How to check syslog in Bash on Linux?

101
votes

In C we log this way:

syslog( LOG_INFO, "proxying %s", url );

In Linux how can we check the log?

7
linuxbashsyslog
Doesn't the function syslog write to the system log? (Unless you're talking about the lower-level one for accessing the kernel message ring buffer, but I doubt url is an int.)Cascabel
this Q should be migrated to unix.SE.com, not sure if it's worth it to flag for mod's attention (I flagged).Alexander Malakhov

7 Answers

160
votes

How about less /var/log/syslog?

43
votes

On Fedora 19, it looks like the answer is /var/log/messages. Although check /etc/rsyslog.conf if it has been changed.

32
votes

By default it's logged into system log at /var/log/syslog, so it can be read by:

tail -f /var/log/syslog

If the file doesn't exist, check /etc/syslog.conf to see configuration file for syslogd. Note that the configuration file could be different, so check the running process if it's using different file:

# ps wuax | grep syslog
root      /sbin/syslogd -f /etc/syslog-knoppix.conf

Note: In some distributions (such as Knoppix) all logged messages could be sent into different terminal (e.g. /dev/tty12), so to access e.g. tty12 try pressing Control+Alt+F12.

You can also use lsof tool to find out which log file the syslogd process is using, e.g.

sudo lsof -p $(pgrep syslog) | grep log$

To send the test message to syslogd in shell, you may try:

echo test | logger

For troubleshooting use a trace tool (strace on Linux, dtruss on Unix), e.g.:

sudo strace -fp $(cat /var/run/syslogd.pid)
25
votes

A very cool util is journalctl.

For example, to show syslog to console: journalctl -t <syslog-ident>, where <syslog-ident> is identity you gave to function openlog to initialize syslog.

14
votes

tail -f /var/log/syslog | grep process_name where process_name is the name of the process we are interested in

3
votes

If you like Vim, it has built-in syntax highlighting for the syslog file, e.g. it will highlight error messages in red.

vi +'syntax on' /var/log/syslog
0
votes

On some Linux systems (e.g. Debian and Ubuntu) syslog is rotated daily and you have multiple log files where two newest files are uncompressed while older ones are compressed:

$ ls -l /var/log/syslog*
-rw-r----- 1 root adm  888238 Aug 25 12:02 /var/log/syslog
-rw-r----- 1 root adm 1438588 Aug 25 00:05 /var/log/syslog.1
-rw-r----- 1 root adm   95161 Aug 24 00:07 /var/log/syslog.2.gz
-rw-r----- 1 root adm  103829 Aug 23 00:08 /var/log/syslog.3.gz
-rw-r----- 1 root adm   82679 Aug 22 00:06 /var/log/syslog.4.gz
-rw-r----- 1 root adm  270313 Aug 21 00:10 /var/log/syslog.5.gz
-rw-r----- 1 root adm  110724 Aug 20 00:09 /var/log/syslog.6.gz
-rw-r----- 1 root adm  178880 Aug 19 00:08 /var/log/syslog.7.gz

To search all the syslog files you can use the following commands:

$ sudo zcat -f `ls -tr /var/log/syslog*` | grep -i error | less

where zcat first decompresses and prints all syslog files (oldest first), grep makes a search and less is paging the results of the search.

To do the same but with the lines prefixed with the name of the syslog file you can use zgrep:

$ sudo zgrep -i error `ls -tr /var/log/syslog*` | less

$ zgrep -V | grep zgrep
zgrep (gzip) 1.6

In both cases sudo is required if syslog files are not readable by ordinary users.