How to tell if syslog.conf has a typo

configurationlogssyslog

I recently did in fact have a typo in my syslog.conf file, but I had no idea initially why I couldn't restart the daemon. In Ubuntu, all I seemed to get was a FAIL message after a rather long wait period.

Without it running properly, I was curious, is there a way I could have figured it out without scouring random logs pointlessly before considering there may have been a typo?

Edit: I really felt like using service to start/restart/etc the daemon should have given more than FAIL. Perhaps it does and I just don't know where to look, but if another service had a similar silly issue, I'd hope to be able to figure it out easily as well.

Best Answer

Probably the easiest way to do this would be to use syslogd's debug switch, -d. You can invoke syslogd manually like so.

First disable any currently running syslogd:

$ sudo service syslogd stop

Then run it manually with the following switches:

$ sudo syslogd -d -f /etc/syslog.conf

Example

I don't have a working syslogd accessible but it would be very similar to rsyslogd. Here I'm invoking rsyslogd:

 $ sudo rsyslogd -d -f /etc/rsyslog.conf
1647.845869757:7fab7df4b720: rsyslogd 4.6.3 startup, compatibility mode 0, module path ''
1647.846009627:7fab7df4b720: caller requested object 'net', not found (iRet -3003)
1647.846026890:7fab7df4b720: Requested to load module 'lmnet'
1647.846035733:7fab7df4b720: loading module '/lib64/rsyslog/lmnet.so'
1647.846155408:7fab7df4b720: module of type 2 being loaded.
1647.846167849:7fab7df4b720: source file conf.c requested reference for module 'lmnet', reference count now 1
1647.846178301:7fab7df4b720: rsyslog runtime initialized, version 4.6.3, current users 1
1647.846196912:7fab7df4b720: source file syslogd.c requested reference for module 'lmnet', reference count now 2
1647.848016526:7fab7df4b720: module of type 1 being loaded.

Testing

You can then use the command line tool logger to simulate messages of various types to syslogd. Again here I'm using rsyslogd as a stand in so the messaging will be different but the effect is still the same with either one.

Sending a test message
```
$ logger -t testmsg "hello world."
```

Results

2439.368194624:7f461fee9700: Message from UNIX socket: #3
2439.368226046:7f461fee9700: logmsg: flags 4, from 'grinchy', msg Aug 20 03:07:19 testmsg: hello world.
2439.368234458:7f461fee9700: Message has legacy syslog format.
2439.368247194:7f461fee9700: main Q: entry added, size now 1 entries
2439.368257698:7f461fee9700: wtpAdviseMaxWorkers signals busy
2439.368271525:7f461fee9700: main Q: EnqueueMsg advised worker start
2439.368283031:7f461fee9700: --------imuxsock calling select, active file descriptors (max 3): 3 
2439.368305014:7f46206ea700: main Q: entry deleted, state 0, size now 0 entries
2439.368329151:7f46206ea700: testing filter, f_pmask 127
2439.368340032:7f46206ea700: Called action, logging to builtin-file
2439.368354849:7f46206ea700: file to log to: /var/log/messages
2439.368361837:7f46206ea700: doWrite, pData->pStrm 0x7f462480a310, lenBuf 46
2439.368370439:7f46206ea700: strm 0x7f462480a310: file 5(messages) flush, buflen 46
2439.368413234:7f46206ea700: strm 0x7f462480a310: file 5 write wrote 46 bytes
2439.368424063:7f46206ea700: testing filter, f_pmask 0
2439.368431098:7f46206ea700: testing filter, f_pmask 0
2439.368437738:7f46206ea700: testing filter, f_pmask 0
2439.368444401:7f46206ea700: testing filter, f_pmask 1
2439.368450861:7f46206ea700: testing filter, f_pmask 0
2439.368457433:7f46206ea700: testing filter, f_pmask 0
2439.368464826:7f46206ea700: main Q:Reg/w0: worker IDLE, waiting for work.

Log file's message

Aug 20 03:07:12 grinchy testmsg: hello world.

Another Example

Sample message

$ logger -p daemon.warn "this is only a test."

Results

2008.317255462:7f3d13a95700: Message from UNIX socket: #3
2008.317287162:7f3d13a95700: logmsg: flags 4, from 'grinchy', msg Aug 20 03:00:08 saml: this is only a test.
2008.317295844:7f3d13a95700: Message has legacy syslog format.
2008.317307482:7f3d13a95700: main Q: entry added, size now 1 entries
2008.317317586:7f3d13a95700: wtpAdviseMaxWorkers signals busy
2008.317328948:7f3d13a95700: main Q: EnqueueMsg advised worker start
2008.317339316:7f3d13a95700: --------imuxsock calling select, active file descriptors (max 3): 3 
2008.317362187:7f3d14296700: main Q: entry deleted, state 0, size now 0 entries
2008.317375008:7f3d14296700: testing filter, f_pmask 127
2008.317386832:7f3d14296700: Called action, logging to builtin-file
2008.317401184:7f3d14296700: file to log to: /var/log/messages
2008.317409775:7f3d14296700: doWrite, pData->pStrm 0x7f3d17506310, lenBuf 51
2008.317418935:7f3d14296700: strm 0x7f3d17506310: file 5(messages) flush, buflen 51
2008.317454814:7f3d14296700: strm 0x7f3d17506310: file 5 write wrote 51 bytes
2008.317466838:7f3d14296700: testing filter, f_pmask 0
2008.317474391:7f3d14296700: testing filter, f_pmask 0
2008.317481448:7f3d14296700: testing filter, f_pmask 0
2008.317488503:7f3d14296700: testing filter, f_pmask 1
2008.317495259:7f3d14296700: testing filter, f_pmask 0
2008.317502407:7f3d14296700: testing filter, f_pmask 0
2008.317509079:7f3d14296700: main Q:Reg/w0: worker IDLE, waiting for work.

This line contains our message

2008.317287162:7f3d13a95700: logmsg: flags 4, from 'grinchy', msg Aug 20 03:00:08 saml: this is only a test.

When you're done, simply Ctrl + C to terminate it.

References

syslog

Take a look in the man page for iptables. It shows a target called LOG which can do what you want.

Example

Set the logging level for LOG to 4.

# DROP everything and Log it
iptables -A INPUT -j LOG --log-level 4
iptables -A INPUT -j DROP

Configure syslog.conf to write these messages to a separate file.
```
# /etc/syslog.conf
kern.warning     /var/log/iptables.log
```

Restart syslogd.

Debian/Ubuntu

$ sudo /etc/init.d/sysklogd restart

Fedora/CentOS/RHEL

$ sudo /etc/init.d/syslog restart

NOTE: This method of logging is called fixed priorities. They are either numbers or names (1,2,3,4,..) or (DEBUG, WARN, INFO, etc.).

rsyslog

If by chance you're using rsyslog, you can create a property based filter like so:

# /etc/rsyslog.conf
:msg, contains, "NETFILTER"       /var/log/iptables.log
:msg, contains, "NETFILTER"     ~

Then add thils switch to your iptables rules that you want to log:

–log-prefix NETFILTER

As an alternative you could also log the messages using this type of property filter:

:msg, startswith, "iptables: " -/var/log/iptables.log
& ~
:msg, regex, "^\[ *[0-9]*\.[0-9]*\] iptables: " -/var/log/iptables.log
& ~

NOTE: This 2nd method doesn't require any changes to iptables.

References

Way to tell how many times the computer has rebooted in a 24 hour period

System reboots are usually logged in the binary file /var/log/wtmp. The easiest way to read that file is using the last command which prints lines like this for every reboot:

reboot   system boot  3.10-3-amd64     Fri May  2 19:30 - 21:02 (5+01:32)

so if you issue last reboot, you'll get a list of all reboots logged to your wtmp file.

Best Answer

Example

Testing

Another Example

References

Related Solutions

Linux – How to configure syslog.conf file, to log iptables messages in a separate file

syslog

Example

rsyslog

References

Way to tell how many times the computer has rebooted in a 24 hour period

Related Question