For the purposes of kernel logging, why do I have three different, non-inclusive levels of logging amongst /var/log/messages, /var/log/syslog, and /var/log/kern.log?
2 Answers
Syslog is a standard logging facility. It collects messages of various programs and services including the kernel, and stores them, depending on setup, in a bunch of log files typically under /var/log. In some datacenter setups there are hundreds of devices each with its own log; syslog comes in handy here too. One just sets up a dedicated syslog server which collects all the individual device logs over the network. Syslog can also save logs to databases, and other clients.
According to my /etc/syslog.conf, default /var/log/kern.log captures only the kernel's messages of any loglevel; i.e. the output of dmesg.
/var/log/messages instead aims at storing valuable, non-debug and non-critical messages. This log should be considered the "general system activity" log.
/var/log/syslog in turn logs everything, except auth related messages.
Other interesting standard logs managed by syslog are /var/log/auth.log, /var/log/mail.log.
2020 update
You may still stumble upon syslog; but the defaults have changed.
journald has replaced syslog, in quite a big portion of systems, including Ubuntu.
This is relevant because you won't be finding /var/log/messages that often anymore. journald doesn't write plaintext logs — it uses its own, compressed and partially authenticated format.
Search online for e.g. journalctl cheatsheet, or just study man 8 systemd-journald, man 1 journalctl yourself.
Syslog and journald are, to a degree, cross-compatible; you can transport logs between them in either direction. However, you won't get plaintext logs a-la /var/log/messages with journald; and you won't get structured (journalctl -o json-pretty) and authenticated logging with syslog.
- Note that entries in the kernel ring buffer (what dmesg reads) won't make it into any /var/log file by default if they were written by a user space process. You need to set $KLogPermitNonKernelFacility on in rsyslogd's config if you want to see those messages in /var/log. See my answer at askubuntu.com/a/490900/297973 for more details. Commented Jul 2, 2014 at 17:54
- Also worth noting that Ubuntu (since natty) no longer uses /var/log/messages, and stores everything on /var/log/syslog. Commented Jan 23, 2015 at 17:29
- In Ubuntu 16.04 /var/log/syslog is indeed a clean superset of /var/log/kern.log with the caveat that one has to account for different rotation strategies. E.g. in my system (default config unchanged) today's and yesterday's messages are kept in a single file in /var/log/kern.log whereas most of yesterday's messages for syslog are in /var/log/syslog.1. Commented Nov 12, 2016 at 18:25
- syslog contains all the messages except of type auth.
- messages contains only generic non-critical messages. The category is info, notice and warn
- For complete log look at /var/log/syslog and /var/log/auth.log
- AFAIK /var/log/kern.log contains kernel messages.
- log files are just a convention spelled out in /etc/syslog.conf
- read syslog(3) for more information
Check this page about differences between messages and syslog: it says /var/log/messages ⊂ /var/log/syslog
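How the overlap between these files arises, as an added example that is not part of either answer: a small evaluator for syslog.conf-style selectors, run over a constructed rule set shaped like the behaviour both answers describe. The rule lines, function names and sample messages are assumptions for illustration, not the contents of any real /etc/syslog.conf.

```python
# Added example: which files receive a message of a given facility/severity.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}

# Constructed rule set (assumption), shaped like classic syslog.conf lines.
RULES = [
    ("kern.*", "/var/log/kern.log"),
    ("*.*;auth,authpriv.none", "/var/log/syslog"),
    ("*.=info;*.=notice;*.=warn;auth,authpriv.none", "/var/log/messages"),
    ("auth,authpriv.*", "/var/log/auth.log"),
]


def level_of(name):
    """Numeric severity: 0 (emerg) is most severe, 7 (debug) least."""
    return SEVERITIES.index(ALIASES.get(name, name))


def selector_matches(selector, facility, severity):
    """Evaluate 'part;part;...' left to right; later parts override earlier ones."""
    matched = False
    for part in selector.split(";"):
        facilities, _, prio = part.rpartition(".")
        if facilities != "*" and facility not in facilities.split(","):
            continue  # this part does not mention our facility
        if prio == "none":
            matched = False  # explicit exclusion, e.g. auth,authpriv.none
            continue
        negate, prio = prio.startswith("!"), prio.lstrip("!")
        exact, prio = prio.startswith("="), prio.lstrip("=")
        if prio == "*":
            hit = True
        elif exact:
            hit = level_of(severity) == level_of(prio)  # '=' means this level only
        else:
            hit = level_of(severity) <= level_of(prio)  # this level or more severe
        if hit:
            matched = not negate
    return matched


def destinations(facility, severity):
    """Files from RULES that would receive the message."""
    return [path for sel, path in RULES if selector_matches(sel, facility, severity)]


if __name__ == "__main__":
    for msg in [("kern", "debug"), ("kern", "warning"), ("auth", "info"), ("daemon", "err")]:
        print(msg, "->", destinations(*msg))
```

With these rules a kernel debug line lands in kern.log and syslog but not messages, and an auth message appears only in auth.log, so no single file is a complete record.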
- Duplicating the comment on ulidtko's answer: also worth noting that Ubuntu (since natty) no longer uses /var/log/messages, and stores everything on /var/log/syslog. Commented Jan 23, 2015 at 17:30
journalctl is slowly replacing syslog as the go-to resource for monitoring system messages.