Administration
syslog
System logging and syslog daemon management.
Additional Notes
syslog refers to both the standard system logging protocol and the traditional syslog daemon that collects, processes, and stores log messages from the kernel, services, and applications. On modern Linux systems, rsyslogd or syslog-ng typically provide the syslog service, with journald (part of systemd) often running alongside for structured logging.
Log messages are categorized by facility (kern, user, mail, daemon, auth, syslog, lpr, news, uucp, cron, local0-local7, etc.) and priority (emerg, alert, crit, err, warning, notice, info, debug). Configuration files (typically /etc/rsyslog.conf and /etc/rsyslog.d/) define where different message categories are logged.
Syntax
# Traditional syslog commands
logger [options] message
Key Concepts
Facilities: kern, user, mail, daemon, auth, syslog, lpr, news, uucp, cron, authpriv, ftp, local0-local7.
Priorities: emerg (0), alert (1), crit (2), err (3), warning (4), notice (5), info (6), debug (7).
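How the facility and priority names above combine into the numeric PRI header that opens each message on the wire, and how a receiver can decode and validate it. This is an added example, not part of the original page. The facility codes come from RFC 5424, the sample lines are constructed, and the function names are hypothetical.

```python
import re

# Facility codes per RFC 5424 section 6.2.1; the page lists the names only.
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
              5: "syslog", 6: "lpr", 7: "news", 8: "uucp", 9: "cron",
              10: "authpriv", 11: "ftp", **{16 + n: f"local{n}" for n in range(8)}}
FACILITY_CODES = {name: code for code, name in FACILITIES.items()}
PRIORITIES = "emerg alert crit err warning notice info debug".split()

# PRI: 1-3 ASCII digits in angle brackets at the start, no leading zeros.
PRI_RE = re.compile(r"<(0|[1-9][0-9]{0,2})>")

def encode_pri(selector):
    """Turn 'facility.priority' into the numeric PRI: facility * 8 + priority."""
    facility, priority = selector.split(".")
    return FACILITY_CODES[facility] * 8 + PRIORITIES.index(priority)

def decode_pri(line):
    """Return (selector, rest_of_line); raise ValueError on a bad PRI header."""
    m = PRI_RE.match(line)
    if m is None or int(m.group(1)) > 191:  # 23 * 8 + 7 is the maximum
        raise ValueError(f"malformed PRI in {line[:8]!r}")
    facility, priority = divmod(int(m.group(1)), 8)
    name = FACILITIES.get(facility, f"facility{facility}")  # codes 12-15 unnamed here
    return f"{name}.{PRIORITIES[priority]}", line[m.end():]

def triage(lines):
    """Split raw lines into decoded (selector, message) pairs and rejects."""
    decoded, rejected = [], []
    for line in lines:
        try:
            decoded.append(decode_pri(line))
        except ValueError:
            rejected.append(line)
    return decoded, rejected

# Constructed sample input in BSD (RFC 3164) layout; hosts and text are made up.
SAMPLE = [
    "<13>Oct 11 22:14:15 host1 root: Backup completed successfully",
    "<22>Oct 11 22:14:16 host1 sendmail: Queue processed",
    "<131>Oct 11 22:14:17 host1 myapp: Application error occurred",
    "<36>Oct 11 22:14:18 host1 sshd[812]: constructed auth warning",
    "<999>Oct 11 22:14:19 host1 x: PRI out of range",
    "<013>Oct 11 22:14:20 host1 x: leading zero in PRI",
]

if __name__ == "__main__":
    for selector, message in triage(SAMPLE)[0]:
        print(f"{selector:14} {message}")
```

A receiver that rejects or quarantines lines with a malformed PRI, rather than guessing a facility, keeps spoofed or corrupted input out of the auth and authpriv streams.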
Commands
The primary user-facing command for syslog is logger, which sends messages to the syslog system.
logger Options
-p facility.priority: Specify the facility and priority (default: user.notice).
-t tag: Mark the message with a specific tag.
-i: Include the PID of the logger process.
-f file: Log the contents of a file.
-s: Also output the message to stderr.
-n server: Send the message to a remote syslog server.
-P port: Specify the remote syslog server port (default: 514).
--id: Include the current process PID.
--rfc3164: Use the older BSD syslog format.
--rfc5424: Use the newer RFC 5424 syslog format.
Parameters
options: Flags that change how syslog behaves.
target: Optional file, device, interface, user, service, or command target when the command supports one.
Examples
logger "Backup completed successfully"
Send a simple log message.
logger -p mail.info -t sendmail "Queue processed"
Send a log message with mail facility and info priority, tagged as sendmail.
logger -s -p local0.err -t myapp "Application error occurred"
Log an error on local0 facility tagged myapp, also printing to stderr.
logger -n logserver.example.com -P 514 "Remote log entry"
Send a log message to a remote syslog server.
logger -f /var/log/audit.log -t audit-restore
Send the contents of a file to syslog.
Practical Notes
- journalctl reads the systemd journal; tail -f /var/log/syslog or tail -f /var/log/messages reads traditional syslog files.
- Syslog-ng and rsyslog both support TCP transport, TLS encryption, and database logging.
- Log rotation is handled by logrotate to prevent logs from filling the disk.
- The syslog protocol uses UDP port 514 by default, but TCP port 6514 is common for encrypted syslog.
- Centralized logging architectures forward logs from multiple hosts to a dedicated syslog server.
- Modern logging infrastructure often combines syslog with tools like Logstash, Graylog, or Splunk.