Monitoring and logging are critical aspects of system administration and DevOps. The tail, journalctl, and rsyslog commands provide powerful tools for tracking and analyzing system events and logs in a Linux environment.
tail Command
Basic Syntax
tail [options] [file(s)]
Common Options
- -n N: Show the last N lines (default 10)
- -f: Follow the file, displaying new content as it is appended
- -F: Like -f, but reopen the file by name after it is rotated or recreated; use this on files managed by logrotate, otherwise tail silently keeps reading the old, renamed file
- -c N: Show the last N bytes
Usage Examples
# Show the last 10 lines of a log file
$ tail -n 10 /var/log/syslog
# Follow a log file in real-time (-F keeps following across log rotation)
$ tail -F /var/log/nginx/access.log
journalctl Command
Basic Syntax
journalctl [options]
Common Options
- -u UNIT: Show logs for a specific systemd unit
- -p PRIORITY: Show entries at or above a severity (emerg, alert, crit, err, warning, notice, info, debug), or a range such as warning..err
- -n N: Show the last N log entries
- -f: Follow the journal, displaying new entries as they are added
- -b: Restrict output to the current boot (-b -1 for the previous one)
- --since / --until: Restrict by time, e.g. --since "1 hour ago"
- -k: Show only kernel messages (the journal's equivalent of dmesg)
Usage Examples
# Show the last 20 journal entries
$ journalctl -n 20
# View logs for the nginx service
$ journalctl -u nginx.service
# Follow the journal in real-time
$ journalctl -f
rsyslog Daemon
Overview
rsyslog is the default system logging daemon in many Linux distributions. It collects messages from the kernel, from local processes via /dev/log, and on systemd systems from journald, applies filter rules to them, and writes them to files under /var/log or forwards them to other hosts.
Common Configuration Files
- /etc/rsyslog.conf: Main configuration file
- /etc/rsyslog.d/*.conf: Additional configuration files, included from the main file; put local rules here so that package upgrades do not overwrite them
Usage Examples
# Validate the configuration, then restart the rsyslog service
$ sudo rsyslogd -N1
$ sudo systemctl restart rsyslog
# View the rsyslog configuration
$ cat /etc/rsyslog.conf
Common Use Cases
- Log Monitoring
# Monitor the system log in real-time
$ tail -F /var/log/syslog
$ journalctl -f
- Troubleshooting
# Check logs for error messages (-i because messages are not consistently lower-case)
$ grep -i "error" /var/log/syslog
# Journal entries of priority err or worse from the current boot
$ journalctl -p err -b
- Automated Log Analysis
# Follow the log and report each new CRIT line as it arrives. Following with tail -F
# instead of re-reading the whole file every minute means an old fault is not reported
# again on every pass, and the pipeline survives logrotate renaming the file.
$ tail -F /var/log/syslog | grep --line-buffered "CRIT" | while IFS= read -r line; do
      echo "Critical error detected: $line"
  done
Tips and Tricks
- Customize journalctl Output
# Show entries of priority warning or worse
$ journalctl -p warning
# Filter logs by a specific service
$ journalctl -u nginx.service
- Manage rsyslog Configuration
# Add a custom log rule: everything logged to facility local0 goes to its own file
$ echo "local0.* /var/log/myapp.log" | sudo tee /etc/rsyslog.d/myapp.conf
# Check the syntax, then restart. A reload (SIGHUP) only makes rsyslog reopen its
# output files; it does not re-read the configuration.
$ sudo rsyslogd -N1
$ sudo systemctl restart rsyslog
- Automate Log Rotation
# logrotate runs daily from cron or a systemd timer; per-file policies live in
# /etc/logrotate.d/ (rsyslog's own policy is /etc/logrotate.d/rsyslog on
# Debian-family systems and /etc/logrotate.d/syslog on RHEL-family ones)
$ sudo vi /etc/logrotate.d/syslog
Best Practices
- Monitor Critical Logs
# Check system logs regularly
$ journalctl -p err -b
- Centralize Logging
# Configure rsyslog to send logs to a central server (see Advanced Usage below).
# A copy on another host is the one an attacker who gains root on this machine
# cannot quietly edit or delete.
$ sudo vi /etc/rsyslog.conf
- Secure Log Access
# Restrict access to log files: readable by root and the adm group only
$ sudo chmod 640 /var/log/syslog
# A one-off chmod is lost at the next rotation. Make the mode persistent in rsyslog
# ($FileCreateMode 0640, $FileOwner root, $FileGroup adm) and in the logrotate policy
# (create 0640 root adm), and keep membership of the adm group small.
Common Errors and Solutions
- Permission Denied
# Use sudo for restricted log files, or add the account to the group that owns them
# (adm on Debian/Ubuntu; systemd-journal for journalctl) so that routine reading
# does not need a root shell
$ sudo tail -n 10 /var/log/syslog
- Journal Not Available
# Check if systemd-journald is running
$ sudo systemctl status systemd-journald
# Entries from earlier boots are missing when the journal is volatile: set
# Storage=persistent in /etc/systemd/journald.conf (or create /var/log/journal)
# and restart journald
$ journalctl --list-boots
- rsyslog Configuration Issues
# Verify rsyslog configuration syntax (-N1 checks and exits without starting the daemon)
$ sudo rsyslogd -N1
# Startup errors from the daemon itself land in the journal
$ journalctl -u rsyslog
Related Commands
- dmesg: Display the kernel ring buffer
- logger: Add entries to the system log from the shell or a script (also handy for testing a new rsyslog rule, e.g. logger -p local0.info "test")
- logrotate: Rotate, compress, and mail log files
- syslog-ng: Alternative system logging daemon
Advanced Usage
1. Centralized Logging with rsyslog
# Configure rsyslog to send logs to a remote server
$ sudo vi /etc/rsyslog.conf
*.* @remote_syslog_server:514
# A single @ sends over UDP: no delivery guarantee and no encryption, so lines are
# dropped silently under load and readable on the wire. @@host:514 uses TCP; for
# anything that matters add TLS (rsyslog's gtls or ossl network stream driver) and a
# disk-assisted queue so that messages survive an outage of the collector. The
# collector must load a receiver, e.g. module(load="imtcp") and
# input(type="imtcp" port="514").
2. Monitoring Logs with Scripts
#!/bin/bash
# Follow the system log and mail each new error line as it appears.
# tail -F keeps following across logrotate renames; grepping the whole file
# every minute, by contrast, would mail the same old errors again on every pass.
tail -F /var/log/syslog | grep --line-buffered -i "error" | while IFS= read -r line; do
    echo "Error detected! $(date): $line" | mail -s "System Alert" [email protected]
done
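The alerting loops in Common Use Cases and above both fire on every matching line, so one recurring fault pages on every occurrence. The following is an added example, not code from the original page: a streaming filter that sits behind tail -F, keys each alert on the program name and the message with its numbers removed, and reports each distinct fault once. The pattern list, host names, programs and the log lines in sample_log are constructed for the demonstration; the mail address in the comment is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the original page: a streaming alert filter that
# replaces "grep the whole file every 60 seconds". Host names, programs and the
# log lines in sample_log are constructed for this demonstration.

# Extended regex that marks a line as worth an alert (assumed list; extend it).
ALERT_PATTERN='(CRIT|EMERG|ALERT|segfault|Out of memory)'

# watch_log PATTERN
# Reads syslog-format lines ("Mon DD HH:MM:SS host prog[pid]: message") on
# stdin and prints one "ALERT: <line>" per distinct fault. The dedup key is the
# program name without its pid plus the message with all digits removed, so two
# kernel timestamps or "usage 99%" versus "usage 100%" collapse into one alert
# instead of paging on every occurrence.
watch_log() {
    awk -v pat="$1" '
        $0 ~ pat {
            prog = $5                      # "myapp[3100]:" or "kernel:"
            sub(/\[[0-9]+\]/, "", prog)    # drop the pid
            sub(/:$/, "", prog)
            msg = ""
            for (i = 6; i <= NF; i++) msg = msg " " $i
            gsub(/[0-9]+/, "", msg)        # numbers vary per event, not per fault
            key = prog SUBSEP msg
            if (!(key in seen)) {
                seen[key] = 1
                print "ALERT: " $0
                fflush()                   # do not sit in a buffer behind tail -F
            }
        }'
}

# sample_log: constructed input in the layout rsyslog writes to /var/log/syslog.
sample_log() {
    cat <<'EOF'
Jan 12 10:00:01 web1 kernel: [12345.678] CRIT: temperature above threshold
Jan 12 10:00:31 web1 kernel: [12346.001] CRIT: temperature above threshold
Jan 12 10:01:02 web1 sshd[2001]: Accepted publickey for deploy from 10.0.0.5 port 50122 ssh2
Jan 12 10:01:40 web1 myapp[3100]: ALERT disk quota exceeded for /srv/data (usage 99%)
Jan 12 10:02:15 web1 myapp[3101]: ALERT disk quota exceeded for /srv/data (usage 100%)
Jan 12 10:02:50 web1 kernel: [12400.123] Out of memory: Killed process 4001 (java)
Jan 12 10:03:00 web1 cron[4100]: (root) CMD (run-parts /etc/cron.hourly)
EOF
}

# count_alerts: number of alerts the sample produces. Five lines match the
# pattern but only three distinct faults are reported.
count_alerts() {
    sample_log | watch_log "$ALERT_PATTERN" | wc -l | tr -d ' '
}

printf 'alerts raised on sample: %s\n' "$(count_alerts)"

# Production wiring (not run here): follow the live file across rotations and
# hand each alert to mail or logger. The address is a placeholder.
#   tail -F /var/log/syslog | watch_log "$ALERT_PATTERN" | while IFS= read -r a; do
#       printf '%s\n' "$a" | mail -s "System alert on $(hostname)" ops@example.invalid
#   done
```

Stripping digits is a deliberately blunt key: it merges pids, timestamps and percentages without per-program parsing, at the cost of also merging two genuinely different faults that differ only in a number. The same filter works on journal output by feeding it journalctl -f -o short, whose lines have the same layout.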
3. Analyzing Logs with awk and sed
# Extract error messages from syslog: field 3 is the time, 5 the program, 6 onward the message
$ grep -i "error" /var/log/syslog | awk '{print $3, $5, $6, $7, $8, $9}'
# Count failed SSH password attempts per user (auth.log on Debian/Ubuntu,
# /var/log/secure on RHEL-family). The optional "invalid user" prefix must be
# skipped, otherwise every unknown account is counted as a user named "invalid".
$ grep "Failed password" /var/log/auth.log | sed -E 's/.*for (invalid user )?([^ ]+) from .*/\2/' | sort | uniq -c | sort -rn
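Carrying the failed-login count above through to something actionable, as an added example that is not code from the original page: it counts failures per (user, source address) pair with the "invalid user" case handled, and lists the source addresses that exceed a threshold. The users, addresses and the lines in sample_auth_log are constructed; the threshold of 3 is an assumed value.

```shell
#!/bin/sh
# Added example, not part of the original page: failed-login analysis over
# sshd lines, with the "invalid user" case handled. Host names, users,
# addresses and the lines in sample_auth_log are constructed for this demo.

# sample_auth_log: constructed lines in the layout of /var/log/auth.log
# (Debian/Ubuntu) or /var/log/secure (RHEL-family); journalctl -o short prints
# the same layout on systemd hosts.
sample_auth_log() {
    cat <<'EOF'
Jan 12 09:58:01 web1 sshd[1901]: Failed password for root from 203.0.113.9 port 41022 ssh2
Jan 12 09:58:03 web1 sshd[1901]: Failed password for root from 203.0.113.9 port 41022 ssh2
Jan 12 09:58:05 web1 sshd[1903]: Failed password for invalid user admin from 203.0.113.9 port 41030 ssh2
Jan 12 09:58:09 web1 sshd[1905]: Failed password for invalid user admin from 203.0.113.9 port 41034 ssh2
Jan 12 09:58:12 web1 sshd[1907]: Failed password for deploy from 198.51.100.7 port 55010 ssh2
Jan 12 09:58:20 web1 sshd[1907]: Accepted publickey for deploy from 198.51.100.7 port 55010 ssh2
Jan 12 09:59:00 web1 sshd[1910]: Failed password for invalid user test from 203.0.113.9 port 41040 ssh2
EOF
}

# failed_logins: read auth log lines on stdin, print "<count> <user> <source>"
# per (user, source) pair, most frequent first. The optional "invalid user "
# prefix is consumed by group 1 so that the real account name lands in group 2;
# without it every unknown account would be reported as a user named "invalid".
failed_logins() {
    grep 'Failed password for ' |
        sed -E 's/.*Failed password for (invalid user )?([^ ]+) from ([^ ]+) port .*/\2 \3/' |
        sort | uniq -c | sort -rn |
        awk '{ print $1, $2, $3 }'
}

# noisy_sources THRESHOLD: source addresses with at least THRESHOLD password
# failures, one per line; suitable input for a firewall block list or a
# fail2ban-style check. THRESHOLD defaults to 3 (assumed value).
noisy_sources() {
    threshold=${1:-3}
    grep 'Failed password for ' |
        sed -E 's/.* from ([^ ]+) port .*/\1/' |
        sort | uniq -c |
        awk -v t="$threshold" '$1 >= t { print $2 }'
}

echo "Failures per user and source:"
sample_auth_log | failed_logins
echo "Sources at or above 3 failures:"
sample_auth_log | noisy_sources 3
```

On a systemd host without auth.log, pipe journalctl -u ssh -o short (Debian/Ubuntu unit name; sshd on RHEL-family) into the same functions. Note that "Failed password" covers password authentication only; public-key failures and pre-auth disconnects log differently and need their own patterns.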
Monitoring and logging are essential for maintaining the health and security of a Linux system. The tail, journalctl, and rsyslog commands provide powerful tools for DevOps professionals to effectively track, analyze, and manage system logs and events.