The rsyslog daemon is a log entry management facility whose main configuration file is /etc/rsyslog.conf. The configuration of this file consists of 3 parts: facility, priority & action.
Facilities Priorities Actions ______________
kern emerg /path/filename → dumps messages onto the file
user alert @ip_address → sends messages to IP:514 over udp
mail crit @ip_address:port → sends messages to IP:port over udp
daemon err @@ip_address → sends messages to IP over tcp
auth warning @@[2001:db8::1] → sends messages to IP over tcp
syslog notice /dev/console → sends messages to the local consoles
lpr info marc → sends messages to the terminals of user marc
news debug * → sends messages to the terminals of all users
uucp /home/jan/check.sh → execute shell script
cron insert record in database (MySQL / PosgtreSQL)
authpriv ~ → discards message
Let’s look at some examples first to make sense of it all. The example below dumps all messages sent by the kernel facility onto the kernel.log file regardless of the priority.
The next example dumps messages sent by the mail facility onto the mail.log file as long as they have a critical priority or higher.
The following one dumps messages sent by the cron facility onto the cron.log file as long as they do not have info or debug priorities (so notice or higher priority).
The next one dumps messages sent by lpr of critical or higher priority as well as those sent by ftp with priority set to alert (not higher or lower) onto messages.log.
The next example sends all messages from the kern facility of crit or higher priority, onto the terminals of user marc, onto the file kernel.log and also to the given host over udp to the default port 514.
kern.crit marc & /var/log/kernel.log & @192.168.0.5
The rsyslogd daemon offers more complex configuration options that the ones covered above. But if your needs cannot be fulfilled with the examples above, then it’s better to check man rsyslog.conf.
If we want to examine log files and we are using a graphical interface (graphical.target) it might be best to use the GUI gnome-system-log.
We can also use journalctl as we shall see in the next section.