Monday, 20 January 2014

Advanced message logging

AIX logs many messages to several places, but this often vital information is lost unless the system is correctly configured.

1. The principal subsystem for collecting messages is syslog

2. syslogd must be started (Check /etc/rc.tcpip)

# grep syslog /etc/rc.tcpip
# Start up syslog daemon (for error and event logging)
start /usr/sbin/syslogd "$src_running" -r

3. Ensure that "/etc/syslog.conf" exists and that any files referenced exist BEFORE syslogd is started.

4. Ensure there is sufficient space in the filesystem where the logging is taking place

5. Check there are no stray control or special characters in the configuration file as this can confuse the system and cause message loss.

6. Fine tune and test your configuration, e.g.:

# cat /etc/syslog.conf
                                /var/adm/messages               rotate  size 8m compress files 7
                                /var/adm/wrappers.log           rotate  size 8m compress files 7
                                /var/adm/sftp-server.log        rotate  size 8m compress files 7
mail.debug                      /var/adm/mail.log               rotate  size 8m compress files 7
*.debug;local0.none;local7.none /var/adm/messages               rotate  size 8m compress files 7

In this example the log files are limited to 8MB; when a file exceeds this it is backed up, and up to seven rotated copies are maintained, e.g.:

# ls -l /var/adm/messages*
-rw-r--r--    1 root     system      2434639 Jan 20 11:50 /var/adm/messages
-rw-r--r--    1 root     system       485237 Dec 19 11:31 /var/adm/messages.0.Z
-rw-r--r--    1 root     system       540774 Dec 19 11:26 /var/adm/messages.1.Z
-rw-r--r--    1 root     system       328879 Dec 19 10:06 /var/adm/messages.2.Z
-rw-r--r--    1 root     system       588315 Dec 19 09:22 /var/adm/messages.3.Z
-rw-r--r--    1 root     system       421498 Dec 18 12:20 /var/adm/messages.4.Z
-rw-r--r--    1 root     system       439781 Dec 18 09:43 /var/adm/messages.5.Z
-rw-r--r--    1 root     system       445143 Dec 16 16:05 /var/adm/messages.6.Z

Further copies can be created by using the archive keyword.

7. By default each entry logs all messages at and ABOVE the level described, e.g. "*.debug" will log every single system message to this file. To restrict what an entry logs, use the ".none" keyword to exclude a facility, e.g. "*.debug;local0.none;local7.none".

Note: If you want to specify multiple logging levels use the ";" to separate them.

8. By default the syslog daemon accepts messages from other systems. If you wish to override this behaviour start syslogd with the "-r" option.
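
The checks in steps 3 and 5 can be scripted. The following is an added example, not part of the original post: the function name audit_syslog_conf and the sample configuration are constructed for illustration, and the demo assumes mktemp is available.

```sh
#!/bin/sh
# Audit a syslog.conf-style file for two causes of silent message loss:
#   MISSING <line> <path>  a file destination that does not exist yet (step 3)
#   CTRL <line>            a control character other than tab (step 5)
audit_syslog_conf() {
    conf=$1
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        # Tabs are legitimate separators; anything else in [[:cntrl:]] is stray.
        if printf '%s' "$line" | tr -d '\t' | LC_ALL=C grep -q '[[:cntrl:]]'; then
            echo "CTRL $lineno"
        fi
        case $line in
            ''|'#'*) continue ;;            # skip blank lines and comments
        esac
        # Field 1 is the selector, field 2 the destination. Globbing is
        # disabled so that a selector such as *.debug is not expanded.
        set -f; set -- $line; set +f
        dest=${2:-}
        case $dest in
            # Only absolute paths are files; @host, user names and * are not.
            /*) [ -e "$dest" ] || echo "MISSING $lineno $dest" ;;
        esac
    done < "$conf"
}

# Constructed sample: line 1 is healthy, line 2 names a file that was never
# created, line 3 ends in a carriage return, so its path no longer matches
# the existing file and it is reported twice.
demo() {
    d=$(mktemp -d)
    : > "$d/messages"
    {
        printf '*.debug;local0.none\t%s/messages rotate size 8m\n' "$d"
        printf 'mail.debug\t%s/mail.log rotate size 8m\n' "$d"
        printf 'local7.info\t%s/messages\r\n' "$d"
    } > "$d/syslog.conf"
    audit_syslog_conf "$d/syslog.conf"
    rm -rf "$d"
}
demo
```

Run it against /etc/syslog.conf before starting or refreshing syslogd; no output means every file destination exists and no stray control characters were found.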
