unix sysadmin archives

Monday 13 June 2011

System Logs

One of the major jobs of a typical UNIX administrator is system monitoring. He or she regularly uses a range of utilities, tricks, and tools to aid in the process of administration.
 
Most UNIX systems use syslog, a generic logging system that the operating system, applications, and services all use to record information. Syslog records a whole host of data, including logins, performance information, and failures reported by different hardware and subsystems.

In addition to syslog, systems also keep a variety of service, environment, and application logs that record information about the machine and its operation. Syslog tags every message with a level and a facility: the level says how severe the condition is, while the facility identifies the service area (kernel, mail, authentication, and so on) that produced it. Syslog can also forward log entries to another machine for processing; used this way it acts as a distributed error manager, and it has a security benefit too, because a copy of the messages survives on a host that an intruder on the original machine cannot quietly edit.

For the Solaris 10 OS, the syslog function, the syslogd daemon, and the /etc/syslog.conf file work together to provide system messaging.
The daemon can write messages to a system log, forward them to a centralized log host, send them to a list of logged-in users, or write them to the system console.

In fact, the syslogd daemon runs the m4 macro processor over /etc/syslog.conf to turn it into statements that the syslogd process can use:
Comments in the /etc/syslog.conf file are not sent to the syslogd daemon.
When an ifdef statement is encountered it is evaluated as true or false (the usual one is ifdef(`LOGHOST', ...), and syslogd defines LOGHOST only when the machine's host name resolves to the loghost alias). A different value is sent to the syslogd daemon for each condition, which is how one file can say "write locally on the log host, forward to @loghost everywhere else".
Statements that are neither comments nor ifdef statements are passed to the syslogd daemon as a selector field and an action field. The two fields must be separated by a tab; a line that uses spaces instead is a common cause of rules that silently never match.

The location of the various log files varies from system to system. On Solaris 10, most of the logs are in /var/adm and /var/log.

The levels available are the following, from most to least severe (in /etc/syslog.conf they are written in lowercase without the LOG_ prefix, e.g. kern.notice, and a selector at a given level also matches everything more severe):

 LOG_EMERG    A panic condition.  This is normally broadcast to all users.
 LOG_ALERT    A condition that should be corrected immediately such as a corrupted system database.
 LOG_CRIT    Critical conditions, e.g., hard device errors.
 LOG_ERR    Errors.
 LOG_WARNING    Warning messages.
 LOG_NOTICE    Conditions that are not error conditions, but should possibly be handled specially.
 LOG_INFO    Informational messages.
 LOG_DEBUG    Messages that contain information normally of use only when debugging a program.

And here are the facilities under which you can log messages (again written in lowercase without the prefix in /etc/syslog.conf; the "*" wildcard stands for any facility):

 LOG_KERN    Messages generated by the kernel.  These cannot be generated by any user processes.
 LOG_USER    Messages generated by random user processes.  This is the default facility identifier if none is specified.
 LOG_MAIL    The mail system.
 LOG_DAEMON    System daemons, such as routed(1M), ftpd(1M), rshd(1M), etc.
 LOG_AUTH    The authorization system:  login(1), su(1M), getty(1M), etc.  ftpd(1M), and rshd(1M) also use LOG_AUTH.
 LOG_LPR    The line printer spooling system:  lpr(1), lpd(1M), etc.
 LOG_LOCAL0    Reserved for local use.  Similarly for LOG_LOCAL1 through LOG_LOCAL7.

Sample /var/adm/messages

Jun  13 09:16:59 reciosys01 ata: [ID 496167 kern.info] cmdk2 at ata1 target 0 lun 0
Jun  13 09:16:59 reciosys01 genunix: [ID 936769 kern.info] cmdk2 is /pci@0,0/pci-ide@1f,1/ide@1/cmdk@0,0
Jun  13 09:16:60 reciosys01 asy: [ID 267298 kern.notice] asy0: UART @ 3f8 scratch register: expected 0x5a, got 0xff
Jun  13 09:16:60 reciosys01 asy: [ID 702181 kern.notice] Cannot identify UART chip at 3f8
Jun  13 09:16:60 reciosys01 asy: [ID 267298 kern.notice] asy1: UART @ 2f8 scratch register: expected 0x5a, got 0xff
Jun  13 09:16:60 reciosys01 asy: [ID 702181 kern.notice] Cannot identify UART chip at 2f8
Jun  13 09:17:02 reciosys01 genunix: [ID 314293 kern.info] device pciclass,030000@2(display#0) keeps up device sd@1,0(sd#1), but the latter is not power managed
Jun  13 09:17:02 reciosys01 /usr/lib/power/powerd: [ID 387247 daemon.error]  Able to open /dev/srn
Jun  13 09:17:09 reciosys01 /sbin/dhcpagent[164]: [ID 778557 daemon.warning]  configure_v4_lease: no IP broadcast specified for ni0, making best guess
Jun  13 09:17:32 reciosys01 sendmail[503]: [ID 702911 mail.crit] My unqualified host name  (reciosys01) unknown; sleeping for retry
Jun  13 09:17:33 reciosys01 sendmail[507]: [ID 702911 mail.crit] My unqualified host name (reciosys01) unknown; sleeping for retry
Jun  13 09:17:49 reciosys01 svc.startd[7]: [ID 652011 daemon.warning]  svc:/system/webconsole:console: Method "/lib/svc/method/svc-webconsole start" failed with exit status 95.
Jun  13 09:17:49 reciosys01 svc.startd[7]: [ID 748625 daemon.error] system/webconsole:console failed fatally: transitioned to maintenance (see 'svcs -xv' for details)
Jun  13 09:17:56 reciosys01 pseudo: [ID 129642 kern.info] pseudo-device: devinfo0
Jun  13 09:17:56 reciosys01 genunix: [ID 936769 kern.info] devinfo0 is /pseudo/devinfo@0
Jun  13 09:18:32 reciosys01 sendmail[503]: [ID 702911 mail.alert] unable to qualify my own domain name (reciosys01) -- using short name
Jun  13 09:18:33 reciosys01 sendmail[507]: [ID 702911 mail.alert] unable to qualify my own domain name (reciosys01) -- using short name



And in this example you can see faults on a tape drive being reported by a running backup process (bptm, the NetBackup tape manager), logged under the daemon facility at warning and then crit level. Note the "[ID nnnnnn facility.level]" tag that Solaris puts on every line: it is what the selectors in /etc/syslog.conf are matched against, so it tells you at a glance why a line ended up in this file.

Jun 11 14:08:29 reciosys01 bptm[10949]: [ID 842812 daemon.warning] TapeAlert Code: 0x03, Type: Warning, Flag: HARD ERROR, from drive MWC-30-F04-D03 (index 39), Media Id J15113
Jun 11 14:08:30 reciosys01 bptm[10949]: [ID 988370 daemon.warning] TapeAlert Code: 0x27, Type: Warning, Flag: DIAGNOSTICS REQ., from drive MWC-30-F04-D03 (index 39), Media Id J15113
Jun 11 14:08:30 reciosys01 bptm[10949]: [ID 325195 daemon.crit] TapeAlert Code: 0x37, Type: Critical, Flag: LOADING FAILURE, from drive MWC-30-F04-D03 (index 39), Media Id J15113
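To make the selector/action rules, the ifdef(`LOGHOST', ...) step and the facility.level tags concrete, here is an added example written for this page (Python, not code from the original post or from Solaris). It models how syslogd decides where one message goes: it parses a syslog.conf (modelled on the stock Solaris 10 layout but constructed here), resolves the one-line ifdef idiom for both the log-host and the client case (real syslogd runs the whole file through m4; multi-line ifdef blocks are not modelled), parses lines in the /var/adm/messages format shown above, and lists the actions each line would be delivered to. The four log lines are constructed; the host name, pids and the sshd message ID are assumed values.

```python
"""Added example, not code from the original page: a model of how Solaris
syslogd routes one message, using the selector/action semantics of
syslog.conf(4) and the "[ID nnnnnn facility.level]" line format of
/var/adm/messages.  The conf text and the log lines are constructed."""
import re

# Severity order from syslog(3C); index 0 is the most severe.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed syslog.conf modelled on the stock Solaris 10 layout.  The
# selector and the action MUST be separated by a tab; spaces do not work.
SAMPLE_CONF = (
    "# comments are dropped before syslogd ever sees the file\n"
    "*.err;kern.notice;auth.notice\t/dev/sysmsg\n"
    "*.err;kern.debug;daemon.notice;mail.crit\t/var/adm/messages\n"
    "*.alert;kern.err;daemon.err\toperator\n"
    "*.alert\troot\n"
    "*.emerg\t*\n"
    "mail.debug\tifdef(`LOGHOST', /var/log/syslog, @loghost)\n"
    "# added line: nothing above catches auth.info (e.g. sshd failures)\n"
    "auth.info\tifdef(`LOGHOST', /var/log/authlog, @loghost)\n"
)

# Constructed lines in the /var/adm/messages format; host name, pids and the
# sshd message ID are assumed values, not taken from a real system.
SAMPLE_LINES = [
    "Jun 13 09:16:59 reciosys01 genunix: [ID 936769 kern.info] cmdk2 is /pci@0,0/pci-ide@1f,1/ide@1/cmdk@0,0",
    "Jun 13 09:17:32 reciosys01 sendmail[503]: [ID 702911 mail.crit] My unqualified host name (reciosys01) unknown; sleeping for retry",
    "Jun 11 14:08:30 reciosys01 bptm[10949]: [ID 325195 daemon.crit] TapeAlert Code: 0x37, Type: Critical, Flag: LOADING FAILURE",
    "Jun 13 10:02:11 reciosys01 sshd[2210]: [ID 800047 auth.info] Failed password for jdoe from 10.0.0.5 port 51122 ssh2",
]

def resolve_ifdef(line, is_loghost):
    """Emulate the one-line ifdef(`LOGHOST', a, b) idiom.  Real syslogd runs
    the whole file through m4 with LOGHOST defined when the host name resolves
    to the 'loghost' alias; multi-line ifdef blocks are not modelled here."""
    def pick(m):
        return (m.group(1) if is_loghost else m.group(2)).strip()
    return re.sub(r"ifdef\(`LOGHOST',([^,]*),([^)]*)\)", pick, line)

def parse_conf(text, is_loghost=True):
    """Return [(selector_parts, action)]; selector_parts is a list of
    (facility_list, level) taken from 'fac1,fac2.level;fac3.level'."""
    rules = []
    for raw in text.splitlines():
        line = resolve_ifdef(raw.split("#", 1)[0].rstrip(), is_loghost)
        if not line.strip():
            continue
        if "\t" not in line:
            raise ValueError("selector and action must be tab-separated: %r" % raw)
        selector, action = line.split("\t", 1)
        parts = []
        for part in selector.split(";"):
            facs, level = part.rsplit(".", 1)
            if level not in LEVELS and level != "none":
                raise ValueError("unknown level %r in %r" % (level, raw))
            parts.append((facs.split(","), level))
        rules.append((parts, action.strip()))
    return rules

def selector_matches(parts, facility, level):
    """BSD/Solaris semantics: for a facility the LAST part naming it (or '*')
    wins, 'none' drops it, and a level matches itself and anything more severe."""
    threshold = None
    for facs, lvl in parts:
        if "*" in facs or facility in facs:
            threshold = None if lvl == "none" else LEVELS.index(lvl)
    return threshold is not None and LEVELS.index(level) <= threshold

MSG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>\S+?)(?:\[(?P<pid>\d+)\])?: "
    r"\[ID (?P<msgid>\d+) (?P<fac>\w+)\.(?P<lvl>\w+)\]\s+(?P<text>.*)$")

def parse_message(line):
    """Split a /var/adm/messages line into its fields, or None if malformed."""
    m = MSG_RE.match(line)
    return m.groupdict() if m else None

def route(rules, line):
    """List the actions (files, devices, users, @host) syslogd would deliver to."""
    msg = parse_message(line)
    if msg is None:
        return []
    return [act for parts, act in rules if selector_matches(parts, msg["fac"], msg["lvl"])]

def at_or_above(lines, level):
    """Parsed entries whose level is at least this severe, for quick triage."""
    cutoff = LEVELS.index(level)
    return [m for m in map(parse_message, lines) if m and LEVELS.index(m["lvl"]) <= cutoff]

if __name__ == "__main__":
    rules = parse_conf(SAMPLE_CONF, is_loghost=False)   # an ordinary client host
    for line in SAMPLE_LINES:
        m = parse_message(line)
        print("%s.%s from %s -> %s" % (m["fac"], m["lvl"], m["proc"], route(rules, line)))
    print("crit or worse:", [m["proc"] for m in at_or_above(SAMPLE_LINES, "crit")])
```

Two things worth noticing when you run it. The kern.info lines fill /var/adm/messages only because of the kern.debug selector on that line (a plain *.err would never let them through), and with the stock lines alone an auth.info message such as an sshd password failure matches nothing at all, since auth.notice only catches notice and above; if you want login failures kept, you have to add an auth.info line of your own, as the last line of the constructed file does, and on a client host that line forwards them to @loghost where an intruder cannot remove them.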


We’ll add some more in the future.
