[Sussex] Red Hat Enterprise syslog question

Jon Fautley jfautley at redhat.com
Thu May 11 10:46:31 UTC 2006


paul.morriss at tokenbay.co.uk wrote:
> Dear all,
> 
> I have been trying to find out the log file (syslog) format of Red Hat
> Linux Enterprise Edition. I am aware that it uses a variant of the SYSLOG
> format, unfortunately I have been unable to locate the exact
> specifications of this particular variant. The nearest I have found on the
> website was this log example:
> 
> Jul 18 20:51:03 clu1 clufence[30780]: <info> STONITH: rps10 at /dev/ttyS0,\
> 	  port 1 controls clu2
> Jul 18 20:51:17 clu1 clufence[30780]: Port 0 being turned on.
> Jul 18 20:51:17 clu1 clufence[30780]: <notice> STONITH: clu2 is no longer
> fenced off.
>      [1]         [2]      [3]               [4]         [5]
> 
> Each entry in the log file contains the following information:
> •	[1] Date and time
> •	[2] Hostname
> •	[3] Cluster resource or daemon
> •	[4] Severity
> •	[5] Message

That's a log message from ClusterSuite. If you're not specifically 
examining ClusterSuite log files, you shouldn't worry about that page.

> 
> This, however, is not an explicit specification and also shows signs of
> inconsistency, with the severity tag missing (when Port 0 is turned on),
> and the date seeming somewhat incomplete.  I believe the severity tag is
> configurable through syslog.conf?

The field you've listed as the 'severity' tag, in fact, isn't. This is 
the internal ClusterSuite log level - it has nothing to do with syslog.

> 
> If anybody can direct me to an explicit technical specification for Red
> Hat Linux Enterprise’s syslog format, it would be appreciated.

It's not Red Hat specific. It's a standard system logger daemon, that 
logs in the 'normal' format. Observe:

Red Hat Enterprise Linux 4.3
----------------------------
[root@schnell ~]# uname -a
Linux schnell.gsslab.lhr.redhat.com 2.6.9-34.EL #1 Fri Feb 24 16:44:51 EST 2006 i686 i686 i386 GNU/Linux
[root@schnell ~]# cat /etc/redhat-release
Red Hat Enterprise Linux AS release 4 (Nahant Update 3)
[root@schnell ~]# rpm -q sysklogd
sysklogd-1.4.1-26_EL
[root@schnell ~]# logger -p local7.info -t myapp -i "This is a test message"
[root@schnell ~]# tail -n1 /var/log/messages
May 11 11:46:24 schnell myapp[3494]: This is a test message

Debian Sarge
------------
tardis:~# uname -a
Linux tardis 2.6.12.6-xen0-dead.li-20060326 #2 SMP Sun Mar 26 15:10:46 BST 2006 i686 GNU/Linux
tardis:~# cat /etc/debian_version
3.1
tardis:~# dpkg -p sysklogd|grep Version
Version: 1.4.1-17
tardis:~# logger -p local7.info -t myapp -i "This is a test message"
tardis:~# tail -n1 /var/log/messages
May 11 11:40:47 localhost myapp[26894]: This is a test message

As you can see - the output is the same. Let's break down the line:

May 11 11:46:24 schnell myapp[3494]: This is a test message
[DATE] [ TIME ] [HOST ] [TAG][ PID]: [MESSAGE]

PID is optional - not everything includes it. TAG is generally the 
application name, but this can be set to anything you like.

Comparing this to the line you posted:

Jul 18 20:51:17 clu1 clufence[30780]: Port 0 being turned on.
[DATE] [ TIME ] [HN] [  TAG ][ PID ]: [MESSAGE]

Hope this helps,

/j
-- 
Jon Fautley RHCE, RHCX <jfautley at redhat.com>   direct: +44 1483 739615
  Technical Account Manager                     office: +44 1483 300169
  Red Hat UK                                    mobile: +44 7841 558683
  10 Alan Turing Road, Surrey Research Park, Guildford, Surrey, GU2 7YF
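
Added example (not part of the original post or of sysklogd): a Python parser for the DATE TIME HOST TAG[PID]: MESSAGE layout broken down above, with the PID optional and a ClusterSuite-style "<info>" marker kept as part of the message. The names parse_line, LINE_RE, APP_LEVEL_RE and the app_level field are assumptions made for this example, and the caller supplies the year because the line does not carry one.

```python
import re
from datetime import datetime

# Layout from the post: DATE TIME HOST TAG[PID]: MESSAGE, with [PID] optional.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\s:\[\]]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<message>.*)$"
)
# Application-internal level such as ClusterSuite's "<info>"; it is part of
# MESSAGE, not a syslog field (assumed shape: lowercase word in angle brackets).
APP_LEVEL_RE = re.compile(r"^<(?P<level>[a-z]+)> ")


def parse_line(line, year):
    """Parse one line; return a dict, or None if it does not fit the layout.

    The timestamp in the file has no year, so the caller must supply one.
    """
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(f"{year} {rec.pop('ts')}", "%Y %b %d %H:%M:%S")
    rec["pid"] = int(rec["pid"]) if rec["pid"] is not None else None
    lvl = APP_LEVEL_RE.match(rec["message"])
    rec["app_level"] = lvl.group("level") if lvl else None
    return rec


# First two lines are from the post (second one unwrapped);
# the last two are constructed samples.
SAMPLE = [
    "May 11 11:46:24 schnell myapp[3494]: This is a test message",
    "Jul 18 20:51:17 clu1 clufence[30780]: <notice> STONITH: clu2 is no longer fenced off.",
    "May 11 11:47:02 schnell kernel: constructed line without a PID",
    "this line does not follow the layout",
]

if __name__ == "__main__":
    for raw in SAMPLE:
        print(parse_line(raw, 2006))
```

Lines that return None are worth counting rather than discarding, since a log consumer that silently drops them loses visibility of anything that does not match the expected layout.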



