2008-04-19

What’s the difference between /var/log/messages and /var/log/syslog?

This is very embarrassing, but to this day I’ve never paid attention to the semantics of these two files. When I wanted to look at something, I’d just grep /var/log/*.

Turns out the log files are just a convention spelled out in /etc/syslog.conf (read syslog(3) and syslog.conf(5) if you don’t know syslog). These are the relevant lines in Debian defaults:

*.*;auth,authpriv.none      -/var/log/syslog

*.=info;*.=notice;*.=warn;\
    auth,authpriv.none;\
    cron,daemon.none;\
    mail,news.none      -/var/log/messages

The first line means: send all classes of messages (“facilities”) to /var/log/syslog, except the auth and authpriv facilities — these are sent to /var/log/auth.log instead (“auth” is just the deprecated name of “authpriv”).

The second line means: send all messages exactly at the levels of “info”, “notice”, and “warn” to /var/log/messages, except those from the listed facilities.

So /var/log/messages ⊂ /var/log/syslog; and, further, messages only contains generic non-critical messages. I have no idea why people use that, but there you go. If you want a complete log, you should look at /var/log/syslog and /var/log/auth.log.
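The following is an added example, not part of the original post: a small Python evaluator for the two selector lines quoted above. It shows which of the two files a given facility/level pair lands in, and checks that everything in messages also appears in syslog. It covers the `*`, `none`, `=level` and plain `level` forms only (the `!` negation from syslog.conf(5) is not handled), and the function names are made up for this illustration.

```python
# Added example: evaluates sysklogd-style selectors (syslog.conf(5)).
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + [f"local{i}" for i in range(8)]

# The two Debian rules quoted in the post, continuation lines joined.
# The leading "-" on the file name (skip sync after each write) is dropped.
RULES = [
    ("*.*;auth,authpriv.none", "/var/log/syslog"),
    ("*.=info;*.=notice;*.=warn;auth,authpriv.none;"
     "cron,daemon.none;mail,news.none", "/var/log/messages"),
]

def _level(name):
    return LEVELS.index(ALIASES.get(name, name))

def matches(selector_field, facility, level):
    """True if the selector field selects a message of this facility/level."""
    selected = False
    for selector in selector_field.split(";"):   # later selectors override earlier
        facs, prio = selector.rsplit(".", 1)
        if facs != "*" and facility not in facs.split(","):
            continue                              # selector is about other facilities
        if prio == "none":
            selected = False                      # exclude this facility entirely
        elif prio == "*":
            selected = True
        elif prio.startswith("="):
            selected = selected or _level(level) == _level(prio[1:])
        else:                                     # plain level: that level and above
            selected = selected or _level(level) <= _level(prio)
    return selected

def destinations(facility, level):
    return [path for field, path in RULES if matches(field, facility, level)]

def messages_is_subset_of_syslog():
    return all("/var/log/syslog" in destinations(f, l)
               for f in FACILITIES for l in LEVELS
               if "/var/log/messages" in destinations(f, l))

if __name__ == "__main__":
    for fac, lvl in [("kern", "info"), ("kern", "err"), ("cron", "notice"),
                     ("authpriv", "info"), ("user", "debug")]:
        print(f"{fac}.{lvl:8} -> {destinations(fac, lvl) or 'neither file'}")
    print("messages subset of syslog:", messages_is_subset_of_syslog())
```

Note that `authpriv.info` matches neither rule, and `kern.err` reaches syslog but not messages, so a search limited to /var/log/messages misses both authentication events and anything at `err` or above.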
