Syslog Explained

Syslog is the traditional Unix logging standard. It defines how processes send log messages and how the syslog daemon routes them to files or remote servers. On Ubuntu, rsyslog is the syslog daemon that receives messages from the kernel, system services, and applications, and routes them to the appropriate files in /var/log/. Understanding syslog facilities and severity levels helps you configure what gets logged where, and how to filter logs effectively.

What is syslog?

Syslog architecture:
  Application uses syslog() syscall or logger command
      ↓
  /dev/log (Unix socket)
      ↓
  rsyslog daemon reads the socket
      ↓
  rsyslog applies rules from /etc/rsyslog.conf
      ↓
  Routes messages to:
    - /var/log/syslog (all messages)
    - /var/log/auth.log (auth messages)
    - Remote syslog server (if configured)

rsyslog on Ubuntu

# rsyslog is the standard syslog daemon on Ubuntu
sudo systemctl status rsyslog

# Where rsyslog writes logs (configured in /etc/rsyslog.conf):
cat /etc/rsyslog.conf | grep -E "^[^#].*log"

# Main config files:
# /etc/rsyslog.conf          — main configuration
# /etc/rsyslog.d/*.conf      — additional rules (modular config)

Facilities and severity levels

Facility	What it covers
kern	Kernel messages
auth, authpriv	Authentication (SSH, sudo, PAM)
cron	Scheduled job execution
daemon	General daemon messages
mail	Email system
local0-7	Customizable for applications

Severity	Level	Meaning
emerg	0	System is unusable
alert	1	Action must be taken immediately
crit	2	Critical conditions
err	3	Error conditions
warning	4	Warning conditions
notice	5	Normal but significant
info	6	Informational
debug	7	Debug-level messages

rsyslog configuration

# rsyslog rule syntax: FACILITY.SEVERITY  DESTINATION
# Period separator between facility and severity
# * = all facilities or all severities

cat /etc/rsyslog.d/50-default.conf

Default Ubuntu rsyslog rules (simplified)

auth,authpriv.*          /var/log/auth.log      ← Auth events to auth.log
*.*;auth,authpriv.none   /var/log/syslog        ← Everything except auth to syslog
kern.*                   /var/log/kern.log       ← Kernel messages
cron.*                   /var/log/cron.log       ← Cron jobs

# Add a custom rule (create a new file in rsyslog.d):
sudo nano /etc/rsyslog.d/99-myapp.conf

Custom rsyslog rule to capture local7 facility

# Route local7 facility (used by nginx for access logs) to a file
local7.*    /var/log/nginx-syslog.log

# Log everything from crit severity and above to a separate file
*.crit      /var/log/critical.log

sudo systemctl restart rsyslog

Forwarding logs to a remote server

# Forward all logs to a central syslog server
# Add to /etc/rsyslog.conf or /etc/rsyslog.d/99-remote.conf:

# UDP forwarding (lower overhead, no delivery guarantee):
*.* @syslog-server.corp:514

# TCP forwarding (reliable delivery, higher overhead):
*.* @@syslog-server.corp:514

# Forward only important messages:
*.crit @@syslog-server.corp:514
auth,authpriv.* @@syslog-server.corp:514

# Test the configuration
sudo rsyslogd -N1    # Verify config syntax
sudo systemctl restart rsyslog

# Send a test message
logger -t mytest "Test message from $(hostname)"
# Should appear in both local /var/log/syslog and remote server

Conclusion

rsyslog routes log messages based on facility.severity rules. The most important log files for daily administration are /var/log/auth.log (authentication) and /var/log/syslog (everything else). For production servers, configure forwarding to a remote syslog server — this both centralizes logs for easier searching and protects them from tampering if the server is compromised. Use the logger command to test your configuration: any message it sends should appear both locally and on the remote server.

FAQ

Why should administrators understand Syslog Explained?+

Because this topic affects planning decisions, server lifecycle, compatibility, support expectations, or how you reason about Ubuntu systems before making operational changes.

Do I need a lab for this topic?+

A lab is useful for checking commands and seeing the concept on a real Ubuntu machine, but the main value is understanding the decision, tradeoff, or system behavior clearly.

How should I use this knowledge in production?+

Use it to make better choices, document why those choices were made, and avoid rushed changes that ignore support windows, compatibility, stability, or operational risk.

Need help with Ubuntu administration?

Work directly with Muhammad Irfan Aslam for Ubuntu Server, Linux, cloud, Docker, DevOps, CI/CD, or infrastructure troubleshooting support.

Hire Me for Support