1

Is there a list of /var/log/messages event level keywords stored in a system file somewhere in CentOS 7 that would show all the possible "strings" to search for when grep'ing through /var/log/messages, or dmesg, etc?

I want to use a script for searching the most common or ALL possible events like err, error, failed, warning, kernel, etc.

Also, are the possible events different for logfiles messages, dmesg, cron, etc, or are the event keywords all alike through the different log files?

2 Answers

2

The log priority is not stored in /var/log/messages at all.

Like its predecessors, rsyslog uses the priority as a hint to determine where to route any given log message. By default, it does not log the priority itself.

However, the systemd journal does log the priority (and keeps a lot of other interesting metadata). You can use the -p option to journalctl to narrow down log messages by priority.

 -p, --priority= Filter output by message priorities or priority ranges. Takes either a single numeric or textual log level (i.e. between 0/"emerg" and 7/"debug"), or a range of numeric/text log levels in the form FROM..TO. The log levels are the usual syslog log levels as documented in syslog(3), i.e. "emerg" (0), "alert" (1), "crit" (2), "err" (3), "warning" (4), "notice" (5), "info" (6), "debug" (7). If a single log level is specified, all messages with this log level or a lower (hence more important) log level are shown. If a range is specified, all messages within the range are shown, including both the start and the end value of the range. This will add "PRIORITY=" matches for the specified priorities. 

See the journalctl man page for all of the ways in which you can search the journal.

1
  • On a systemd box, this is the correct approach. Trying to analyze logs by parsing /var/log/messages et al can only lead to pain. Commented Jul 14, 2016 at 11:00
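An added example, not part of the answer or comment above: a Python sketch that applies the `-p` semantics quoted from the man page (a single level, or a FROM..TO range) to records in the shape of `journalctl -o json` output. The function names and the sample records are constructed for illustration; `PRIORITY`, `SYSLOG_IDENTIFIER` and `MESSAGE` are the journal field names, and normalising a reversed range is an assumption.

```python
import json

# syslog(3) levels in numeric order: list index == numeric priority
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
VALID = {str(n) for n in range(len(LEVELS))}

def level_number(token):
    """Accept a numeric ("3") or textual ("err") level and return 0..7."""
    token = token.strip().lower()
    if token in VALID:
        return int(token)
    if token in LEVELS:
        return LEVELS.index(token)
    raise ValueError(f"unknown log level: {token!r}")

def priority_range(spec):
    """Single level: that level and everything more important; FROM..TO: inclusive range."""
    if ".." in spec:
        a, b = (level_number(t) for t in spec.split("..", 1))
        return min(a, b), max(a, b)  # assumption: a reversed range is normalised
    return 0, level_number(spec)

def filter_entries(lines, spec):
    """Return (level name, identifier, message) for each record matching spec."""
    low, high = priority_range(spec)
    out = []
    for line in lines:
        if not line.strip():
            continue
        entry = json.loads(line)
        prio = str(entry.get("PRIORITY"))
        if prio not in VALID:  # record carries no usable PRIORITY: skip, do not guess
            continue
        if low <= int(prio) <= high:
            out.append((LEVELS[int(prio)], entry.get("SYSLOG_IDENTIFIER", "?"), entry.get("MESSAGE")))
    return out

# Constructed sample records in the shape of `journalctl -o json` output
SAMPLE = [
    '{"PRIORITY":"6","SYSLOG_IDENTIFIER":"systemd","MESSAGE":"constructed info line"}',
    '{"PRIORITY":"3","SYSLOG_IDENTIFIER":"kernel","MESSAGE":"constructed error line"}',
    '{"PRIORITY":"4","SYSLOG_IDENTIFIER":"sshd","MESSAGE":"constructed warning line"}',
    '{"PRIORITY":"2","SYSLOG_IDENTIFIER":"kernel","MESSAGE":"constructed critical line"}',
    '{"SYSLOG_IDENTIFIER":"app","MESSAGE":"constructed record with no PRIORITY field"}',
]

if __name__ == "__main__":
    for name, ident, msg in filter_entries(SAMPLE, "warning..crit"):
        print(f"{name:8} {ident}: {msg}")
```

On a live system the same function can read the lines of `journalctl -o json` from standard input instead of `SAMPLE`.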
0

Parsing log-files on Linux systems is generally not trivial as the slogan "syslog-compatible" is often misused (https://en.wikipedia.org/wiki/Syslog) and existing standardization attempts (https://www.rfc-editor.org/rfc/rfc3164, https://www.rfc-editor.org/rfc/rfc5424) are often ignored.

There are existing log parsers that might help you with the task, logstash for example.
