Web Site Hosting
Our Network
Technical Support
Web Site Design
Miscellaneous



 

Your VPS2 has four main types of log files

  • E-mail, located at /var/log/maillog
  • FTP, located at /var/log/messages
  • Web, located at /usr/local/apache/logs
  • System logs, located at /var/log/

Each log file contains helpful diagnostic information, and while logs are quite useful, they can also cause problems if they are not regularly maintained.

E-mail Log Files

Each time a message passes through the SMTP servers, Sendmail logs the transaction to /var/log/maillog. (POP and IMAP account accesses also log to this file.) By default, /var/log/maillog is rotated daily, with eight days' worth of backups kept. (The sendmail.st (sendmail statistics file) is rotated weekly and is configured in /etc/syslog.conf.)

Viewing the /var/log/maillog File

Maillog is useful when you are troubleshooting e-mail problems.

    1. Type:
      % tail -f /var/log/maillog
    2. The tail command prints the last ten lines of the named file. Use the -f option to "follow" the file as it grows. Exit tail by pressing ctrl-c.

Note: Before resetting the log, you can prepare archival copies with tar or zip and then transfer them using FTP from your server to your local computer.

maillog data look similar to the following two-part message sample from a default Sendmail configuration of level 9.

Part 1

Mar 19 18:10:19 envy sm-mta[4247]: h2JIAImx004247: from=<bob@your_company.com>, size=978, class=0, nrcpts=1, msgid=<20030319113738.W87363-100000@your_company.com>, proto=ESMTP, daemon=MTA, relay=other_company.com [199.104.125.167]

The sender of the above message is bob@your_company.com. Its queue identifier is h2JIAImx004247. The message body has 978 bytes. It was sent first-class priority (class=0). It had a single recipient. Its message ID is 20030319113738.W87363-100000@your_company.com. It uses the ESMTP protocol. The mail transfer agent daemon received the message. The host that sent the message was other_company.com, whose IP address is 199.104.125.167.

Part 2

Mar 19 18:10:25 envy sm-mta[4283]: h2JIAImx004247: to=<bob@your_company.com>, delay=00:00:06, xdelay=00:00:06, mailer=esmtp, pri=30899, relay=personalmailserver.com. [128.121.230.54], dsn=2.0.0, stat=Sent (h2JIAKFq089777 Message accepted for delivery)

The message is addressed to bob@your_company.com. Delivery required 6 seconds. The transaction delay (for this address only) was also 6 seconds. (That makes sense, since this message was sent to only one recipient--see nrcpts in first log entry.)

Since this message is being relayed--because of a virtusertable entry--to another address, on another server), it will be "delivered" by the ESMTP mailer. The priority for this delivery attempt is 30899.The outgoing server that this mail is being relayed to is personalmailserver.com, whose IP address is 128.121.230.54. The delivery status (DSN=delivery status notification) of 2.0.0 means that delivery was successful.

DSN (delivery status notification) of:

2.x.x indicates successful delivery
4.x.x indicates that a temporary error occurred. (The mail will be queued and delivery will be retried later.)
5.x.x indicates a permanent error. The mail will be bounced or rejected.

The mail was sent successfully (stat=Sent). The parenthetical expression after the "Sent" is the message that the receiving server replied with.

The following table explains a maillog entry in more detail.

Access Log Part

Sample Entry

Description

Time stamp

Mar 19 18:10:19

Log entry recorded to the second.

Host

envy

First part of domain name; indicates the host server.

Process owner/Process ID

sm-mta[4247]:

The part outside of brackets indicates the owner of the process (Sendmail, the mail transfer agent). The number in brackets is the process ID used to execute the task.

Message ID

h2JIAImx004247

ID assigned to each message sent through sendmail

Delivery agent

from <weldon@whipple.org>

The recipient or sender of the message

Size (in bytes)

size=978

The size of the message (in bytes) sent during the data phase (does not include the headers).

Class

class=0 (ranges from 100 (special del) to -200 (bulk)

Class indicates the precedence (set by a numerical value) of a message. The higher the value, the higher priority a message has in the mail queue.

nrcpts

nrcpts=1

Number of recipients message will be delivered to (includes cc and bcc recipients)

msgid

msgid=<20030319113738.W87363100000@gabriel.whipple.orem.ut.us>

Identification number assigned to message.

daemon

daemon=MTA (mail transfer agent)

Sender’s server daemon used to deliver message.

proto

proto=SMTP

The protocol (SMTP or ESMTP or internal) used to send the message.

relay

relay=domain.com [xx.xx.xx.xx]

The server that sent or accepted the message. Its IP is in square brackets.

stat

stat=Sent

Indicates the status of the delivery, typically logged as “Sent” or “Queued”.

Resetting the /var/log/maillog File

To reset /var/log/maillog, type:

% cat /dev/null > /var/log/maillog

This action clears the file.

FTP Log Files

FTP transactions and accesses are logged to the /var/log/messages file. By default, the messages file is rotated periodically. Each entry, one per line, contains the following:

  • A time stamp (recording the date and time of the log entry)
  • The name of the originating program
  • The text of the log entry
Viewing the /var/log/messages File

To view the messages file:

    1. Type.
      % tail -f /var/log/messages
    2. The tail command prints the last ten lines of the named file. Use the -f option to "follow" the file as it grows. Exit tail by pressing ctrl-c.
Resetting the /var/log/messages File

Before resetting (clearing) the log, prepare archival copies, if necessary. You can do this, for example, by archiving your files with tar or zip and then copying them using FTP from your server to your local computer. To reset /var/log/messages, type:

% cat /dev/null > /var/log/messages

This action clears the file.

Web Logs

Your VPS2 Web service logs all traffic at your Web site to log files located in the /usr/local/apache/logs directory. Your VPS2 is configured to use the Combined Log Format, comprised of two log files: 

  • access_log
  • error_log

The default directive definitions in /www/conf/httpd.conf should be adequate for most circumstances. However, if you want to modify these directives, see “Advanced Web Server Configuration”

Viewing the access_log File

The access log contains TransferLog, AgentLog, and ReferrerLog data, If your log file is not empty, the tail command displays an echo of the latest entries in the access log file. Each entry line represents a resource request.

    1. Go to /usr/local/apache/logs/access_log.
    2. Use the tail command to print the last ten lines of the named file. Use the -f option to follow the file as it grows.
      % tail -f access_log
Each entry in the access log is comprised of six specific parts. Consider the following example:
some.remote.host - user - [19/Aug/1998:13:48:56 –0600] "GET /index.html HTTP/1.0" 200 4817 "http://www.yahoo.com" "Mozilla/4.75 [en] (Windows NT 5.0; U)"
This entry suggests that on the 19th of August 1998 at 1:48:56 in the afternoon Mountain Standard Time (or some other –0600 time zone), a remote host "some.remote.host" requested the URL "index.html" using an HTTP/1.0-compliant browser. The server found the resource requested (status code 200) and returned it to the client. The document was 4817 bytes in length. The request came from a link on Yahoo's home page (the referring site), and the user was using Netscape Navigator v4.75 ("Mozilla" is how Netscape identifies itself to Web servers).

The following table explains this example in more detail.

Access Log Part

Sample Entry

Description

host name

some.IP.address

Represents the IP address of the remote host that requested the resource.

user ID

user

The User ID that was required in order to access the requested resource. If the resource that was requested requires no user authentication, then this data field will be left blank.

time stamp

[19/Aug/1998:13:48:56 –0600]

[Enclosed by square brackets] the log entry is precise to the second.

resource request

"GET /index.html HTTP/1.0"

The resource request itself is comprised of three data fields: 1) the method of the request (GET, POST, etc.). 2) the local URL of the resource requested. 3) the HTTP version used by the client (which in most cases is HTTP/1.0).

Numeric status code that represents the server's response to the request

200

The HTTP Status Codes range in value from 200 to 599. Values from 200-299 indicate successful responses. Values that range from 300-399 indicate redirection, i.e. the resource at the requested URL as moved to another location. Any status code with a value of 400 or above indicates the request encountered an error.

size

4817

Exact size (in bytes) of the requested resource

referrer

"http://www.yahoo.com"

A record of the document from which a resource was requested (e.g. if users came to your site from Yahoo’s Web site, that information would be recorded here).

agent

"Mozilla/4.75 [en] (Windows NT 5.0; U)"

The agent log is simply a list of the browsers (or spiders) that are accessing your Web site. Each time a request is received by your Web server, the type of browser that made the request is recorded.
    1. Exit the access_log file by pressing ctrl-c.

Testing the access_log File
Use a browser to access the main index page of your VPS2. As you access the page using a browser, new log entries append to the log file. The entries appear as follows:
some.IP.address - user - [access date and time] "request" status bytes_sent file_sent referrer agent
Viewing the error_log File

The error log contains any errors that users experienced when they tried to download pages from your Web site. Download the error log file from time to time and take a look at what it contains. It may help you discover broken links on your site or external links on someone else's site.

    1. Go to /usr/local/apache/logs/error_log.
    2. Use the tail command to print the last ten lines of the named file. The -f option allows you to follow the file as it grows.
      % tail -f error_log
    3. Exit by pressing ctrl-c.

You can control the detail level of the error log file by using the LogLevel directive in the /www/conf/httpd.conf file.

Testing the error_log File

Open a browser and go to: http://www.your_company.com/bogus-filename.html

Assuming that the file bogus-filename.html doesn't exist, a new entry will be added to your error log file that looks like this:

[date and time] access to /usr/local/etc/httpd/htdocs/bogus-filename.html failed for some.remote.host, reason: File does not exist

Resetting access_log and error_log

Your VPS2 is configured to rotate these log files weekly. Check the /etc/syslog.conf file to see the schedule.

If you want to use another tool to manually clear the log files, you may install Savelogs.

Rotatelogs is a wrapper that you include in the Log definition in the /usr/local/apache/conf/httpd.conf.


System Logs

The VPS2 environment has additional complexity when dealing with system logs. A system log is any file created on the computer to provide more information about a process. What you log and what you disable is your decision.

This section covers the more common logs and the data that are kept in the file. The majority of services also offer the ability to configure your own logs and content of each file. The common location for these logs is the /var/log directory.

The main configuration file is the /etc/syslog.conf. You can read additional information about logs setup with the process syslog in the FreeBSD Handbook. This is the default file.

If you make any changes to this file, you need to send an HUP to the process, to reread the configuration file, by killing the syslog daemon. To do this, type

# kill -HUP pid

syslog.conf looks like this:

# $FreeBSD: src/etc/syslog.conf,v 1.13.2.3 2002/04/15 00:44:13 dougb Exp $
#
# Spaces ARE valid field separators in this file. However, other *nix-like systems still insist on using tabs as field
# separators. If you are sharing this file between systems, you
# may want to use only tabs as field separators here.
# Consult the syslog.conf(5) man page.
*.notice;lpr.info;mail.crit;news.err /var/log/messages
security.*                 /var/log/security
auth.info;authpriv.info    /var/log/auth.log
mail.info /var/log/mailloglpr.info  /var/log/lpd-errs
cron.*              /var/log/cron     
*.emerg                                         *
# uncomment this to enable logging of all log messages to /var/log/all.log
# touch /var/log/all.log and chmod it to mode 600 before it will work
#*.*                                            /var/log/all.log
# uncomment this to enable logging to a remote loghost named loghost
#*.*                                            @loghost
# uncomment these if you're running inn
# news.crit           /var/log/news/news.crit
# news.err            /var/log/news/news.err
# news.notice         /var/log/news/news.notice

You can enable a log file that will write every message that the system is receiving, but this is not recommended unless you are closely monitoring your disk space. You can also enable remote logging but this can potentially cause a significant load on the machine.

The following are priority levels within syslog.conf.

  • LOG_EMERG - A panic condition.  This is normally broadcast to all users.
  • LOG_ALERT - A condition that should be corrected immediately, such as a corrupted system database.
  • LOG_CRIT - Critical conditions, e.g., system errors.
  • LOG_ERR - Errors.
  • LOG_WARNING - Warning messages.
  • LOG_NOTICE - Conditions that are not error conditions, but should possibly be handled specially.
  • LOG_INFO - Informational messages.
  • LOG_DEBUG - Messages that contain information of normal use on when debugging a program.

syslog.conf: generates the following files in the /var/log directory. Check syslog.conf for exact information that each contains. Emergency messages are printed to the screen for the accounts such as the machine rebooting.

File

Description

messages

Contains ftp logins and critical mail problems

auth.log

Tracks all uses of the authentication system: login, getty, su

lpd-errs

Contains line printer options

maillog

Contains all information messages that are sent by the mail programs

cron

Contains all cron messages

console log

Displays the output to the console as the system boots

lastlog

Log file in binary format for the “last” command

adduser

Tracks the addition of users to the system

userlog

Tracks the changes to the users on the system

xferlog

Tracks transfers through the ftp server

syslog is a powerful feature that automatically rotates the logs to ensure that your disk quota is not negatively affected. However, unforeseen problems can drastically affect the size of these logs. See the syslog man page for more information.

Analyzing Log Files

The amount of actual data logged in your Web server log files is intimidating even on relatively low traffic sites. To make any sense of the data, you might want to use a log file analysis program to process, analyze, and generate reports for you. Fortunately, there are numerous programs available that analyze Web server log files and create HTML, text, or e-mail reports of your Web server traffic.

Some log analysis programs require a specific log format (i.e. combined or common). Make sure the log format configured on your VPS2 is appropriate for the log analysis program you select. (The default configuration is the combined log format.)

Urchin and Analog are just two of the available tools you can use. Some software packages are more difficult to use since they must be run from the command prompt, but they are simple to install and free of charge. For more details about log analysis software packages, see VPS Hosting's Web site.

Rotating and Clearing Log Files

The following programs rotate logs on your VPS2.

syslog (on your <product_name by default) is a powerful feature that automatically rotates the logs to ensure that your disk quota is not negatively affected. The main configuration file is /etc/syslog.conf.  Syslog generates the log files found in /var/log. The other configuration file, /etc/syslog.conf controls what gets rotated and when. The default configuration rotates /var/log/maillog and /var/log/messages, but not Apache logs.

rotatelogs (/usr/local/apache/bin/rotatelogs) is a wrapper you can use in the log definitions. Add the following two lines in the Web server configuration file, /www/conf/httpd.conf to rotate Web log files:

TransferLog “|/usr/local/apache/bin/rotatelogs /path/to logs/access_log 86400”
CustomLog “|/usr/local/apache/bin/rotatelogs /path/to logs/error_log 86400”

where path/to/logs is the path to access and error logs on your VPS2. The last argument (86400) is how often (in seconds) you want to rotate the log file.

savelogs is an archival program you can vinstall and use to move (rename) the log file, filter data from the log file, store the log file in an archive (using tar or gtar), and compress the archive (using gzip or compress). After successful compression, the original log file is deleted.

Using the cron Scheduler

The cron daemon is a system scheduler on your VPS2 that runs events daily, weekly, monthly, hourly, or whenever. Any command or set of commands you can run from a command prompt, can also be run from cron. For detailed information on cron , read the cron man page

Any user with shell access can create a cronjob. The user who creates the cronjob is the only user (except for root) who can edit it.

The most effective way to use cron is to load the scheduled tasks into the cron daemon from a file that you have created and stored on the VPS2. Although it is possible to manipulate cron directly, loading cron jobs from pre-formatted files will ensure that you have a copy of the file around for editing and for archival purposes. A common place to put such a cron file is in a directory called cronfiles in the /etc.

To create a cronjob, you must first create a file (or files) on the server to hold the cronjobs. Name it whatever you want (cronfiles), and place it anywhere on the server you have access to.

The following example uses “cronjob”.

    1. Go to the directory you want to create the cron file in.
    2. Create the cronjobfile. After you have created the file, and placed a cronjob in it, the file must be registered with the cron daemon.
    3. To register the file, type: 
      # crontab /cronjobs 
      Replace /cronjobs with the name and the path of the file you created.
    4. Type
      # crontab –l.
      to see what cronjobs the user has registered with cron.
      The first portion of the Cronjob tells the server when to perform the task.
      0 0 * * * /bin/ps -x | /usr/bin/grep aftpd | /usr/bin/awk '{fs=" "}{print |" "}‘ | /usr/bin/xargs kill -9
    • The first “0” specifies minutes.
    • The second “0” specifies hours.
    • The third “*” specifies days.
    • The fourth “*” specifies months.
    • The fifth “*” specifies week

Creating and Using the cronfiles Directory

You need a directory to store your cron information.

    1. Type:
      % cd /etc
      % mkdir cronfiles
    2. After you have made the cron file, load it into the cron daemon.
      % cd /etc/cronfiles
    3. If you have placed a cron file in the directory named my_cron_file, load the file into the cron program by typing:
      % crontab my_cron_file
    4. A copy of the cron file you created is in memory in the cron program. To view cron 's copy in memory, you can call the cron program with the -l (list) option:
      % crontab -l
    5. cron has other command line options such as "edit" and "remove". Use them to manipulate the information that cron has in memory. For example, to add another event to the cron information, use the crontab -e option:
      % crontab -e
      This option takes the copy of the entry that is stored in the cron programs memory, and allows you to edit it. This is, however, a less preferable option than changing the physical file and re-loading it into cron, because the changes are not physically stored anywhere accept in cron 's memory.
    6. To remove the cron entry you just loaded, type:
      % crontab -r
      Note: If you created a cron entry with crontab -e and you run crontab -r, you will lose your cron entry forever. This is a good reason to keep a physical copy of your cron file and load it into memory.

Cron Files and Commands

In a cron file, blank lines are ignored. Lines beginning with a pound sign (#) are comments. There are two types of cron entries: environment variables and cron commands.

Environment Variables

Environment variables have the form:

name = value

The spaces around the equal sign are optional and any spaces in the "value" will be included in the value being set. The value string may be placed in quotes (either single or double) to preserve leading or trailing spaces.

One environment variable that can be set is the MAILTO variable. If MAILTO is defined, any mail that is sent by cron, such as error notifications, is sent to the address assigned to the variable. If this value is not explicitly defined, error mail messages will be sent to the VPS2's Administrative User. For example, if your VPS2's administrative user login name were "joe", administrative e-mail from the cron daemon would be sent to joe@your_company.com. An example MAILTO entry might look like:

MAILTO=johndoe@your_company.com

If MAILTO is defined as follows, no mail will be sent from cron :

MAILTO=""

cron Commands

Each command entry in a cron file is composed of a series of fields that cron uses to determine what event to run at a specific time and date. The first five fields (space delimited) specify time and date information as follows:

CRON Time and Date Fields

Field

Meaning

Range

Minute

Minutes after the hour

0-59

Hour

Hour of the day

0-23 (0=midnight)

Day of Month

Numeric day of the month

1-31

Month

Month of the year

1-12

Day of Week

Day of the week

0-6 (0=Sunday)

The following command runs at midnight every day, every month, and every week.

0 0 * * * /bin/ps -x | /usr/bin/grep aftpd | /usr/bin/awk '{fs=" "}{print |" "}‘ | /usr/bin/xargs kill -9
  • The “*” represents a wildcard that tells cron to run all the time.
  • The “0” tells cron to run the first minute of the hour.
  • The second “0” tells cron to run at midnight.
  • The three “*” tells cron to run every Day, Month, and Week.

An asterisk may be used as a wildcard meaning "first through last". The asterisk is used when you want an event to occur for every allowable value. For example, if you wanted to schedule your log files to be purged on a monthly basis you could place an asterisk in the Day of Month field. As you might imagine, it would be unwise to put an asterisk in the Minute field of the cron file as it may cause too much of a load on your VPS2.

Ranges such as two numbers separated with a hyphen ("-") are allowed. For example, if you wanted the cron to send you e-mail to warn you that your taxes are due April 15th, and you want to be warned starting in January until they are due in April, you could create a cron file with the value 1-4 in the month field, and the cron would run starting in January until April. You can specify a list of values by separating the numbers with a comma. For example, 1,7,9,10 would be the months January, July, September, and October. Skip values can be specified with the / sign. For example, 1-12/2 would be every other month. Names can also be used for the month and day of the week fields. The first three letters of the month or day can be used. This option is not allowable with ranges or lists.

Here are some additional examples of valid time/date values:

Example:

What it does (examples are in the hour field)

8-12

Event will execute each hour in the range 8,9,10,11,12

1,4,5,7

Event will execute each hour specified 1,4,5,7

0-4,8-12

Event will execute each in the two ranges

0-23/2

Event will execute every other hour 2,4,6,8....

*/2

Same as above

The sixth field in a cron file (i.e., rest of the cron line) is where you place the command you want to run. The entire command portion, up to the new line character or the % character will be executed by /bin/sh (or the shell you have specified with the SHELL environmental variable). Percent signs in the command, unless they are escaped with a backslash (\) will be changed into new line characters and all data after the first % will be sent to the command as standard input.

The following is an example of using cron for mailing a notice about taxes:

# This is a comment.
SHELL=/bin/csh
MAILTO=johndoe@your_company.com
5 22 14 1-4 * mail -s "Your taxes are due on April 15th"
joe@your_company.com%Joe,%%Fill out your taxes!%

Note: Do not place hard returns in cron commands, because the line wraps on its own. Hard returns tell cron that the end of the cron command has occurred.

The following is an example of using cron to delete logs every month:

MAILTO=johndoe@your_company.com
1 3 * * * cat /dev/null > /var/log/messages

Notice the use of the command in the above example. The command is used to run scripts from the user's home directory.

cron jobs do not run in the VPS2's environment. They run in the physical server's environment, but they run under the VPS2's User ID (a special number that keeps track of users, what files they own, and what processes they own). For this reason, when you try and run scripts or programs from cron, you must include the full path to the script. This includes the path to your home directory. For example, if my SSH login were "joe", the path to my home directory would be /usr/home/joe/. This is the path from the physical server's root file structure.

The following is an example of using cron for sending a notice to occasionally mail information to Judy:

01 09 14,30 1,3,5,7,8,10,12 * cat /etc/ cron file/my_ cron _file | /usr/bin/mail -s "Message goes here" judy@abc_company.com

The following is an example of using cron for automating stats with getstats:

40 19 * * * /usr/local/bin/getstats -d -f | /usr/bin/mail -s "HTTP Daily stats" judy@your_company.com
 
 
Copyright 1996-2009 by VPS Hosting. - All Rights Reserved.

FrontPage and Microsoft are Registered Trademarks of Microsoft Corporation. All other Trademarks are the property of their respective owner(s).