How to view '/var/log/syslog' contents without crash

For various reasons it is necessary for me to check the log of my computer in /var/log/syslog, but this has become a bit of a problem because I am not actually able to view the logs in that file because every time that I open it (no matter which program I use) it crashes. For instance if I open it in nano, gedit, cat, or even the main log viewing program, I get a crash such as this one because there is just too much data in the file to load:

Main log veiwer GUI crashed

So really my question is, how can I view syslog without the viewer crashing? Am I doing something wrong? Or is there just a better way that everyone use and I am not aware of?


OS Information:

Description:    Ubuntu 15.04
Release:    15.04

Solution 1:

TL;DR :

The problem was due to the file var/log/syslog being very large in size with kernel especially ufw dumping a lot of UFW_AUDIT logs regularly. To solve the problem we need to set the LOGLEVEL of ufw as low in the ufw configuration file /etc/ufw/ufw.conf:

sudo sed -i '/^LOGLEVEL/s/=.*/=low/' /etc/ufw/ufw.conf

From man ufw:

Loglevels above medium generate a lot of logging output, and may 
quickly fill up your disk. Loglevel medium may generate a lot of 
logging output on a busy system.

DETAILS :

There might be many reasons why the error

Stream has outstanding operation

is shown. The most common two being the file is too large in size to be read and file has unusual contents that could not be read.

At first we have considered the first cause i.e. file is too big (i will show the steps one by one as we have done it):

  • At first we need to check how many lines are there in /var/log/syslog and it turned out to be quite unusual:

    $ wc -l /var/log/syslog
    1308061 /var/log/syslog
    
  • As the file has 1308061 number of lines which is quite big, we need to check how the logrorate is configured for rsyslog by:

    sed -n '/\/var\/log\/syslog/,/^}$/p' /etc/logrotate.d/rsyslog
    

This have shown that /var/log/syslog will rotate every day with logs older than one week being deleted, which is the default.

  • Next we need to check /var/log/syslog to see which process is writing most logs to the file using the command:

    less /var/log/syslog | tr -s ' ' | cut -d' ' -f5 | sort | uniq -c | sort -rn
    

This will show us the processes written most lines in the file in a descending order. We found that kernel has written to file the highest with the count being very high (1761519). The next is thermald with its several processes wrote about 5K times.

  • Considering 1kernel1 as the source of this anomaly, we have checked for a pattern in the /var/log/syslog that is occurring regularly by:

    grep "kernel" /var/log/syslog | less 
    

and found one that was about UFW AUDIT and it was very very regularly writing in the log file.

  • ufw will dump these messages if the LOGLEVEL is set as medium and more. To find the current value:

    $ grep -i "^loglevel" /etc/ufw/ufw.conf
    LOGLEVEL=full
    

Thats the source of the problem, to get rid of these regular messages it needs to be LOGLEVEL=low, it should be sufficient in most cases. From man ufw:

low    logs all blocked packets not matching the default policy 
(with rate  limiting), as well as  packets  matching  logged rules.

Check the LOGGING section of man ufw to get more idea on ufw logging.

Solution 2:

Try less /var/log/syslog

Press shift-f to go to the end of file and monitor changes like tail -f /var/log/syslog

You should see your log file.

There must be some garbage on them or maybe size issues that are preventing the Syslog app to view them. So, rename it and try to open the Syslog app again. You should be able to see your new log file.