How to view '/var/log/syslog' contents without crash
For various reasons it is necessary for me to check the log of my computer in /var/log/syslog, but this has become a bit of a problem because I am not actually able to view the logs in that file because every time that I open it (no matter which program I use) it crashes. For instance if I open it in nano, gedit, cat, or even the main log viewing program, I get a crash such as this one because there is just too much data in the file to load:
So really my question is, how can I view syslog without the viewer crashing? Am I doing something wrong? Or is there just a better way that everyone uses and I am not aware of?
OS Information:
Description: Ubuntu 15.04
Release: 15.04
Solution 1:
TL;DR:
The problem was due to the file /var/log/syslog being very large in size, with kernel, especially ufw, dumping a lot of UFW_AUDIT logs regularly. To solve the problem we need to set the LOGLEVEL of ufw as low in the ufw configuration file /etc/ufw/ufw.conf:
sudo sed -i '/^LOGLEVEL/s/=.*/=low/' /etc/ufw/ufw.conf
From man ufw:
Loglevels above medium generate a lot of logging output, and may
quickly fill up your disk. Loglevel medium may generate a lot of
logging output on a busy system.
DETAILS:
There might be many reasons why the error Stream has outstanding operation is shown. The two most common are that the file is too large in size to be read and that the file has unusual contents that could not be read.
At first we considered the first cause, i.e. the file is too big (I will show the steps one by one as we have done them):
- At first we need to check how many lines there are in /var/log/syslog, and it turned out to be quite unusual:
  $ wc -l /var/log/syslog
  1308061 /var/log/syslog
- As the file has 1308061 lines, which is quite big, we need to check how logrotate is configured for rsyslog by:
  sed -n '/\/var\/log\/syslog/,/^}$/p' /etc/logrotate.d/rsyslog
  This has shown that /var/log/syslog will rotate every day with logs older than one week being deleted, which is the default.
- Next we need to check /var/log/syslog to see which process is writing the most logs to the file using the command:
  less /var/log/syslog | tr -s ' ' | cut -d' ' -f5 | sort | uniq -c | sort -rn
  This will show us the processes that have written the most lines in the file, in descending order. We found that kernel has written to the file the most, with the count being very high (1761519). The next is thermald, whose several processes wrote about 5K times.
- Considering kernel as the source of this anomaly, we checked for a pattern in /var/log/syslog that is occurring regularly by:
  grep "kernel" /var/log/syslog | less
  and found one that was about UFW AUDIT, and it was very, very regularly writing in the log file.
- ufw will dump these messages if the LOGLEVEL is set as medium and more. To find the current value:
  $ grep -i "^loglevel" /etc/ufw/ufw.conf
  LOGLEVEL=full
  That's the source of the problem; to get rid of these regular messages it needs to be LOGLEVEL=low, which should be sufficient in most cases. From man ufw:
  low logs all blocked packets not matching the default policy
  (with rate limiting), as well as packets matching logged rules.
  Check the LOGGING section of man ufw to get more of an idea about ufw logging.
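The tally from the steps above, as an added example that is not part of the original answer: it streams the file through awk instead of opening it in a viewer, merges PIDs so that a program's several processes are counted together, and breaks the kernel lines down by ufw log prefix. The function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed for illustration.

# Lines per program tag (field 5), with PIDs merged: "thermald[812]:" -> "thermald".
top_writers() {
    awk '{ tag = $5; sub(/\[[0-9]+\]:?$/, "", tag); sub(/:$/, "", tag); n[tag]++ }
         END { for (t in n) print n[t], t }' "$1" | sort -rn
}

# Kernel lines per ufw log prefix, e.g. "[UFW AUDIT]" or "[UFW BLOCK]".
ufw_prefixes() {
    awk '$5 == "kernel:" && match($0, /\[UFW [A-Z ]+\]/) {
             n[substr($0, RSTART, RLENGTH)]++ }
         END { for (p in n) print n[p], p }' "$1" | sort -rn
}

# LOGLEVEL value from a ufw.conf-style file.
ufw_loglevel() {
    sed -n 's/^LOGLEVEL=//p' "$1"
}

# Constructed sample files standing in for /var/log/syslog and /etc/ufw/ufw.conf.
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
cat > "$sample_dir/syslog" <<'EOF'
Jun  1 10:00:01 host kernel: [  101.000001] [UFW AUDIT] IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP
Jun  1 10:00:01 host kernel: [  101.000002] [UFW AUDIT] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP
Jun  1 10:00:02 host thermald[812]: Sensor reading within limits
Jun  1 10:00:02 host kernel: [  102.000001] [UFW AUDIT] IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 PROTO=UDP
Jun  1 10:00:03 host kernel: [  103.000001] [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP
Jun  1 10:00:03 host thermald[813]: Sensor reading within limits
Jun  1 10:00:04 host CRON[2001]: (root) CMD (run-parts /etc/cron.hourly)
Jun  1 10:00:05 host kernel: [  105.000001] [UFW AUDIT] IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP
EOF
printf 'ENABLED=yes\nLOGLEVEL=full\n' > "$sample_dir/ufw.conf"

echo "Top writers:";  top_writers  "$sample_dir/syslog" | head -n 5
echo "ufw prefixes:"; ufw_prefixes "$sample_dir/syslog"
echo "ufw LOGLEVEL:"; ufw_loglevel "$sample_dir/ufw.conf"
```

On a real system, pass /var/log/syslog and /etc/ufw/ufw.conf to the functions in place of the sample files; reading syslog may require sudo or membership in the adm group.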
Solution 2:
Try less /var/log/syslog
Press shift-f to go to the end of file and monitor changes like tail -f /var/log/syslog
You should see your log file.
There must be some garbage in them or maybe size issues that are preventing the Syslog app from viewing them. So, rename it and try to open the Syslog app again. You should be able to see your new log file.