This post is for those who want to understand how Linux logging is laid out, or who spend a lot of time reading logs to work out what happened on a system.
For them it is vital to know which logs exist and what information each one can give.
Most logs on a Linux system live under /var/log.
Below is a list, with a brief description of what each file holds and why it is useful.
While your system is running normally, look through these logs and get familiar with what they contain and how it might be useful to you.
That familiarity pays off when something goes wrong: in a crisis you will already know where to look and what normal looks like.
- /var/log/messages – Global system messages, including startup messages. Collects entries from several facilities (mail, cron, daemon, kern, auth, etc.) that are not diverted to a more specific file. (Red Hat based systems; Debian based systems use /var/log/syslog for the same role.)
- /var/log/dmesg – Kernel ring buffer messages captured at boot. As the system starts, the kernel prints messages about the hardware it detects; those messages live in a fixed-size ring buffer, so once it fills up the oldest entries are overwritten by new ones. The dmesg command shows the live contents of the ring buffer.
- /var/log/auth.log – System authorisation information, including user logins and the authentication mechanism that was used. (Debian based systems; Red Hat based systems use /var/log/secure.)
- /var/log/boot.log – Messages logged while the system boots.
- /var/log/daemon.log – Messages logged by the various background daemons running on the system.
- /var/log/dpkg.log – Records every package installed, upgraded or removed with the package manager. (Debian based systems)
- /var/log/kern.log – Messages logged by the kernel. Useful when troubleshooting a custom-built kernel, and for spotting hardware errors and module loads.
- /var/log/lastlog – The most recent login of every user. This is a binary file, not ASCII; use the lastlog command to read it.
- /var/log/maillog or /var/log/mail.log – Log output from the mail server running on the system (Red Hat based systems use maillog, Debian based systems mail.log). Sendmail, for example, records every message it relays or forwards here.
- /var/log/user.log – Messages logged at the user facility by user-level programs.
- /var/log/Xorg.N.log – Messages from the X server, where N is the display number (usually Xorg.0.log).
- /var/log/alternatives.log – Actions of update-alternatives, which on Debian based systems maintains the symbolic links that determine which program a generic command name points to.
- /var/log/btmp – Failed login attempts. This is a binary file; read it with the lastb command, or with "last -f /var/log/btmp | more".
- /var/log/cups/ – Printer and printing related messages from CUPS.
- /var/log/anaconda.log – Messages from the Anaconda installer, recorded when the system was installed. (Red Hat based systems)
- /var/log/yum.log – Packages installed, updated or removed with yum. (Red Hat based systems)
- /var/log/cron – Whenever the cron daemon (or anacron) starts a job, it records the job here.
- /var/log/secure – Authentication and authorisation messages on Red Hat based systems. sshd logs here, for instance, including unsuccessful logins; sudo and su record privilege use here as well.
- /var/log/wtmp and /var/run/utmp – Login records. wtmp is the history of every login, logout and reboot; the last command reads it. utmp holds the sessions currently logged in; the who and w commands read it. Both are binary files.
- /var/log/faillog – Per-user counts of failed login attempts. Use the faillog command to display it.
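As an added example (not part of the original post), here is the kind of triage I run over /var/log/auth.log or /var/log/secure: counting failed SSH logins per source address, picking out the addresses above a threshold, listing the logins that succeeded, and pulling out sudo activity. The log lines are constructed for this post in the format sshd, CRON and sudo actually write; the function names, the threshold, the host name web01 and the addresses are my own choices.

```shell
#!/bin/sh
# Added example: triage of sshd/sudo events from /var/log/auth.log (Debian) or
# /var/log/secure (Red Hat). Every function reads log lines on stdin, so on a
# live host you would run e.g.  failed_logins_by_ip < /var/log/auth.log

# Constructed sample lines, not taken from a real system.
sample_auth_log() {
  cat <<'EOF'
Mar  3 10:01:12 web01 sshd[2143]: Failed password for invalid user admin from 203.0.113.7 port 51822 ssh2
Mar  3 10:01:15 web01 sshd[2145]: Failed password for root from 203.0.113.7 port 51830 ssh2
Mar  3 10:01:19 web01 sshd[2147]: Failed password for root from 203.0.113.7 port 51841 ssh2
Mar  3 10:01:23 web01 sshd[2149]: Failed password for invalid user oracle from 203.0.113.7 port 51852 ssh2
Mar  3 10:02:01 web01 CRON[2150]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar  3 10:05:44 web01 sshd[2201]: Failed password for alice from 198.51.100.23 port 40112 ssh2
Mar  3 10:05:51 web01 sshd[2201]: Accepted password for alice from 198.51.100.23 port 40112 ssh2
Mar  3 10:07:02 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Mar  3 10:09:30 web01 sshd[2260]: Accepted publickey for deploy from 192.0.2.44 port 60213 ssh2: ED25519 SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
EOF
}

# Count "Failed password" events per source address, most frequent first.
# Output lines look like "<count> <address>".
failed_logins_by_ip() {
  awk '/sshd\[[0-9]+\]: Failed password/ {
         for (i = 1; i <= NF; i++) if ($i == "from") ip[$(i + 1)]++
       }
       END { for (a in ip) printf "%d %s\n", ip[a], a }' | sort -rn
}

# Addresses with at least $1 failures: candidates for a password-guessing source.
brute_force_sources() {
  failed_logins_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# Every successful sshd login as "<user> <method> <address>". A success that
# follows a burst of failures from the same address deserves a closer look.
accepted_logins() {
  awk '/sshd\[[0-9]+\]: Accepted/ {
         for (i = 1; i <= NF; i++) {
           if ($i == "Accepted") { method = $(i + 1); user = $(i + 3) }
           if ($i == "from")     { src = $(i + 1) }
         }
         printf "%s %s %s\n", user, method, src
       }'
}

# Privilege use through sudo as "<user> as <target>: <command>".
sudo_commands() {
  awk '/ sudo: / {
         for (i = 1; i <= NF; i++) if ($i ~ /^USER=/) target = substr($i, 6)
         cmd = substr($0, index($0, "COMMAND=") + 8)
         printf "%s as %s: %s\n", $6, target, cmd
       }'
}

# Usage on the constructed sample:
sample_auth_log | brute_force_sources 3   # prints 203.0.113.7
sample_auth_log | accepted_logins
sample_auth_log | sudo_commands
```

The threshold is deliberately a parameter: four failures in twelve seconds from one address is a scanner, while one failure followed by a success from the same address (alice above) is usually a typo, and only the combination of failures, a later success and a sudo session from the same source should trigger a closer look. On a real host, confirm the timestamps against the btmp and wtmp records with lastb and last, since an intruder with root can trim the text logs but rarely bothers with all of them.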
What goes into many of these files is controlled by rsyslog, according to the rules in its configuration file, /etc/rsyslog.conf (and, on most distributions, the fragments under /etc/rsyslog.d/).
Open that file and you will see each destination file together with the selector that decides what it receives.
The same mechanism can forward logs to a remote host. That is worth doing on any machine you care about: an attacker who gains root can edit or delete the local files, but cannot retract what has already been shipped elsewhere.
A selector has the form facility.priority, and the priority is a threshold: *.info means that messages of priority info or more severe, from every facility, are logged by that rule.
The special priority none excludes a facility. In the usual line "*.info;mail.none;authpriv.none;cron.none /var/log/messages", the mail, authpriv and cron messages are kept out of /var/log/messages because they have files of their own.
*.none would exclude every message from the rule.
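Added example, not from the original post: a constructed rsyslog.conf fragment in the selector syntax just described, together with a small shell reimplementation of the selector rules so you can check which targets a given facility.priority reaches before touching the real /etc/rsyslog.conf. The file names, the host loghost.example.net and the function names are assumptions made for the example; the routing rules themselves (priority as a threshold, none, =, and later selectors overriding earlier ones for the same facility) are rsyslog's.

```shell
#!/bin/sh
# Added example: how rsyslog selectors route a message. The configuration
# fragment is constructed for this post; selector_matches reimplements the
# facility.priority rules in shell so the routing can be tested offline.
set -f   # selectors contain '*'; stop the shell from expanding it as a glob

# A small rsyslog.conf in the classic selector syntax (constructed example).
# A leading '-' on a file means buffered writes; '@@host:port' forwards over TCP
# ('@host' would be UDP); ':omusrmsg:*' writes to every logged-in user.
example_rsyslog_conf() {
  cat <<'EOF'
*.info;mail.none;authpriv.none;cron.none   /var/log/messages
authpriv.*                                 /var/log/secure
mail.*                                     -/var/log/maillog
cron.*                                     /var/log/cron
*.emerg                                    :omusrmsg:*
*.*                                        @@loghost.example.net:514
EOF
}

# Numeric syslog priority; lower is more severe. Unknown names sort last.
prio_num() {
  case "$1" in
    emerg|panic) echo 0 ;;  alert) echo 1 ;;  crit) echo 2 ;;  err|error) echo 3 ;;
    warning|warn) echo 4 ;; notice) echo 5 ;; info) echo 6 ;;  debug) echo 7 ;;
    *) echo 99 ;;
  esac
}

# selector_matches FACILITY PRIORITY SELECTORS
# Succeeds if a message of FACILITY.PRIORITY is selected by the ';'-separated
# selector list. Rules: a priority is a threshold (that level and more severe),
# '=prio' means exactly that level, 'none' drops the facility, '*' matches all,
# and later selectors override earlier ones for the same facility.
selector_matches() {
  fac=$1; pri=$2; matched=1
  mp=$(prio_num "$pri")
  for sel in $(printf '%s' "$3" | tr ';' ' '); do
    facs=${sel%%.*}; spec=${sel#*.}
    for f in $(printf '%s' "$facs" | tr ',' ' '); do
      [ "$f" = "*" ] || [ "$f" = "$fac" ] || continue
      case "$spec" in
        none) matched=1 ;;
        '*')  matched=0 ;;
        =*)   if [ "$mp" -eq "$(prio_num "${spec#=}")" ]; then matched=0; else matched=1; fi ;;
        *)    if [ "$mp" -le "$(prio_num "$spec")" ]; then matched=0; else matched=1; fi ;;
      esac
    done
  done
  return $matched
}

# route_message FACILITY PRIORITY: print the action of every rule that fires.
route_message() {
  example_rsyslog_conf | grep -v '^#' | while read -r selectors action; do
    [ -n "$selectors" ] || continue
    selector_matches "$1" "$2" "$selectors" && printf '%s\n' "$action"
  done
}

route_message cron info    # /var/log/cron and the remote host, not /var/log/messages
route_message kern emerg   # /var/log/messages, every user's terminal, and the remote host
```

The last rule is the one that matters for incident response: with "*.* @@loghost.example.net:514" every message also leaves the box, so a later "rm /var/log/secure" on a compromised host does not erase the evidence. The shell model skips the "!" negation form of a selector and the newer RainerScript syntax; for those, read the rsyslog.conf manual page.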
Other logs appear in this directory depending on the applications running on the host.
This is a short selection of the ones I have used most, based on my experience.
- /var/log/httpd/ or /var/log/apache2/ – The Apache web server's access_log and error_log (Red Hat and Debian naming respectively).
- /var/log/lighttpd/ – The lighttpd access and error logs.
- /var/log/mail/ – Further logs from the mail server. Sendmail, for example, keeps its collected mail statistics in /var/log/mail/statistics.
- /var/log/audit/ – Events recorded by the Linux audit daemon (auditd) in audit.log. Query it with ausearch and aureport rather than grep: one event is made up of several records that share an event id, and the tools join them for you.
- /var/log/setroubleshoot/ – SELinux uses setroubleshootd (the SE troubleshoot daemon) to explain denials caused by file security contexts; its analyses are logged here.
- /var/log/samba/ – Logs from Samba, which provides Windows-compatible file and print sharing from Linux.
- /var/log/sa/ – The daily sar data files collected by the sysstat package.
- /var/log/sssd/ – Logs from the System Security Services Daemon (sssd), which manages access to remote directories and authentication providers such as LDAP, Active Directory and Kerberos.