Which of the following files stores information about failed logins on a Linux system

Linux logs give you a visual history of everything that’s been happening in the heart of a Linux operating system. So, if anything goes wrong, they give a useful overview of events in order to help you, the administrator, seek out the culprits.

For problems relating to particular apps, the developer decides where best to put the log of events. So with Google Chrome for instance, any time it hangs, you want to look in ‘~/.chrome/Crash Reports’ to discover the gory details of what tripped the system up.

Linux log files should be easy to decipher since they’re stored in text form under the /var/log directory and subdirectory. They cover all kinds of things, like system, kernel, package managers, MySQL and more. But now, we’ll focus on system logs.

To access the system directory of a Linux or UNIX-style operating system you will need to tap in the cd command.

How can I check Linux logs?

You can look at Linux logs using the cd /var/log command. Type ls to bring up the logs in this directory. Syslog is one of the main ones that you want to be looking at because it keeps track of virtually everything, except auth-related messages.

You also use /var/log/syslog to scrutinise anything that’s under the syslog. But picking out one particular thing will take some time because it’s usually a pretty big file to wade through. Pressing Shift+G will take you all the way to the end, and you’ll know you’re there because you will see the word “END.”

You can also check logs using dmesg. This prints the kernel ring buffer, and the output ends with the most recent messages. You can then use the dmesg | less command to scroll through everything it has produced. If you’d like to see only the log entries for the user facility, use dmesg --facility=user.

Finally, there’s a super-handy command called tail, which lets you look over log files. It’s so useful because it just displays the last bit of the logs, which is often where you’ll find the source of the difficulty. Use tail /var/log/syslog or tail -f /var/log/syslog. With -f, tail keeps a close eye on the log file and displays every line written to it, which lets you check what’s being added to syslog in real time.

For a particular group of lines [say, the last five] type in tail -f -n 5 /var/log/syslog, and you’ll be able to see them. Use Ctrl+C to turn off the tail command.

Most Valuable Linux Logs Players

Most directories can be grouped under four headings:

  • Application Logs
  • Event Logs
  • Service Logs
  • System Logs

Checking each log is a really enormous task. So that’s why developers rely on log data checking tools like Retrace. Because they put APM and log management right at your fingertips. You have plenty of choice over what you want to monitor. But there’s little doubt that scrutinising the following should be considered essential.

What’s in these Linux Logs?

  • /var/log/syslog or /var/log/messages:
    Shows general messages and info regarding the system. Basically a data log of all activity throughout the global system. Know that everything that happens on Red Hat-based systems, like CentOS or RHEL, will go in messages, whereas for Ubuntu and other Debian systems it goes in syslog.
  • /var/log/auth.log or /var/log/secure:
    Keeps authentication logs for both successful and failed logins, and authentication processes. Storage depends on system type. For Debian/Ubuntu, look in /var/log/auth.log. For Red Hat/CentOS, go to /var/log/secure.
  • /var/log/boot.log: start-up messages and boot info.
  • /var/log/maillog or /var/log/mail.log: is for mail server logs, handy for postfix, smtpd, or other email-related services running on your server.
  • /var/log/kern: keeps kernel logs and warning info. Also useful to fix problems with custom kernels.
  • /var/log/dmesg: a repository for device driver messages. Use dmesg to see messages in this file.
  • /var/log/faillog: records info on failed logins. Hence, handy for examining potential security breaches like login credential hacks and brute-force attacks.
  • /var/log/cron: keeps a record of Crond-related messages [cron jobs]. Like when the cron daemon started a job.
  • /var/log/daemon.log: keeps track of running background services but doesn’t represent them graphically.
  • /var/log/btmp: keeps a note of all failed login attempts.
  • /var/log/utmp: current login state by user.
  • /var/log/wtmp: record of each login/logout.
  • /var/log/lastlog: holds every user’s last login. A binary file you can read via lastlog command.
  • /var/log/yum.log: holds data on any package installations that used the yum command. So you can check if all went well.
  • /var/log/httpd/: a directory containing error_log and access_log files of the Apache httpd daemon. Every error that httpd comes across is kept in the error_log file. Think of memory problems and other system-related errors. access_log logs all requests which come in via HTTP.
  • /var/log/mysqld.log or /var/log/mysql.log: MySQL log file that records every debug, failure and success message, including starting, stopping and restarting of the MySQL daemon mysqld. The system decides on the location. RedHat, CentOS, Fedora, and other RedHat-based systems use /var/log/mariadb/mariadb.log. However, Debian/Ubuntu use /var/log/mysql/error.log.
  • /var/log/pureftp.log: monitors for FTP connections using the pureftp process. Find data on every connection, FTP login, and authentication failure here.
  • /var/log/spooler: Usually contains nothing, except rare messages from USENET.
  • /var/log/xferlog: keeps FTP file transfer sessions. Includes info like file names and user-initiated FTP transfers.
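To go beyond just naming the files, here is an added example (not from the original article or from Plesk) of the kind of check an administrator runs against the authentication log once they know where failed logins live. It reads sshd "Failed password" lines, counts them per source address with awk, and flags sources that cross a threshold. The log lines below are constructed samples in the usual /var/log/auth.log format, not real records, and the function names are my own.

```shell
#!/bin/sh
# Constructed sample of /var/log/auth.log content (Debian/Ubuntu format).
# These lines are made up for the example; the addresses are documentation ranges.
SAMPLE_AUTH_LOG='Mar  3 10:01:12 host1 sshd[2231]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2
Mar  3 10:01:15 host1 sshd[2233]: Failed password for root from 203.0.113.5 port 51130 ssh2
Mar  3 10:01:20 host1 sshd[2235]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
Mar  3 10:02:01 host1 sshd[2240]: Failed password for root from 203.0.113.5 port 51140 ssh2
Mar  3 10:02:30 host1 sshd[2244]: Failed password for invalid user test from 192.0.2.9 port 60010 ssh2
Mar  3 10:03:00 host1 CRON[2250]: pam_unix(cron:session): session opened for user root by (uid=0)'

# failed_logins_by_source: reads auth.log text on stdin and prints
# "<count> <source address>" lines, most frequent source first.
# Only sshd "Failed password" lines are counted; accepted logins and
# unrelated daemons are ignored.
failed_logins_by_source() {
    grep 'sshd\[[0-9]*\]: Failed password for' |
    awk '{ for (i = 1; i <= NF; i++) if ($i == "from") ip[$(i+1)]++ }
         END { for (h in ip) printf "%d %s\n", ip[h], h }' |
    sort -rn
}

# sources_over_threshold N: reads auth.log text on stdin and prints
# each source address that produced at least N failed logins.
sources_over_threshold() {
    threshold="$1"
    failed_logins_by_source | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Usage on the constructed sample; on a live system you would pipe in
# the file instead, e.g.  sources_over_threshold 10 < /var/log/auth.log
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_logins_by_source
printf '%s\n' "$SAMPLE_AUTH_LOG" | sources_over_threshold 3
```

Note that this only covers the text log. The binary counterparts listed above (/var/log/btmp for failed attempts, /var/log/wtmp for logins and logouts) are read with lastb and last rather than grep, and /var/log/faillog with the faillog command.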

Does Plesk for Linux keep logs too?

Which of the following will show account aging information for a user such as the date of the last password change?

The chage command is used to modify user password expiry information. It enables you to view user account aging information, change the number of days between password changes and the date of the last password change.

Where are the files stored that contain information for all of the time zones that could be recognized by a Linux operating system?

Most Linux distributions keep their timezone information in the directory /usr/share/zoneinfo/. If you list the contents of this directory, you will see a bunch of region directories, such as "Americas" or "Africa". The root directory also contains some actual timezones such as "EST", "EDT", etc.

Which of the following is the first field of the ETC passwd?

The first field of /etc/passwd is the username. In the /etc/passwd format, the first line usually describes the root user, followed by the system and normal user accounts; new entries are appended at the end of the file.

Which of the following commands can be used to remove a group from a Linux system choose all that apply?

In Linux, you can remove groups using the groupdel command.
