Linux logs – All things in moderation

Linux logs

Introduction

Log files are the records that Linux stores so that administrators can keep track of and monitor important events about the server, the kernel, and the services and applications running on it. In this post, we’ll go through an overview of logging in Linux.

Linux Log Files

Linux provides a centralized repository of log files, located under the /var/log directory.
The log files generated in a Linux environment can typically be classified into four categories:

  • Application Logs
  • Event Logs
  • Service Logs
  • System Logs

There are many log files in the categories above, so I will introduce some of the most critical Linux log files you need to be concerned with. Remember that all log files mentioned below are stored under /var/log.

1. messages

This log file contains generic system activity logs. On Debian-based systems, the /var/log/syslog file serves the same purpose.
How can I use these logs?

Here you can track non-kernel boot errors, application-related service errors, and the messages that are logged during system startup.

2. auth.log

All authentication related events in Debian and Ubuntu server are logged here.
How can I use these logs?

Suspect that there might have been a security breach on your server? Notice a suspicious JavaScript file where it shouldn’t be? If so, then check this log file asap! You can use it to investigate failed login attempts, brute-force attacks and other problems related to the user authorization mechanisms.

3. secure

RedHat and CentOS based systems use this log file instead of /var/log/auth.log. It is mainly used to track the usage of authorization systems. It stores all security related messages, including authentication failures. It also tracks sudo logins, SSH logins and other errors logged by the system security services daemon (SSSD).

How can I use these logs?

All user authentication events are logged here. This log file can provide detailed insight about unauthorized or failed login attempts, which can be very useful to detect possible hacking attempts. It also stores information about successful logins and tracks the activities of valid users.

4. boot.log

This is the repository of booting related information and messages logged during the system startup process.

How can I use these logs?

The system initialization script, /etc/init.d/bootmisc.sh, sends all bootup messages to this log file. You should analyze this log file to investigate issues related to improper shutdown, unplanned reboots or booting failures. This log file can be useful to determine the duration of system downtime caused by an unexpected shutdown.

5. dmesg

This log file contains kernel ring buffer messages. Information related to hardware devices and their drivers is logged here. As the kernel detects the physical hardware devices attached to the server during the boot process, it captures the device status, hardware errors and other generic messages.

How can I use these logs?

This log file is useful mostly for users of dedicated (physical) servers. If a piece of hardware is functioning improperly or is not being detected, you can rely on this log file to troubleshoot the issue.

6. kern.log

This is a very important log file as it contains information logged by the kernel.

How can I use these logs?

To troubleshoot kernel related errors and warnings, this is the place to look. Kernel logs can be helpful when troubleshooting a custom-built kernel. They can also come in handy when debugging hardware and connectivity issues.

7. faillog

This file contains information on failed login attempts.

How can I use these logs?

It can be a useful log file for finding attempted security breaches involving username/password guessing and brute-force attacks.
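The auth.log, secure and faillog sections above all come down to the same question: which source addresses are repeatedly failing to authenticate, and did any of them later succeed? The script below is an added example, not code from the original post. It reads sshd lines in the format written by OpenSSH to auth.log (Debian/Ubuntu) or secure (RHEL/CentOS), counts "Failed password" lines per source address, flags addresses over a threshold, and lists successful logins so a flagged address can be cross-checked. The log text, host name, user names and addresses are constructed sample data.

```shell
#!/bin/sh
# Added example (not code from the original post): summarise failed SSH
# logins from auth.log / secure style lines and flag source addresses that
# cross a threshold. The log text below is constructed sample data.

SAMPLE_AUTH_LOG='Mar  3 10:01:12 host sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:01:14 host sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Mar  3 10:01:16 host sshd[2105]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar  3 10:01:19 host sshd[2107]: Failed password for root from 203.0.113.5 port 51244 ssh2
Mar  3 10:02:02 host sshd[2110]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2: ED25519 SHA256:PLACEHOLDERFINGERPRINT
Mar  3 10:02:40 host sshd[2115]: Failed password for bob from 198.51.100.9 port 40112 ssh2
Mar  3 10:03:00 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/less /var/log/auth.log'

# failed_by_source: read log text on stdin and print "<count> <ip>" for each
# source address with at least one "Failed password" line, most frequent first.
failed_by_source() {
    grep 'sshd\[[0-9]*\]: Failed password' |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' |
        sort | uniq -c | sort -rn |
        awk '{ print $1, $2 }'
}

# flag_brute_force THRESHOLD: print the addresses whose failure count is at
# least THRESHOLD. The threshold is a tuning choice, not a fixed rule.
flag_brute_force() {
    failed_by_source | awk -v t="$1" '$1 >= t { print $2 }'
}

# accepted_logins: print "<user> <ip>" for each successful login, so that a
# flagged address can be checked for a later successful login as well.
accepted_logins() {
    grep 'sshd\[[0-9]*\]: Accepted' |
        awk '{ for (i = 1; i <= NF; i++) {
                   if ($i == "for") u = $(i + 1)
                   else if ($i == "from") print u, $(i + 1)
               } }'
}

# Stand-alone run against the sample; on a real host replace the printf with
#   cat /var/log/auth.log   (Debian/Ubuntu)  or  cat /var/log/secure   (RHEL/CentOS)
printf '%s\n' "$SAMPLE_AUTH_LOG" | flag_brute_force 3
```

With the sample data, flag_brute_force 3 prints only 203.0.113.5 (four failures), while 198.51.100.9 with a single failure stays below the threshold. On a busy host you would normally pipe `tail -f` of the live file into the same functions, or run them over the rotated copies, and pair any flagged address with the output of accepted_logins before deciding it was only noise.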

8. cron

This log file records information on cron jobs.

How can I use these logs?

Whenever a cron job runs, this log file records all relevant information, including successful execution and error messages in case of failure. So if you’re having problems with a scheduled cron job, check this log file.

9. yum.log

It contains the information logged when a new package is installed using the yum command.

How can I use these logs?

This log file tracks the installation of system components and software packages. You can check out the messages logged here to know whether a package was correctly installed or not. It can also help you troubleshoot issues related to software installations.

10. maillog or mail.log

All mail server related logs are stored here.

How can I use these logs?

This is the log file where you can find information about postfix, smtpd, MailScanner, SpamAssassin or any other email related services running on the mail server. If you want to track all the emails that were sent or received during a particular period, this is the place to look.

11. httpd

This directory contains the logs recorded by the Apache server. Apache logging information is stored in two different log files: error_log and access_log.

How can I use these logs?

error_log contains messages related to httpd errors, and access_log contains all requests received over HTTP.
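Because access_log records every request, the first thing a practitioner usually wants from it is a breakdown by HTTP status and a list of clients generating many 404s. The script below is an added example, not code from the original post. It assumes Apache's default Common/Combined Log Format, in which, when a line is split on whitespace, the client address is field 1 and the status code is field 9. The log lines, addresses and paths are constructed sample data.

```shell
#!/bin/sh
# Added example (not code from the original post): summarise an Apache
# access_log in the default Common/Combined Log Format by HTTP status class
# and list clients producing many 404 responses. The log text below is
# constructed sample data; the paths and addresses are not from a real server.

SAMPLE_ACCESS_LOG='203.0.113.5 - - [03/Mar/2024:10:05:01 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
203.0.113.5 - - [03/Mar/2024:10:05:02 +0000] "GET /admin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.5 - - [03/Mar/2024:10:05:02 +0000] "GET /old/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.5 - - [03/Mar/2024:10:05:03 +0000] "GET /backup/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.7 - alice [03/Mar/2024:10:06:10 +0000] "POST /upload HTTP/1.1" 200 53 "-" "curl/8.0"
198.51.100.9 - - [03/Mar/2024:10:07:44 +0000] "GET /index.html HTTP/1.1" 304 0 "-" "Mozilla/5.0"'

# Field layout when a CLF line is split on whitespace:
#   $1 client  $2 ident  $3 user  $4 [date  $5 tz]  $6 "method  $7 path
#   $8 proto"  $9 status  $10 bytes  (referer and user agent follow in Combined)

# status_summary: read log text on stdin and print "<class> <count>"
# for each status class seen (2xx, 3xx, 4xx, 5xx), sorted.
status_summary() {
    awk '{ c = substr($9, 1, 1) "xx"; n[c]++ } END { for (c in n) print c, n[c] }' | sort
}

# not_found_by_client THRESHOLD: print "<ip> <count>" for clients with at
# least THRESHOLD 404 responses. A burst of 404s from one client is a common
# sign of probing for paths that do not exist on the server.
not_found_by_client() {
    awk -v t="$1" '$9 == 404 { n[$1]++ } END { for (ip in n) if (n[ip] >= t) print ip, n[ip] }' | sort
}

# Stand-alone run against the sample; on a real host replace the printf with
#   cat /var/log/httpd/access_log
printf '%s\n' "$SAMPLE_ACCESS_LOG" | status_summary
printf '%s\n' "$SAMPLE_ACCESS_LOG" | not_found_by_client 3
```

With the sample data, status_summary reports two 2xx, one 3xx and three 4xx responses, and not_found_by_client 3 reports 203.0.113.5 with three 404s. If your Apache uses a custom LogFormat, the field numbers in the awk programs have to be adjusted to match it.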

12. mysqld.log or mysql.log

As the name suggests, this is the MySQL log file.

How can I use these logs?

Problems encountered while starting, running, or stopping mysqld can be found in this log file.

Viewing logs from the command line

There are numerous ways in which you can view your system logs, all quite simply executed from the command line.

less
Example:

less /var/log/auth.log

This command opens auth.log in a pager, starting at the top of the file.

dmesg

The dmesg command prints the kernel ring buffer.

tail
Example:

tail -f /var/log/syslog

The above command follows syslog, printing new lines as they are appended to the file.

Linux Logs Management Tools

There are many log management tools out there, both free and paid, so the choice depends on your purpose. Here is the list I recommend:

  • Splunk
  • LogRhythm
  • Fluentd
  • Graylog
  • Logstash
  • rsyslog

Conclusion

Monitoring and analyzing all the log files generated by the system can be a difficult task, but it is important for making sure your system is safe and has no problems. A centralized log monitoring tool is a good way to solve this problem.
