How To Understand Linux Logs.

Linux logs provide a timeline of events for the Linux operating system, applications, and system and are a valuable troubleshooting tool when you encounter issues. When issues arise, analyzing log files is the first thing an administrator needs to do.

How can Linux Logs Help?

Troubleshooting

When something goes wrong on a Linux system, logs can help pinpoint the issue. By examining system logs, application logs, and service logs, it’s possible to identify errors, warnings, and other messages that indicate what went wrong.

Diagnosing Performance Issues

System logs can help identify performance issues like memory leaks or disk I/O bottlenecks. Examining application logs can also help identify performance issues with specific applications.

Monitoring System Health

Linux logs can be used to monitor system health and detect issues before they become critical. By monitoring system logs, administrators can identify trends and patterns that could indicate a problem is brewing.

Compliance and Auditing

Many organizations are required to maintain logs for compliance and auditing purposes. Linux logs can help organizations meet these requirements by providing a record of system activity.

Security

Linux logs are an essential tool for monitoring and detecting security issues. System logs can be used to detect unauthorized access attempts, while application logs can help identify suspicious activity within specific applications. By monitoring logs, administrators can quickly identify and respond to security incidents.

Where to find Linux Logs?

For desktop app-specific issues, log files are written to different locations. Where a desktop application writes logs depends on the developer and whether or not the app allows for custom log configuration. Chrome, for example, writes crash reports to ‘~/.chrome/Crash Reports’.

Linux log files are stored in plain-text and can be found in the /var/log directory and subdirectory. There are Linux logs for everything: system, kernel, package managers, boot processes, Xorg, Apache, MySQL, etc. In this article, we will focus specifically on Linux system logs.

First things first, you can change to this directory using the cd command. You also need to be the root user to view or access log files on Linux or Unix-like operating systems.

Most Important Linux Logs

Linux logs can be classified into different types based on the source or purpose of the log. Here are four common types of Linux logs:

System Logs

These logs contain information about the system’s operation, such as boot messages, kernel messages, and hardware events. System logs are essential for troubleshooting system issues, and monitoring system performance.

Application Logs

These logs contain information about the behavior of an application, including errors, warnings, and other messages. Application logs are used to diagnose problems with applications and to analyze application performance.

Service Logs

These logs contain information about services running on the system, including network services and daemons. Service logs are used to monitor service activity, and optimize service performance.

Event Logs

These logs contain information about events on the system, such as user logins, system shutdowns, and security events. Event logs are used to audit system activity, track user activity, and investigate security incidents.

Critical, Must Monitor Logs

/var/log/kern

Stores Kernel logs and warning data. This log is valuable for troubleshooting custom kernels as well.

/var/log/dmesg

Messages relating to device drivers. The command dmesg can be used to view messages in this file.

/var/log/cron

Stores all Crond-related messages (cron jobs), such as when the cron daemon initiated a job, related failure messages, etc.

/var/log/yum.log

If you install packages using the yum command, this log stores all related information, which can be useful in determining whether a package and all components were correctly installed.

/var/log/faillog

Contains information all failed login attempts, which is useful for gaining insights on attempted security breaches, such as those attempting to hack login credentials as well as brute-force attacks.

/var/log/syslog or /var/log/messages

General messages, as well as system-related information. Essentially, this log stores all activity data across the global system. Note that activity for Redhat-based systems, such as CentOS or Rhel, are stored in messages, while Ubuntu and other Debian-based systems are stored in Syslog.

/var/log/auth.log or /var/log/secure

Stores authentication logs, including both successful and failed logins and authentication methods. Again, the system type dictates where authentication logs are stored; Debian/Ubuntu information is stored in /var/log/auth.log, while Redhat/CentrOS is stored in /var/log/secure.

/var/log/boot.log

A repository of all information related to booting and any messages logged during startup.

/var/log/maillog or var/log/mail.log

Stores all logs related to mail servers, useful when you need information about postfix, smtpd, or any email-related services running on your server.

/var/log/httpd/

A directory containing error_log and access_log files of the Apache httpd daemon. The error_log contains all errors encountered by httpd. These errors include memory issues and other system-related errors. access_log contains a record of all requests received over HTTP.

/var/log/mysqld.log or /var/log/mysql.log

MySQL log file that logs all debug, failure and success messages. Contains information about the starting, stopping and restarting of MySQL daemon mysqld. This is another instance where the system dictates the directory; RedHat, CentOS, Fedora, and other RedHat-based systems use /var/log/mysqld.log, while Debian/Ubuntu use the /var/log/mysql.log directory.

/var/log/utmp

Current login state, by user

/var/log/wtmp

Login/logout history

/var/log/daemon.log

Tracks services running in the background that perform important tasks, but has no graphical output

/var/log/btmp

Recordings of failed login attempts

/var/log/pureftp.log

Runs the pureftp process that listens for FTP connections. All connections, FTP logins, and authentication failures get logged here

/var/log/spooler

Rarely used and often empty. When used, it contains messages from USENET

/var/log/lastlog

Information about the last logins for all users. This binary file can be read by command lastlog.

/var/log/xferlog

Contains all FTP file transfer sessions, including information about the file name and user initiating FTP transfers