Linux logs offer developers and system administrators a detailed account of all events, requests, and activity on the server. Log files can be used to monitor critical events in the kernel, the server, and for any services or applications actively running.
Server administrators can review comprehensive diagnostic information about performance, ranging from kernel events to user actions. In this post, we’re going to talk about Linux logs, what they are, why they’re important, and focus on the most important Linux logs.
What Are Linux Logs?
A Linux log is simply a file that records specific information relating to events, applications, and the kernel. When you face an issue, these files can prove to be a critically important tool for troubleshooting.
In case of a problem, administrators can simply analyze these files to determine and create a timeline for the series of events that occurred, and which eventually led to the problem.
Linux logs are generally stored in plain text and are available in the /var/log directory. Linux logs can be found for virtually everything, including boot processes, package managers, kernel, Apache, MySQL, and others.
The Most Important Linux Logs
Broadly speaking, Linux logs can be categorized under the four main headings:
- Application Logs
- System Logs
- Service Logs
- Event Logs
Since Linux logs are generally stored in plain text files, sifting through each one is incredibly difficult. That’s one of the main reasons why developers often prefer using different tools, such as log file viewers. Examples of these include Logmaster or MultiTail.
But as a system administrator, there are some Linux logs that really demand your attention. Here are the ones that you should definitely know about.
Application Logs
- /var/log/syslog
This is a simple Linux log that shows you general information regarding system performance. Essentially, this log shows all the activity that has occurred in the system. This is the same as /var/log/messages, and shows you a generic log of all system activity.
All non-critical and informational messages are shown here. On Debian-based systems, you will use /var/log/syslog; on Red Hat-based systems, such as RHEL, you will use /var/log/messages.
How to use /var/log/syslog
These Linux logs let you track any errors related to application services or any other messages that are logged when the system boots up. Commonly, this is often the first Linux log that administrators look at when something goes wrong.
It gives you a basic understanding of any errors, so in case an issue was detected during system startup, administrators can simply go through these messages to find out what went wrong.
- /var/log/maillog
These Linux logs are used for storing information relating to mail servers. This is quite handy for any email-related services that are active on your server. It is also useful for postfix or for the SMTP daemon process.
How to use /var/log/maillog
If you’re running email-centric services such as MailScanner, you can find information related to them. With these logs, you can also track all incoming or outgoing emails within a defined period.
In any situation where mail delivery has failed, simply refer to the logs to find out why. More importantly, these Linux log files will also give you information about the origins of incoming emails. If there were any spamming attempts detected and blocked by the server, you can find these in the log files too.
- /var/log/yum.log
If you have any packages installed that utilize the yum command, information related to those will be found in these Linux logs. This can be useful for determining if everything went well.
How to use /var/log/yum.log
You can see Linux logs that confirm whether packages were installed correctly or not, including information about other software and system components that have been installed.
In case a software package was not installed correctly, you can find information related to that in these logs. These logs will help you identify any malfunctions and correct them by identifying the underlying issue.
System Logs
- /var/log/boot.log
These Linux logs contain startup messages and information pertaining to the boot. This includes the initialization script, which sends all bootup information to the log file.
Think of this as a comprehensive log file that offers detailed information about the server startup process, including all messages that are logged as the server starts up.
How to use /var/log/boot.log
In case there were issues with startup or shutdown, you will find relevant information here. This also includes information relating to any boot failures or random restarts.
These Linux logs are generally useful for determining issues related to system downtime, especially if the server experienced random shutdowns.
- /var/log/dmesg
Another way to view Linux logs is dmesg. This shows you all Kernel ring buffer messages, including information that relates to any hardware components and their drivers.
The kernel is capable of detecting physical hardware devices that are connected to the server as it boots up, which is why it is capable of logging hardware errors or the general status of these components. It also includes other general logs.
How to use /var/log/dmesg
If there’s an issue with a certain piece of hardware connected to the server, you can check the dmesg logs to determine the problem and fix it. It’s great for server management, as these logs are mainly for dedicated server customers.
- /var/log/mysqld.log
Finally, this is the MySQL log file. All messages related to debugging, failure, or success of the MySQL daemon are logged here.
If you’re running Red Hat or Fedora distros, you will find this file at /var/log/mysqld.log. For Ubuntu or Debian distros, look for /var/log/mysql.log instead.
How to use /var/log/mysqld.log
Any issues related to running or halting mysqld can be found here, so use these logs to determine what’s wrong and make changes. You can also glean valuable information about client connections to the MySQL directory using these logs.
Service Logs
- /var/log/auth.log
The auth.log generally stores Linux logs associated with authentication and includes information for both failed and successful logins. Again, for Debian or Ubuntu-based systems, you can find the relevant Linux logs in /var/log/auth.log.
But for Red Hat or CentOS distros, you will find them under /var/log/secure. All relevant information regarding the user authentication process can be found here.
How to use /var/log/auth.log
If you feel that there might have been a security breach on the servers, you may want to check these logs to determine successful or failed logins. Server administrators generally keep a watchful eye and instantly become suspicious if they notice a JavaScript file out of place or anything that doesn’t make sense.
With these logs, you can quickly and efficiently analyze any suspicious activity, including failed login attempts. Since it records all activity related to user authentication, you can easily figure out if your server was the target of a brute force attack.
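As an added example (not part of the original post), the shell functions below do the brute-force check described above against a constructed auth.log excerpt: they count failed password attempts per source IP, flag any IP at or above a threshold, and list the non-existent usernames that were tried. The log lines and IP addresses are sample data, and the sshd message format assumed is the standard "Failed password for ... from <ip> port <port>" wording.

```shell
#!/bin/sh
# Constructed auth.log excerpt (sample data, not taken from a real server).
SAMPLE_AUTH_LOG=$(mktemp)
cat > "$SAMPLE_AUTH_LOG" <<'EOF'
Mar  3 08:01:12 web1 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51522 ssh2
Mar  3 08:01:15 web1 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51522 ssh2
Mar  3 08:01:19 web1 sshd[2235]: Failed password for root from 203.0.113.7 port 51530 ssh2
Mar  3 08:01:22 web1 sshd[2235]: Failed password for root from 203.0.113.7 port 51530 ssh2
Mar  3 08:02:01 web1 sshd[2240]: Accepted publickey for deploy from 198.51.100.20 port 40210 ssh2
Mar  3 08:02:40 web1 sshd[2244]: Failed password for alice from 198.51.100.31 port 40222 ssh2
Mar  3 08:02:44 web1 sshd[2244]: Accepted password for alice from 198.51.100.31 port 40222 ssh2
Mar  3 08:03:05 web1 sshd[2250]: Failed password for invalid user test from 203.0.113.7 port 51544 ssh2
EOF

# Print "count ip" for every source IP with failed password attempts,
# most attempts first. $1 is the path to an auth.log-style file.
failed_logins_by_ip() {
    grep 'sshd\[[0-9]*\]: Failed password' "$1" \
        | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{print $1, $2}'
}

# Print only the IPs whose failure count reaches the threshold in $2.
brute_force_suspects() {
    failed_logins_by_ip "$1" | awk -v t="$2" '$1 >= t {print $2}'
}

# Usernames that were tried but do not exist on the host: a typical
# sign of a dictionary attack rather than a user mistyping a password.
invalid_users_tried() {
    sed -n 's/.*Failed password for invalid user \([^ ]*\) from.*/\1/p' "$1" | sort -u
}

# Stand-alone run: show the per-IP table, then anything over 3 failures.
failed_logins_by_ip "$SAMPLE_AUTH_LOG"
brute_force_suspects "$SAMPLE_AUTH_LOG" 3
```

On a live system point the functions at /var/log/auth.log (or /var/log/secure) instead of the sample file; a single user mistyping once, like alice above, stays below the threshold while the scanning host does not.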
- /var/log/cron
This log stores all messages related to cron jobs, including the time when the cron daemon began a job, any relevant failure messages, or other status information.
How to use /var/log/cron
Every time a cron job is executed, these Linux logs are used to maintain detailed information, including any error messages or issues relating to the successful execution. If your scheduled cron isn’t running properly, you might want to review these logs.
Event Logs
- /var/log/faillog
The /var/log/faillog records all relevant information related to failed logins. This is very handy for homing in on any security breaches. It’s similar to the one above, but instead of showing both successful and unsuccessful logins, it only returns failed logins.
How to use /var/log/faillog
If you feel that your server was targeted in a username or password hack, these Linux logs will give you comprehensive information about any such activity.
- /var/log/httpd
This is a directory of Linux logs that contain access_log and error_log files associated with the Apache server. The information is stored in two different log files, with errors kept in the error_log file and memory issues related to requests via HTTP stored in access_log.
How to use /var/log/httpd
You can view all errors related to http daemon access using the error_log file, including any system-specific problems. More importantly, the Apache server records events and errors here that occur during http request processing.
In case you experience an issue with your Apache web server, you can check the logs to determine the issue. In addition, the logs also contain the IP addresses and user IDs of all clients that make a connection request.
It also contains information about the status of all server requests, including those that were successful or ones that failed.
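As an added example (not part of the original post), the functions below summarize a constructed access_log excerpt in Apache's Common Log Format: request counts per status code, source IPs that rack up 4xx/5xx responses (a common sign of probing for files that do not exist), and the clients whose requests carried a user ID. The log lines, paths and IPs are sample data; the field positions assumed are those of the default CLF line (client IP, ident, user, timestamp, request, status, bytes).

```shell
#!/bin/sh
# Constructed Apache access_log excerpt in Common Log Format (sample data).
SAMPLE_ACCESS_LOG=$(mktemp)
cat > "$SAMPLE_ACCESS_LOG" <<'EOF'
203.0.113.7 - - [03/Mar/2024:08:10:01 +0000] "GET /admin/ HTTP/1.1" 404 196
203.0.113.7 - - [03/Mar/2024:08:10:02 +0000] "GET /old/ HTTP/1.1" 404 196
203.0.113.7 - - [03/Mar/2024:08:10:03 +0000] "GET /backup/ HTTP/1.1" 404 196
198.51.100.20 - - [03/Mar/2024:08:10:05 +0000] "GET / HTTP/1.1" 200 5120
198.51.100.20 - - [03/Mar/2024:08:10:06 +0000] "GET /about HTTP/1.1" 200 2210
198.51.100.31 - alice [03/Mar/2024:08:10:09 +0000] "POST /api/orders HTTP/1.1" 500 87
EOF

# Requests per HTTP status code, printed as "status count" sorted by status.
# In CLF the status code is the 9th whitespace-separated field.
status_summary() {
    awk '{ n[$9]++ } END { for (s in n) print s, n[s] }' "$1" | sort -n
}

# Source IPs whose 4xx/5xx responses reach the threshold in $2.
error_heavy_clients() {
    awk -v t="$2" '$9 ~ /^[45]/ { e[$1]++ }
                   END { for (ip in e) if (e[ip] >= t) print ip }' "$1" | sort
}

# Clients that sent an authenticated user ID (3rd field is "-" when anonymous).
authenticated_clients() {
    awk '$3 != "-" { print $1, $3 }' "$1" | sort -u
}

# Stand-alone run: status breakdown, then any client with 3+ error responses.
status_summary "$SAMPLE_ACCESS_LOG"
error_heavy_clients "$SAMPLE_ACCESS_LOG" 3
```

Point the functions at /var/log/httpd/access_log on a live server; the status summary also makes a sudden rise in 500s from one client, like the POST above, stand out.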
- /var/log/kern
This log offers information about the kernel and any warnings. Kernel logs can be read from this file in a terminal, so in case of any errors or warnings, you can check it there.
How to use /var/log/kern
If you’re facing issues with custom kernels, you can check warning data through this log and troubleshoot problems. It gives you comprehensive information about any kernel errors, making it easy to find problems and fix them.
Frequently Asked Questions
How Do I Analyze a Log File in Linux?
You can use a command line tool such as grep to run plain text searches. These can help you analyze log files and are generally found by default in most Linux distros.
How Do I Manually Create a Log File In Linux?
To create a log file entry in Linux, you can simply use the logger command. The command helps you connect with the syslog module. To write an entry, simply type “logger” (without the quotation marks), followed by your message, and Linux will automatically add it to the /var/log/syslog file.
Where Are Logs Kept in Linux?
You can find most of the Linux log files as plain ASCII text files. They’re commonly stored in the /var/log directory and its subdirectories.
What Is The Purpose Of Logs in Linux?
The main purpose of Linux logs is to provide a detailed event timeline in the Linux OS. It can be an excellent tool for diagnostics and for troubleshooting and is commonly used by administrators to determine what went wrong.
After Action Report – RunCloud Dashboard Makes Log Viewing Easy
Linux logs are an excellent way to identify any errors and correct them. The RunCloud dashboard makes it easy for users to find logs within their Web Application. Simply click on the Web Application, and navigate to Web Server Log.
Are you using Linux logs to keep track of server performance or to identify errors? If so, we’d love to know more about how you use them. Let us know in the comments below!