What are Linux Log Files?

All Linux systems create and store information log files for boot processes, applications, and other events. These files can be a helpful resource for troubleshooting system issues.

Most Linux log files are plain ASCII text files stored in the /var/log directory and its subdirectories. Logs are generated by the Linux system logging daemon, “syslogd” or “rsyslogd.”

This tutorial will walk you through where they are located, how to read Linux log files, and how to configure the system logging daemon.

How to View Linux Log Files

Prerequisites

  • Access to Linux
  • A user account with root user privileges

Where to View Linux Logs

First, open the Linux terminal as a root user. This will enable root privileges.

Use the following command to see the log files:

# cd /var/log

To view the logs, type the following command:

# ls

This will display all the Linux log files, such as kern.log and boot.log. These files contain the necessary information for the proper function of the operating system. Most log files require root privileges to read.

By definition, root is the default account that has access to all Linux files.

Use the following example line command to access the respective file:

# sudo less [log name here].log

This will display the entries of that log in chronological order.

Note that since the log files are stored in plain text (rotated copies are often gzip-compressed), they can be viewed with the following standard commands:

  • zcat – Displays all the contents of a compressed logfile.gz.
  • zmore – Shows a compressed file page by page, without decompressing it on disk.
  • zgrep – Searches inside a compressed file.
  • grep – Finds all occurrences of a search term in a file, or filters a log file.
  • tail – Outputs the last few lines of a file.
  • head – Outputs the very beginning of a text file.
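As an added example (not part of the original tutorial), the following script combines the zcat/grep-style commands above into a defender's check that counts failed SSH logins per source address across auth.log and its rotated, gzip-compressed copies. It assumes OpenSSH's "Failed password for ... from <ip> port <n>" message format and the usual auth.log.1, auth.log.2.gz naming for rotated files; the sample log lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original tutorial: combine the zcat/grep-style
# commands above into a small defender's check that counts failed SSH logins
# per source address across auth.log and its rotated, gzip-compressed copies.
# Assumptions: OpenSSH's "Failed password for ... from <ip> port <n>" message
# format, and rotated copies named auth.log.1, auth.log.2.gz and so on.

# Print the text of every auth log in a directory, decompressing *.gz copies
# (gzip -dc is what zcat does under the hood).
cat_auth_logs() {
    _logdir="$1"
    for _f in "$_logdir"/auth.log*; do
        [ -f "$_f" ] || continue        # skip an unmatched literal glob
        case "$_f" in
            *.gz) gzip -dc "$_f" ;;
            *)    cat "$_f" ;;
        esac
    done
}

# Count "Failed password" lines per source IP, most frequent source first.
failed_logins_by_ip() {
    cat_auth_logs "$1" \
      | grep 'Failed password' \
      | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
      | sort | uniq -c | sort -rn
}

# Build a constructed sample log directory so the example runs offline;
# the addresses are documentation ranges, not real hosts.
make_sample_logs() {
    _dir=$(mktemp -d)
    cat > "$_dir/auth.log" <<'EOF'
Mar  1 10:00:01 host sshd[101]: Failed password for invalid user admin from 203.0.113.5 port 4001 ssh2
Mar  1 10:00:03 host sshd[102]: Failed password for root from 203.0.113.5 port 4002 ssh2
Mar  1 10:01:00 host sshd[103]: Accepted publickey for alice from 198.51.100.7 port 5000 ssh2
EOF
    gzip -c > "$_dir/auth.log.2.gz" <<'EOF'
Feb 28 23:59:58 host sshd[99]: Failed password for root from 198.51.100.9 port 3999 ssh2
Feb 28 23:59:59 host sshd[100]: Failed password for root from 203.0.113.5 port 4000 ssh2
EOF
    echo "$_dir"
}

# On a real system: failed_logins_by_ip /var/log
```

Run against the constructed directory, the top line reports three failures from 203.0.113.5, two of which only survive in the rotated .gz copy.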

Important Linux System Logs

Logs can tell a lot about the operation of a system. A good understanding of each type of log file will help you distinguish the respective logs.

Most log files can be grouped into one of four categories:

  • System Logs
  • Application Logs
  • Event Logs
  • Service Logs

Note that most of these logs are located in the /var/log directory or its subdirectories.

System Logs

System log files are needed for Linux to work.

The system log file on its own contains the most significant amount of information about system functionality.

System Boot log: The boot log stores all information related to booting operations.

/var/log/boot.log

Auth logs: The authentication log stores all authentication logs, including successful and failed attempts.

/var/log/auth.log

Apache Access and Error Logs: /var/log/httpd/

MySQL Database Server Log File: /var/log/mysqld.log

Debug logs: The debug log stores detailed messages related to debugging. It is useful for troubleshooting specific system operations.

Daemon logs: The daemon log contains information about events from the daemons that keep the Linux system running.

Mail Server logs: The mail log stores information related to mail servers and archiving emails.

/var/log/maillog

Kernel logs: The kernel log stores information from the Ubuntu Linux kernel.

/var/log/kern.log

Yum Command logs: /var/log/yum.log

Event or Daemon Logs

A daemon is a program that runs in the background and is essential for system operation.

Daemon logs form their own category of logs and are seen as the heart of the logging operations for any system.

The path for the syslogd daemon’s configuration is /etc/syslog.conf.

Each line of the configuration file consists of a selector field and an action field. The syslogd daemon can also forward log messages to another host, which is useful for debugging purposes.
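As an added example (not from the original page), here is a syslog.conf-style fragment showing the selector and action fields described above, including a forwarding rule; the log host name loghost.example.com is an assumed placeholder.

```conf
# Selector (facility.priority)        Action (file, or remote host)
# Authentication messages, including sudo, go to their own file.
auth,authpriv.*                       /var/log/auth.log
# Kernel and mail messages; the leading "-" skips a sync after every write.
kern.*                                -/var/log/kern.log
mail.*                                -/var/log/maillog
# Everything else of priority info or higher, excluding the facilities above.
*.info;mail.none;authpriv.none        /var/log/messages
# Forward a copy of everything to a central log host over UDP port 514
# (assumed host name), so a compromised machine cannot quietly erase its trail.
*.*                                   @loghost.example.com
```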

Application Logs

Application logs store information relevant to any application that is executed. This can include error messages, signs of system compromise, and browser identification strings.

Log files that fall into this category include CUPS Print System logs, Rootkit Hunter log, Apache HTTP server logs, Samba SMB server logs, and X11 server log.

Non-Human-Readable Logs

Not all logs are designed in a human-readable format. Some are designed only to be read by the system applications.

These files record login information. Such files include the login failures log, the last logins log, and the login records log.

There are available tools and software for reading Linux log files.

Note that these are not necessary, as most log files can be read directly from the Linux terminal.

Supplemental GUIs for viewing Linux Log Files

System Log Viewer is a GUI that can be used to monitor system logs.

The interface provides several functions for managing logs, including a log statistics display. System Log Viewer is one of the more friendly and intuitive log monitoring GUIs.

Useful features include:

  • A live view of logs
  • Number of lines in the log
  • Log size
  • Most recent log dates
  • Modifications made to logs
  • Filters
  • Keyboard Shortcuts

Xlogmaster can monitor a considerable number of log files. It features three different modes:

Run mode: Starts a specified program and obtains stdout

Cat mode: Cats files within specified intervals

Tail mode: Checks log files within regular intervals

Xlogmaster is useful for security monitoring. It filters all incoming data to highlight or hide lines, and displays this information so the user can take action when a pattern of interest appears.

How to Configure Log Files on Ubuntu and CentOS

This section will explain different mechanisms for configuring log files. Let’s start with a CentOS example.

To view users currently logged onto a Linux server, enter the who command as a root user as follows:

[root@example ~] # who

The last command lists the login history of users. For example, to view the system's reboot history, enter the following command:

[root@example ~] # last reboot

To view information about the last login of each user, enter:

[root@example ~] # lastlog

Execute Log Rotation

Log files that have numbers appended at the end are rotated files. That means the log file names have automatically been changed by the system.

The purpose of log rotation is to compress outdated logs that are taking up space. Log rotation can be done using the logrotate command. This command rotates, compresses, and mails system logs.

logrotate is designed to handle systems that create significant amounts of log files. The command is called by the cron scheduler and reads the logrotate configuration file /etc/logrotate.conf. It also reads the per-service configuration files in the logrotate configuration directory.

To add rotation for an additional log file, create a file for it in the logrotate configuration directory containing a stanza like the following (directive names are lowercase):

/var/log/[log name here].log {
    missingok
    notifempty
    compress
    size 20k
    daily
    create 0600 root root
}

This will rotate and compress the desired log file according to these options.

The directives perform the following actions:

  • missingok – Tells logrotate not to output an error if a log file is missing.
  • notifempty – Does not rotate the log file if it is empty.
  • compress – Reduces the size of the rotated log file. Compression is done with gzip.
  • size – Ensures that the log file does not exceed the specified size and rotates it otherwise.
  • daily – Rotates the log files on a daily schedule. This can also be done on a weekly or monthly schedule.
  • create – Creates a new log file after rotation with the given mode, where the owner and group are root.

Conclusion

A thorough understanding of how to view and read Linux logs is necessary for troubleshooting a Linux system.

The proper tools can simplify this process.