Difference between revisions of "Linux log files"

From Christoph's Personal Wiki

Latest revision as of 00:58, 12 December 2018

This article identifies what each of your log files contains, where it is located, and which distributions a given log is associated with.

Note: Unless otherwise specified in the log descriptions below, you can use vi, less/zless, tail, cat/zcat, grep/zgrep, etc. to view the contents of these log files.

;<code>/var/log/alternatives.log</code> (Ubuntu/Debian)
:update-alternatives logs the changes it makes to the alternatives system into this file.
;<code>/var/log/apache2/access.log</code> (Ubuntu/Debian)
:Access log. Records incoming requests and all requests processed by Apache (e.g., HTTP GET and POST requests). These logs can be parsed by log analysers such as awstats, webalizer, etc. The location and format are configurable via the <code>CustomLog</code> directive.
;<code>/var/log/apache2/error.log</code> (Ubuntu/Debian)
:All Apache errors and diagnostic information encountered while serving requests are stored here. The location of the error log is set by the <code>ErrorLog</code> directive.
;<code>/var/log/audit/audit.log</code>
:Stores events from the Linux Audit daemon (auditd). This log records which files users read from or write to; for example, you can determine who changed a specific file.
;<code>/var/log/auth.log</code>
:Contains system authorization information, including user logins and the authentication mechanism that was used.
;<code>/var/log/boot</code>
:Contains information pertaining to the boot process after the kernel has loaded: the system file check, mounting of the filesystems, starting the firewall, starting network devices and starting services.
;<code>/var/log/btmp</code>
:Contains failed login attempts. Use the <code>last</code> command to view this log. Example: <code>sudo lastb</code> or <code>last -f /var/log/btmp | less</code>
;<code>/var/log/cron</code>
:When the cron daemon or anacron starts a cron job, information about that job is stored here.
;<code>/var/log/dmesg</code>
:Contains kernel information about hardware and devices detected during the boot process. This file is overwritten when new messages are written to it, e.g., on the next boot.
;<code>/var/log/dpkg.log</code> (Ubuntu/Debian)
:Information logged when a package is installed or removed using the <code>dpkg</code> command.
;<code>/var/log/faillog</code>
:Log file of failed login attempts per user. Use the <code>faillog</code> command to read it.
;<code>/var/log/kern.log</code> (Ubuntu/Debian; can be configured for CentOS/Red Hat)
:Contains the logging from the kernel's initialization at system boot, as well as any kernel errors or informational messages sent by the kernel.
;<code>/var/log/lastlog</code>
:Records the most recent login of each user. Use the <code>lastlog</code> command to view it.
;<code>/var/log/maillog.log</code> (CentOS/Red Hat)
:Information from the mail server running on your system, e.g., Sendmail logging.
;<code>/var/log/mail.log</code> (Ubuntu/Debian)
:Same information as <code>maillog.log</code> on CentOS/Red Hat flavors.
;<code>/var/log/mail</code>
:This directory contains additional logs provided by your mail server. Example: sendmail stores collected mail statistics in <code>/var/log/mail/statistics</code>.
;<code>/var/log/messages</code> (CentOS/Red Hat)
:Contains global system messages, including those logged during boot. Several facilities are logged in this file, including mail, cron, daemon, kern, auth, etc.
;<code>/var/log/sa</code>
:Contains the daily <code>sar</code> files collected by the sysstat package.
;<code>/var/log/samba/</code>
:Contains logs written by the Samba daemon, which is used to share filesystems between Windows and Linux.
;<code>/var/log/setroubleshoot/</code>
:[[SELinux]] uses setroubleshootd (the SE Troubleshoot daemon) to notify about issues with the security context of files, and logs that information here.
;<code>/var/log/secure</code> (CentOS/Red Hat)
:Information related to authentication and authorization. For example, sshd logs all of its information here, including unsuccessful login attempts.
;<code>/var/log/wtmp</code> or <code>/var/log/utmp</code>
:Contains login records. Using wtmp you can find out who is logged into the system. The <code>who</code> command uses this file to display that information.
;<code>/var/log/yum.log</code> (CentOS/Red Hat)
:Information logged when a package is installed or removed.
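The <code>/var/log/secure</code> and <code>/var/log/auth.log</code> entries above say that sshd records every attempt, including the unsuccessful ones. The following script is an added example, not code from this wiki, showing how a defender would turn those lines into a per-source summary: it parses the syslog prefix, matches sshd's <code>Failed</code>/<code>Accepted</code> messages, and flags sources that exceed a failure threshold or that succeed only after failing. The log lines in <code>SAMPLE_LOG</code> are constructed (TEST-NET addresses), and the regular expressions are assumptions about OpenSSH's message wording rather than anything the page states.

```python
"""Summarise sshd authentication events from /var/log/auth.log or /var/log/secure.

Added example (not part of the original wiki page). It reads syslog-style
lines as written by sshd, counts failed and accepted logins per source
address, and flags sources whose failure count exceeds a threshold. The
lines in SAMPLE_LOG are constructed; the regexes are assumptions about
OpenSSH's message wording.
"""
import re
from collections import defaultdict

# Constructed sample in the format of /var/log/secure (CentOS/Red Hat)
# and /var/log/auth.log (Ubuntu/Debian). Addresses are TEST-NET ranges.
SAMPLE_LOG = """\
Dec 12 00:58:01 host1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Dec 12 00:58:03 host1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Dec 12 00:58:05 host1 sshd[2103]: Failed password for root from 203.0.113.5 port 51240 ssh2
Dec 12 00:58:09 host1 sshd[2105]: Failed password for root from 203.0.113.5 port 51241 ssh2
Dec 12 00:58:30 host1 sshd[2110]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2: RSA SHA256:CONSTRUCTED
Dec 12 00:59:00 host1 sshd[2112]: Failed password for alice from 198.51.100.7 port 40030 ssh2
Dec 12 00:59:02 host1 sshd[2112]: Accepted password for alice from 198.51.100.7 port 40030 ssh2
Dec 12 00:59:10 host1 CRON[2120]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# Syslog prefix: "Mon DD HH:MM:SS hostname program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# sshd outcome lines; "invalid user" marks account names that do not exist on the host
FAILED_RE = re.compile(
    r"^Failed (?P<method>\S+) for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_sshd_events(text):
    """Yield (outcome, user, ip, invalid_user) for each sshd authentication line."""
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m or m.group("prog") != "sshd":
            continue  # skip non-sshd lines (cron, sudo, ...)
        msg = m.group("msg")
        f = FAILED_RE.match(msg)
        if f:
            yield ("failed", f.group("user"), f.group("ip"), bool(f.group("invalid")))
            continue
        a = ACCEPTED_RE.match(msg)
        if a:
            yield ("accepted", a.group("user"), a.group("ip"), False)


def summarise(text, threshold=3):
    """Aggregate events per source IP and flag noisy or suspicious sources.

    Returns ip -> {"failed", "accepted", "invalid_users", "success_after_failure", "flag"}.
    A source is flagged when its failures exceed `threshold`, or when an
    accepted login follows earlier failures from the same source.
    """
    stats = defaultdict(lambda: {"failed": 0, "accepted": 0, "invalid_users": set(),
                                 "success_after_failure": False, "flag": False})
    for outcome, user, ip, invalid in parse_sshd_events(text):
        s = stats[ip]
        if outcome == "failed":
            s["failed"] += 1
            if invalid:
                s["invalid_users"].add(user)
        else:
            s["accepted"] += 1
            if s["failed"]:
                s["success_after_failure"] = True
    for s in stats.values():
        s["flag"] = s["failed"] > threshold or s["success_after_failure"]
    return dict(stats)


if __name__ == "__main__":
    for ip, s in sorted(summarise(SAMPLE_LOG).items()):
        print(f"{ip:16} failed={s['failed']} accepted={s['accepted']} "
              f"invalid_users={sorted(s['invalid_users'])} flag={s['flag']}")
```

On a real host, replace <code>SAMPLE_LOG</code> with the contents of <code>/var/log/secure</code> or <code>/var/log/auth.log</code> (reading rotated <code>.gz</code> copies with <code>gzip.open</code>); the "invalid user" set is worth reviewing separately, since those names were never valid accounts and point at guessing rather than typos.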
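The <code>/var/log/btmp</code> and <code>/var/log/wtmp</code> entries above point you at <code>last</code>, <code>lastb</code> and <code>who</code> because those files are not text: they are arrays of fixed-size <code>struct utmp</code> records. The following added example (not code from this wiki) decodes such a file directly, which is handy when examining a copied <code>btmp</code> offline during an investigation. The record layout is the glibc layout on x86_64 (384 bytes per record), an assumption about the platform rather than something the page states, and the records in <code>SAMPLE_BTMP</code> are constructed with TEST-NET addresses.

```python
"""Decode the binary login records behind `last`, `lastb` and `who`.

Added example, not part of the original wiki page. /var/log/wtmp, /var/log/btmp
and /run/utmp hold fixed-size `struct utmp` records. The layout below is the
glibc layout on x86_64 (384 bytes per record); this is an assumption about the
platform. The records in SAMPLE_BTMP are constructed for the example.
"""
import socket
import struct
from collections import Counter
from datetime import datetime, timezone

# struct utmp, glibc x86_64: ut_type, (2 pad bytes), ut_pid, ut_line[32], ut_id[4],
# ut_user[32], ut_host[256], e_termination, e_exit, ut_session, tv_sec, tv_usec,
# ut_addr_v6[4] (kept as 16 raw bytes), 20 unused bytes.
UTMP_FMT = "<hxxi32s4s32s256shhiii16s20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384 on this layout
assert UTMP_SIZE == 384

UT_TYPES = {0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 5: "INIT_PROCESS",
            6: "LOGIN_PROCESS", 7: "USER_PROCESS", 8: "DEAD_PROCESS"}


def _cstr(b):
    """Decode a NUL-padded fixed-width C string field."""
    return b.split(b"\0", 1)[0].decode("utf-8", "replace")


def read_utmp(data):
    """Parse the bytes of a wtmp/btmp/utmp file into a list of record dicts."""
    if len(data) % UTMP_SIZE:
        raise ValueError(f"size {len(data)} is not a multiple of {UTMP_SIZE}; wrong layout?")
    records = []
    for off in range(0, len(data), UTMP_SIZE):
        (ut_type, pid, line, ut_id, user, host, term, exit_, session,
         sec, usec, addr) = struct.unpack_from(UTMP_FMT, data, off)
        # An IPv4 address occupies the first 4 bytes (network order), the rest are zero.
        ip = None
        if addr[4:] == b"\0" * 12 and addr[:4] != b"\0" * 4:
            ip = socket.inet_ntoa(addr[:4])
        records.append({
            "type": UT_TYPES.get(ut_type, str(ut_type)),
            "pid": pid,
            "line": _cstr(line),
            "user": _cstr(user),
            "host": _cstr(host),
            "ip": ip,
            "time": datetime.fromtimestamp(sec + usec / 1e6, tz=timezone.utc),
        })
    return records


def failed_logins_by_source(records):
    """Count btmp records per (host, user); every non-empty btmp record is a failed attempt."""
    return Counter((r["host"] or r["ip"] or "?", r["user"])
                   for r in records if r["type"] != "EMPTY")


def make_record(ut_type, pid, line, user, host, ip, ts):
    """Pack one record; used only to build the constructed sample below."""
    addr = socket.inet_aton(ip) + b"\0" * 12 if ip else b"\0" * 16
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, ts, 0, addr)


# Constructed btmp contents: three failed attempts as sshd records them
# (ut_line "ssh:notty"), from TEST-NET addresses, on 2018-12-12 around 00:58 UTC.
SAMPLE_BTMP = b"".join([
    make_record(7, 2101, "ssh:notty", "admin", "203.0.113.5", "203.0.113.5", 1544576281),
    make_record(7, 2103, "ssh:notty", "root", "203.0.113.5", "203.0.113.5", 1544576285),
    make_record(7, 2112, "ssh:notty", "alice", "198.51.100.7", "198.51.100.7", 1544576340),
])

if __name__ == "__main__":
    recs = read_utmp(SAMPLE_BTMP)
    for r in recs:  # lastb-like listing
        print(f"{r['user']:<10} {r['line']:<12} {r['host']:<16} {r['time']:%Y-%m-%d %H:%M:%S}")
    for (host, user), n in failed_logins_by_source(recs).most_common():
        print(f"{n:4d} failures for {user!r} from {host}")
```

To run it against a real file, pass <code>open("/var/log/btmp", "rb").read()</code> to <code>read_utmp</code> (root is needed; btmp is not world-readable). The size check is the important caveat: a file copied from a 32-bit or non-glibc system has a different record size, and the parser refuses it rather than silently misaligning every field.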

See also