Linux log files
This article will identify what is in each of your logs, where they are located, and what distro certain logs are associated with.
Note: Unless otherwise specified in each of the log descriptions below, you can use vi, less/zless, tail, cat/zcat, grep/zgrep, etc. to view the contents of these log files.
- Information from update-alternatives is logged into this log file.
- Access Log file — records incoming requests and all requests processed by Apache (e.g., HTTP GET and POST requests).
- All Apache errors and diagnostic information found while serving requests are stored here. The location of the error.log file is set by the ErrorLog directive.
- Stores information from the Linux Audit daemon (auditd). This log records which files users read from and write to. For example, you can determine who changed a specific file.
- Contains system authorization information, including user logins and the authentication mechanisms that were used.
- Contains information pertaining to the boot process after the kernel has loaded, such as system file checks, mounting of the filesystem, starting the firewall, starting network devices and starting services.
- This will contain failed login attempts. Use the 'last' command to view this log. Example:
last -f /var/log/btmp | less
- When the cron daemon or anacron starts a cron job, information about the cron job is stored here.
- Contains kernel information about hardware and devices detected during the boot process. This file is overwritten when new messages are sent to it, for example at the next boot.
- This has information that is logged when a package is installed or removed using the
- Log file containing failed user login attempts. faillog is a command that accesses this information.
/var/log/kern.log (Ubuntu/Debian; can be configured for CentOS/Red Hat)
- Contains the logging from the kernel's initialization at system bootup, as well as any kernel errors or informational messages that are sent from the kernel.
- Displays recent login information. This is a command that is run to view the information provided.
- Information from the mail server that is running on your system. Example: Sendmail logging information.
- Same information as
maillog.log for CentOS/Red Hat flavors.
- This folder will contain additional logs provided by your mail server. Example: sendmail stores collected mail statistics in
- Contains global system messages, including the messages logged during boot. Several things are logged in this file including mail, cron, daemon, kern, auth, etc.
- Contains log information stored by the Samba daemon, which is used to connect to Windows/Linux filesystems.
- SELinux uses setroubleshootd (SE Trouble Shoot Daemon) to notify about issues in the security context of files, and logs that information in this log file.
- Information related to authentication and authorization privileges. For example, sshd logs all information here, including unsuccessful attempts.
- Contains login records. Using wtmp you can find out who is logged into the system. The who command uses this file to display the information.
- Information that is logged when a package is installed or removed is stored here.
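The entry above on authentication logging notes that sshd records unsuccessful attempts. The following is an added example, not part of the original article, that summarizes failed sshd password attempts per source address; the function names and the sample lines are constructed for illustration, and the log file is passed as an argument (or on stdin) rather than assumed.

```shell
# Constructed sample lines in the usual OpenSSH syslog format (not real data).
sample_log() {
cat <<'EOF'
Jan 10 03:12:41 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 10 03:12:44 web01 sshd[2211]: Failed password for invalid user test from 203.0.113.5 port 51240 ssh2
Jan 10 03:12:49 web01 sshd[2215]: Failed password for root from 203.0.113.5 port 51251 ssh2
Jan 10 03:15:02 web01 sshd[2230]: Failed password for alice from 198.51.100.7 port 40022 ssh2
Jan 10 03:15:09 web01 sshd[2230]: Accepted password for alice from 198.51.100.7 port 40022 ssh2
Jan 10 03:17:01 web01 CRON[2301]: pam_unix(cron:session): session opened for user root by (uid=0)
EOF
}

# failed_ssh_by_source [FILE]
# Prints "<count> <source> <usernames tried>", highest count first.
# Reads FILE, or stdin when no file is given.
failed_ssh_by_source() {
  awk '
    / sshd\[[0-9]+\]: Failed password for / {
      # Fields are counted from the end of the line, so the optional
      # "invalid user" prefix does not shift them:
      #   ... for [invalid user] NAME from ADDR port N ssh2
      user = $(NF-5); addr = $(NF-3)
      count[addr]++
      # Record each username once per source address.
      if (!seen[addr, user]++)
        users[addr] = (users[addr] == "" ? user : users[addr] "," user)
    }
    END { for (a in count) print count[a], a, users[a] }
  ' "${1:--}" | sort -k1,1nr -k2,2
}

# over_threshold N [FILE]
# Keeps only sources with at least N failed attempts.
over_threshold() {
  failed_ssh_by_source "${2:--}" | awk -v n="$1" '$1 >= n'
}

# Demonstration on the constructed sample.
sample_log | failed_ssh_by_source
```

For rotated, compressed logs, pipe the output of zcat into either function instead of passing a file name.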