21 linux log files

21 Critical Linux Log Files (Server & Network Monitoring)

A log file maintains records of events (a history of what happened on your system). And they’re generally event-specific. This means that operating systems will maintain many different log files, each with a specific kind of information.

But why?

Well, it’s a lot easier to troubleshoot problems when you can isolate information.

For instance, one log file could maintain system boot events so you can track boot failures whereas another log file could maintain authentication events so you can track logins and logouts.

So knowing where each log file is and what it contains is important for system maintenance and troubleshooting.

To understand which log files are available for your specific Linux distribution and where they’re maintained, let’s quickly touch on the most popular distributions. This will provide you with an overview of how log files vary from one distro to the next.

Let’s determine popularity in two ways — the first way will be to showcase what people are running on virtual machines using Amazon Web Services (AWS). Since AWS controls 40% of the internet’s cloud market, this is a broad data metric that serves us well.

The second way will be to query Google Trends, which provides us with relative-search data. In other words, we’re comparing Linux distros against each other within Google search to see how they rank.

(#1/2) Linux Distributions Running on Amazon Web Services

Linux Distributions Running on Amazon Web Services
Source: The Cloud Market, which provides a catalog of images available for the Amazon Cloud, known as Amazon Web Services (AWS).

(#2/2) Linux Distributions by Google Search

Linux Distributions by Google Search
Source: Google Trends, which provides comparative search data.

As we can see from the above two graphs, Ubuntu is the top Linux distribution. If you’re a technologist, a security consultant, an intrusion specialist, etc. you should take notice of this as you’ll likely encounter an Ubuntu OS.

Keep in mind, though, that Ubuntu is derived from Debian Linux, so any of the following distros will likely maintain log files in the same locations absent customizations.

Debian-based Linux Distributions

  • BackTrack and Kali Linux (developed by Offensive Security for penetration testing; BackTrack was rebuilt using Debian Linux and was renamed to Kali Linux)
  • Parsix
  • PureOS
  • Ubuntu

Linux Distros Present on the Above AWS Graph and Ordered by Popularity:

  1. Ubuntu
  2. Debian
  3. Fedora
  4. CentOS
  5. RedHat
  6. Suse
  7. Gentoo
  8. Arch Linux
  9. OpenSolaris
  10. Slackware

Where Are Log Files Stored in Linux?

The below log files are default locations for most Linux distributions. Keep in mind, though, that you can change locations and even filenames by adjusting your platform’s log manager.

For reference, most Linux distros use one of three log managers: syslog, syslog-ng, or rsyslog.

Ubuntu, by default, uses rsyslog and you can make changes via the config file /etc/rsyslog.conf.

Generic System Activity Events

/var/log/messages
/var/log/syslog (on Debian-based Linux systems)

Boot-related Events

/var/log/boot.log

Maintains startup messages and system boot info.

Kernel Ring Buffer Events

/var/log/dmesg

Maintains messages for device drivers.

Kernel-related Events

/var/log/kern.log

Maintains kernel logs and warning info.

Authentication-related Events

/var/log/auth.log
/var/log/secure (on RedHat and CentOS)

Maintains messages for successful logins, failed login attempts, and authentication process events.

Failed Login Events

/var/log/faillog

Maintains messages of failed login attempts. Check for brute-force attacks here.

Cron-related Events

/var/log/cron

Maintains messages for cron jobs.

Apache Events

/var/log/httpd/

MySQL Events

/var/log/mysqld.log
/var/log/mysql.log

Advanced Package Tool (APT)-related Events

/var/log/apt/history.log
/var/log/dpkg.log

Yellowdog Updater, Modified (YUM)-related Events

/var/log/yum.log

Mail-related Events

/var/log/maillog
/var/log/mail.log

Logged-In Users

/var/run/utmp

This file is a binary file and is accessed using the “who” command.

root@server:/# who
ubuntu pts/0 2020-05-01 20:12 (1.2.3.4)

All Past Logins and Logouts

/var/log/wtmp

This file is a binary file and is accessed using the “last” command.

root@server:/# last
ubuntu   pts/0        1.2.3.4    Thu Sep 12 21:51 – 22:24  (00:32)
ubuntu   pts/0        1.2.3.4    Fri Sep  6 20:51 – 23:07  (02:15)
wtmp begins Fri Sep  6 20:51:36 2019

Failed Login Attempts Only

/var/log/btmp

There are two methods to read this binary file — you can use the “last” command with the “-f” switch for file, and you can use the “lastb” command.

root@server:/# last -f /var/run/btmp

root@server:/# lastb

Users’ Last Login

/var/log/lastlog

This file is a binary file and is accessed using the “lastlog” command.

root@server:/# lastlog

Privacy Angel Comment Policy

We welcome relevant, respectful comments.
Scroll to Top