A log file maintains records of events (a history of what happened on your system). And they’re generally event-specific. This means that operating systems will maintain many different log files, each with a specific kind of information.
Well, it’s a lot easier to troubleshoot problems when you can isolate information.
For instance, one log file could maintain system boot events so you can track boot failures whereas another log file could maintain authentication events so you can track logins and logouts.
So knowing where each log file is and what it contains is important for system maintenance and troubleshooting.
To understand which log files are available for your specific Linux distribution and where they’re maintained, let’s quickly touch on the most popular distributions. This will provide you with an overview of how log files vary from one distro to the next.
Let’s determine popularity in two ways — the first way will be to showcase what people are running on virtual machines using Amazon Web Services (AWS). Since AWS controls 40% of the internet’s cloud market, this is a broad data metric that serves us well.
The second way will be to query Google Trends, which provides us with relative-search data. In other words, we’re comparing Linux distros against each other within Google search to see how they rank.
(#1/2) Linux Distributions Running on Amazon Web Services
(#2/2) Linux Distributions by Google Search
As we can see from the above two graphs, Ubuntu is the top Linux distribution. If you’re a technologist, a security consultant, an intrusion specialist, etc. you should take notice of this as you’ll likely encounter an Ubuntu OS.
Keep in mind, though, that Ubuntu is derived from Debian Linux, so any of the following distros will likely maintain log files in the same locations absent customizations.
Debian-based Linux Distributions
- BackTrack and Kali Linux (developed by Offensive Security for penetration testing; BackTrack was rebuilt using Debian Linux and was renamed to Kali Linux)
Linux Distros Present on the Above AWS Graph and Ordered by Popularity:
- Arch Linux
Where Are Log Files Stored in Linux?
The below log files are default locations for most Linux distributions. Keep in mind, though, that you can change locations and even filenames by adjusting your platform’s log manager.
For reference, most Linux distros use one of three log managers: syslog, syslog-ng, or rsyslog.
Ubuntu, by default, uses rsyslog and you can make changes via the config file /etc/rsyslog.conf.
Generic System Activity Events
/var/log/syslog (on Debian-based Linux systems)
Maintains startup messages and system boot info.
Kernel Ring Buffer Events
Maintains messages for device drivers.
Maintains kernel logs and warning info.
/var/log/secure (on RedHat and CentOS)
Maintains messages for successful logins, failed login attempts, and authentication process events.
Failed Login Events
Maintains messages of failed login attempts. Check for brute-force attacks here.
Maintains messages for cron jobs.
This file is a binary file and is accessed using the “who” command.
ubuntu pts/0 2020-05-01 20:12 (22.214.171.124)
All Past Logins and Logouts
This file is a binary file and is accessed using the “last” command.
ubuntu pts/0 126.96.36.199 Thu Sep 12 21:51 – 22:24 (00:32)
ubuntu pts/0 188.8.131.52 Fri Sep 6 20:51 – 23:07 (02:15)
wtmp begins Fri Sep 6 20:51:36 2019
Failed Login Attempts Only
There are two methods to read this binary file — you can use the “last” command with the “-f” switch for file, and you can use the “lastb” command.
root@server:/# last -f /var/run/btmp
Users’ Last Login
This file is a binary file and is accessed using the “lastlog” command.