What are Linux log files?

Linux log files are text-based records created by the Linux operating system, its applications, and services. They help in monitoring server and network performance, troubleshooting issues, and maintaining system security. These log files can be accessed and analyzed to gather valuable information about the system's health and the state of applications running on it.

How do Linux log files help in server and network monitoring?

Linux log files help in server and network monitoring by providing valuable information about the system's health, applications, and services. By regularly reviewing log files, administrators can identify performance bottlenecks, potential security threats, and other issues that need resolution. This enables them to optimize server and network performance, maintain system stability, and ensure continuous uptime.

What are some of the critical Linux log files for server monitoring?

Some critical Linux log files for server monitoring include /var/log/messages, /var/log/syslog, /var/log/secure, /var/log/auth.log, /var/log/kern.log, /var/log/boot.log, /var/log/dmesg, and /var/log/faillog. These log files contain information about system messages, security-related events, kernel events, boot process, hardware issues, and authentication failures, respectively.

What is the purpose of the /var/log/messages log file?

The /var/log/messages log file is a general system log that contains messages from various system services, applications, and kernel events. It is used for diagnosing issues, monitoring system behavior, and identifying potential problems. The file may include information about hardware events, software failures, and other system-related events that can help administrators troubleshoot and maintain the server.

How can I access Linux log files?

Linux log files can be accessed using terminal-based text editors like 'vi', 'nano', or 'less', or through graphical text editors available in the Linux desktop environment. You can also use specialized log file viewing tools like 'logwatch' and 'syslog-ng' to analyze and filter log files for specific events or patterns. Access to log files may require root or administrative privileges, depending on the file's location and permissions.

What is the role of /var/log/secure and /var/log/auth.log files?

The /var/log/secure and /var/log/auth.log files are critical log files that record security-related events in a Linux system. They contain information about user authentication, failed login attempts, and other security events, such as changes to user accounts or privilege levels. By monitoring these log files, administrators can identify and address potential security threats, ensuring the system remains secure and protected.

Why is the /var/log/boot.log file important?

The /var/log/boot.log file is important because it records information about the system's boot process. This log file includes messages from the initialization of hardware components, loading of the kernel, and starting of system services. By analyzing the boot.log file, administrators can troubleshoot boot-related issues, identify the cause of system startup failures, and ensure the system is functioning properly during the boot process.

What does the /var/log/faillog file record?

The /var/log/faillog file records information about failed login attempts in a Linux system. It contains details about each failed attempt, such as the username, source IP address, and the time of the attempt. Monitoring the faillog file can help administrators detect potential security threats, such as brute-force attacks, and take necessary action to secure the system against unauthorized access.

21 Critical Linux Log Files (Server & Network Monitoring)

54 Shares

A log file maintains records of events (a history of what happened on your system). And they’re generally event-specific. This means that operating systems will maintain many different log files, each with a specific kind of information.

But why?

Well, it’s a lot easier to troubleshoot problems when you can isolate information.

ExpressVPN for bypassing geo-restrictions, a no logs policy, streaming, and anonymous payment

For instance, one log file could maintain system boot events so you can track boot failures whereas another log file could maintain authentication events so you can track logins and logouts.

So knowing where each log file is and what it contains is important for system maintenance and troubleshooting.

To understand which log files are available for your specific Linux distribution and where they’re maintained, let’s quickly touch on the most popular distributions. This will provide you with an overview of how log files vary from one distro to the next.

Let’s determine popularity in two ways — the first way will be to showcase what people are running on virtual machines using Amazon Web Services (AWS). Since AWS controls 40% of the internet’s cloud market, this is a broad data metric that serves us well.

The second way will be to query Google Trends, which provides us with relative-search data. In other words, we’re comparing Linux distros against each other within Google search to see how they rank.

Table of Contents show

(#1/2) Linux Distributions Running on Amazon Web Services

21 Critical Linux Log Files (Server & Network Monitoring) — Source: The Cloud Market, which provides a catalog of images available for the Amazon Cloud, known as Amazon Web Services (AWS).

(#2/2) Linux Distributions by Google Search

Google trends linux distros — Source: Google Trends, which provides comparative search data.

As we can see from the above two graphs, Ubuntu is the top Linux distribution. If you’re a technologist, a security consultant, an intrusion specialist, etc. you should take notice of this as you’ll likely encounter an Ubuntu OS.

Keep in mind, though, that Ubuntu is derived from Debian Linux, so any of the following distros will likely maintain log files in the same locations absent customizations.

Debian-based Linux Distributions

BackTrack and Kali Linux (developed by Offensive Security for penetration testing; BackTrack was rebuilt using Debian Linux and was renamed Kali Linux)
Parsix
PureOS
Ubuntu

Linux Distros Present on the Above AWS Graph and Ordered by Popularity:

Ubuntu
Debian
Fedora
CentOS
RedHat
Suse
Gentoo
Arch Linux
OpenSolaris
Slackware

Where Are Log Files Stored in Linux?

The below log files are default locations for most Linux distributions. Keep in mind, though, that you can change locations and even filenames by adjusting your platform’s log manager.

Related Privacy Guides

For reference, most Linux distros use one of three log managers: syslog, syslog-ng, or rsyslog.

Ubuntu, by default, uses rsyslog and you can make changes via the config file /etc/rsyslog.conf.

Generic System Activity Events

/var/log/messages
/var/log/syslog (on Debian-based Linux systems)

Boot-related Events

/var/log/boot.log

Maintains startup messages and system boot info.

Kernel Ring Buffer Events

/var/log/dmesg

Maintains messages for device drivers.

Kernel-related Events

/var/log/kern.log

Maintains kernel logs and warning info.

Authentication-related Events

/var/log/auth.log
/var/log/secure (on RedHat and CentOS)

Maintains messages for successful logins, failed login attempts, and authentication process events.

Failed Login Events

/var/log/faillog

Maintains messages of failed login attempts. Check for brute-force attacks here.

Cron-related Events

/var/log/cron

Maintains messages for cron jobs.

Apache Events

/var/log/httpd/

MySQL Events

/var/log/mysqld.log
/var/log/mysql.log

Advanced Package Tool (APT)-related Events

/var/log/apt/history.log
/var/log/dpkg.log

Yellowdog Updater, Modified (YUM)-related Events

/var/log/yum.log

Mail-related Events

/var/log/maillog
/var/log/mail.log

Logged-In Users

/var/run/utmp

This file is a binary file and is accessed using the “who” command.

root@server:/# who
ubuntu pts/0 2020-05-01 20:12 (1.2.3.4)

All Past Logins and Logouts

/var/log/wtmp

This file is a binary file and is accessed using the “last” command.

root@server:/# last
ubuntu pts/0 1.2.3.4 Thu Sep 12 21:51 – 22:24 (00:32)
ubuntu pts/0 1.2.3.4 Fri Sep 6 20:51 – 23:07 (02:15)
wtmp begins Fri Sep 6 20:51:36 2019

Failed Login Attempts Only

/var/log/btmp

There are two methods to read this binary file — you can use the “last” command with the “-f” switch for file, and you can use the “lastb” command.

root@server:/# last -f /var/run/btmp

root@server:/# lastb

Users’ Last Login

/var/log/lastlog

This file is a binary file and is accessed using the “lastlog” command.

root@server:/# lastlog