Linux has many services, daemons, systems, subsystems and applications running. You use system logging to gather data about your running system from the moment it boots. From time to time you have to check the health of processes, monitor the activity.
But one day system administrator is using the data in the log files for urgent cases: intrusion checking, security audit, system stability issues. For example if you will lost control on a server and hard disk or other resource will be run out of capacity there would be a lot of problems like in house of cards.
It is not taking too much time to check the log data in terminal remotely from time to time, accessing system by root user’s privileges. Let’s see what type of logging files and places/paths on a common Linux environment are existing:
Contains global system messages, including the messages that are logged during system startup. There are several things that are logged in /var/log/messages including mail, cron, daemon, kern, auth, etc.
Contains kernel ring buffer information. When the system boots up, it prints number of messages on the screen that displays information about the hardware devices that the kernel detects during boot process. These messages are available in kernel ring buffer and whenever the new message comes the old message gets overwritten. You can also view the content of this file using the dmesg command.
Contains system authorization information, including user logins and authentication machinsm that were used.
Contains information that are logged when the system boots
Contains information logged by the various background daemons that runs on the system
Contains information that are logged when a package is installed or removed using dpkg command
Contains information logged by the kernel. Helpful for you to troubleshoot a custom-built kernel.
Displays the recent login information for all the users. This is not an ascii file. You should use lastlog command to view the content of this file.
Contains the log information from the mail server that is running on the system. For example, sendmail logs information about all the sent items to this file
Contains information about all user level logs
Log messages from the X
Information by the update-alternatives are logged into this log file. On Ubuntu, update-alternatives maintains symbolic links determining default commands.
This file contains information about failed login attemps. Use the last command to view the btmp file. Ex.: “last -f /var/log/btmp | more”
All printer and printing related log messages
When you install Linux, all installation related messages are stored in this log file
Contains information that are logged when a package is installed using yum
Whenever cron daemon (or anacron) starts a cron job, it logs the information about the cron job in this file
Contains information related to authentication and authorization privileges. ex.: sshd logs all the messages here, including unsuccessful login.
/var/log/wtmp or /var/log/utmp
Contains login records. Using wtmp you can find out who is logged into the system. who command uses this file to display the information.
Contains user failed login attemps. Use faillog command to display the content of this file.