Linux runs many services, daemons, subsystems and applications. System logging gathers data about the running system from the moment it boots, and from time to time you use that data to check the health of processes and monitor activity.
But one day the system administrator needs the data in the log files for urgent cases: intrusion checking, security audits, system stability issues. For example, if you lose control of a server, or a hard disk or other resource runs out of capacity, the problems pile up like a house of cards.
It does not take much time to check the log data remotely in a terminal from time to time, accessing the system with root privileges. Let’s see what log files exist, and where they live, on a common Linux environment:
/var/log/messages
Contains global system messages, including the messages that are logged during system startup. There are several things that are logged in /var/log/messages including mail, cron, daemon, kern, auth, etc.
/var/log/dmesg
Contains kernel ring buffer information. When the system boots up, it prints a number of messages on the screen that describe the hardware devices the kernel detects during the boot process. These messages live in the kernel ring buffer, and whenever a new message arrives the oldest message gets overwritten. You can also view the content of this file using the dmesg command.
/var/log/auth.log
Contains system authorization information, including user logins and the authentication mechanism that was used.
/var/log/boot.log
Contains information that is logged when the system boots.
/var/log/daemon.log
Contains information logged by the various background daemons that run on the system.
/var/log/dpkg.log
Contains information that is logged when a package is installed or removed using the dpkg command.
/var/log/kern.log
Contains information logged by the kernel. Helpful for you to troubleshoot a custom-built kernel.
/var/log/lastlog
Displays the recent login information for all the users. This is not an ASCII file; use the lastlog command to view its content.
/var/log/maillog /var/log/mail.log
Contains the log information from the mail server that is running on the system. For example, sendmail logs information about all sent items to this file.
/var/log/user.log
Contains information about all user-level logs.
/var/log/Xorg.x.log
Log messages from the X server.
/var/log/alternatives.log
Information from update-alternatives is logged into this file. On Ubuntu, update-alternatives maintains the symbolic links that determine default commands.
/var/log/btmp
This file contains information about failed login attempts. Use the last command to view the btmp file, e.g. “last -f /var/log/btmp | more”.
/var/log/cups
All printer- and printing-related log messages.
/var/log/anaconda.log
When you install Linux, all installation-related messages are stored in this log file.
/var/log/yum.log
Contains information that is logged when a package is installed using yum.
/var/log/cron
Whenever the cron daemon (or anacron) starts a cron job, it logs information about that job in this file.
/var/log/secure
Contains information related to authentication and authorization privileges. For example, sshd logs all of its messages here, including unsuccessful logins.
/var/log/wtmp or /var/log/utmp
Contains login records. Using wtmp you can find out who has logged into the system; the who command uses this file to display that information.
/var/log/faillog
Contains users’ failed login attempts. Use the faillog command to display the content of this file.
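The intrusion-checking use case from the introduction usually starts with the authentication logs (/var/log/auth.log on Debian-style systems, /var/log/secure on Red Hat-style systems), because unlike btmp, wtmp and lastlog they are plain text and can be summarised with standard tools. The script below is an added example, not part of the original article: it counts failed SSH password attempts per source address and flags addresses at or above a threshold. The log lines it reads are constructed for the example and written to a temporary file; point the functions at a real auth.log or secure file to use them on a live system. The thresholds, function names and the 198.51.100.0/24 and 192.0.2.0/24 addresses are assumptions.

```shell
#!/bin/sh
# Added example: summarise failed SSH logins from auth.log / secure style lines.
# The sample below is constructed for this example; it is not a real capture.

SAMPLE_AUTH_LOG="${TMPDIR:-/tmp}/auth.log.sample.$$"
trap 'rm -f "$SAMPLE_AUTH_LOG"' EXIT
cat > "$SAMPLE_AUTH_LOG" <<'EOF'
Mar  3 10:01:12 host sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 50122 ssh2
Mar  3 10:01:15 host sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 50123 ssh2
Mar  3 10:01:19 host sshd[2203]: Failed password for root from 198.51.100.7 port 50130 ssh2
Mar  3 10:02:03 host sshd[2210]: Accepted publickey for alice from 192.0.2.10 port 40111 ssh2
Mar  3 10:05:44 host sshd[2215]: Failed password for alice from 192.0.2.10 port 40120 ssh2
Mar  3 10:06:00 host sshd[2216]: Accepted password for alice from 192.0.2.10 port 40121 ssh2
Mar  3 10:07:30 host CRON[2220]: pam_unix(cron:session): session opened for user root by (uid=0)
EOF

# Print "count ip" for every source address with failed password attempts,
# most frequent first. $1 = log file (defaults to /var/log/auth.log).
# Only sshd "Failed password" lines are counted; the address is the word
# following "from", so a username containing "from" cannot confuse it.
failed_logins_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
             for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
         }
         END { for (ip in n) printf "%d %s\n", n[ip], ip }' "${1:-/var/log/auth.log}" \
    | sort -rn
}

# Print only the addresses whose failure count is at or above $2 (default 3).
# A low threshold over a short window is the usual first cut for brute forcing;
# tune it to the host's normal traffic.
suspicious_sources() {
    failed_logins_by_ip "$1" | awk -v t="${2:-3}" '$1 >= t { print $2 }'
}

# Count successful logins so failures can be compared against normal activity.
# "|| true" keeps a zero count from aborting a script run under "set -e".
accepted_logins() {
    grep -c 'sshd\[[0-9]*\]: Accepted ' "${1:-/var/log/auth.log}" || true
}

if [ "${1:-}" = "--demo" ]; then
    echo "Failed password attempts per source:"
    failed_logins_by_ip "$SAMPLE_AUTH_LOG"
    echo "Sources at or above threshold (3):"
    suspicious_sources "$SAMPLE_AUTH_LOG" 3
    echo "Accepted logins: $(accepted_logins "$SAMPLE_AUTH_LOG")"
fi
```

Run it with `--demo` to see the report on the constructed sample; on a live host call `suspicious_sources /var/log/auth.log 10` (or /var/log/secure) as root. Because the script only reads text logs, it complements rather than replaces `last -f /var/log/btmp`, `lastlog` and `faillog`, which read the binary records described above.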