Getting Familiar with Linux Logs

In almost all Linux distributions the Linux log files are stored in ‘/var/log’ directory. You can learn more about Linux directory structure in this article.

A common way to watch log files is to use tail with the -f flag. Most log files are protected, so you will need elevated privileges to view them.

Show the last few logins and display new ones as they are authenticated. Press Ctrl + C to quit.

sudo tail -f /var/log/auth.log

An even better way is to use less with the +F option.

sudo less +F /var/log/auth.log

This does the same thing as tail -f, but it also shows the entire file: press Ctrl + C to stop following and navigate around the log file. When you want to follow the log in real time again, just type a capital F.

Common Log Files

You will probably quickly notice that there are a lot of duplicate-looking files in /var/log with numbers at the end of them. Some of them might even end in .gz. These are called rotated logs. Usually the log rotator ‘logrotate’ is responsible for rotating old logs at the interval specified in ‘/etc/logrotate.conf’ (and the per-service files under ‘/etc/logrotate.d/’). For more information about logrotate, run ‘man logrotate’.
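To show where the numbered and .gz files come from, here is an added example of a logrotate stanza in the style of the files under /etc/logrotate.d/ (this is not from the original post; the path and the adm group follow the Debian/Ubuntu layout, so adjust them for your distribution):

```conf
# Added example, not from the original post. Logrotate only accepts comments
# on their own lines, so each directive is explained above it.
/var/log/auth.log {
    # rotate once a week
    weekly
    # keep four old copies: auth.log.1 through auth.log.4
    rotate 4
    # gzip old copies; this produces the .gz files seen in /var/log
    compress
    # leave the newest rotated copy (auth.log.1) uncompressed so it is still greppable
    delaycompress
    # do not treat a missing file as an error
    missingok
    # skip rotation when the log is empty
    notifempty
    # recreate the log readable only by root and the adm group, which is why
    # viewing it needs sudo
    create 0640 root adm
}
```

With this stanza, after a few weeks you would see auth.log, auth.log.1, auth.log.2.gz, auth.log.3.gz and auth.log.4.gz; use ‘zgrep’ or ‘zless’ to search the compressed copies without unpacking them.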

Making sense of Logs

The first question a new Linux user coming from a Windows background asks is: how do I make sense of all these logs? How can I search the log files for specific types of alerts?

Linux, with its very modular nature, leaves as much configuration as possible to the user. Linux stores all alerts as plain text. Since these logs are plain text, users have complete control over how the logs are processed and interpreted. There are a myriad of different search tools and scripts to scan the logs. Using one of the “Linux Powerhouse Programs”, we can refine our logs.

For example, let's say we want to analyze auth.log and show only group additions.

sudo grep groupadd /var/log/auth.log

This command prints every line that contains the keyword ‘groupadd’ (piping ‘cat’ into grep works too, but grep reads the file directly and sudo then only elevates the one process that needs it).

Of course, grep supports regular expressions as well. This command will display only alerts that occurred on May 3rd:

sudo grep -P '^May\s+3\b' /var/log/auth.log

The traditional syslog timestamp pads single-digit days with an extra space (“May  3”), hence the ‘\s+’; the ‘\b’ after the 3 stops the pattern from also matching May 30 and May 31. If your distribution writes ISO 8601 timestamps instead (e.g. 2024-05-03T08:12:01), match on that prefix.

To get the most use out of log files in Linux you will want to learn more about tools like grep, sed, awk, cat, tail, and sort. You will also need to brush up on your regular expression skills. I also recommend having a regular expression cheat sheet handy.
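The two grep commands above are single filters; the following added example (not from the original post) chains grep, awk, sort and uniq into a small auth.log triage script. The log lines, the host name “lab01” and the 192.0.2.x addresses are constructed sample data in the traditional syslog format, and the script uses ‘grep -E’ rather than ‘-P’ so it also runs on systems whose grep lacks PCRE support.

```shell
#!/bin/sh
# Added example, not from the original post. SAMPLE_AUTH_LOG is constructed
# test data: the host "lab01" and the 192.0.2.0/24 addresses are made up.
SAMPLE_AUTH_LOG='May  3 08:12:01 lab01 groupadd[2210]: new group: name=devs, GID=1003
May  3 08:12:05 lab01 sshd[2231]: Failed password for invalid user admin from 192.0.2.10 port 51022 ssh2
May  3 08:12:09 lab01 sshd[2231]: Failed password for invalid user admin from 192.0.2.10 port 51022 ssh2
May  3 09:40:17 lab01 sshd[2302]: Accepted publickey for alice from 192.0.2.25 port 40110 ssh2
May 30 17:03:44 lab01 sshd[4410]: Failed password for root from 192.0.2.77 port 60231 ssh2
May 31 02:15:00 lab01 groupadd[4502]: new group: name=ops, GID=1004'

# Keep only lines from one calendar day. Syslog pads single-digit days with a
# second space, so the day must be followed by a space: "May  3 " matches,
# "May 30 " and "May 31 " do not.   $1 = month abbreviation, $2 = day number
lines_on_day() {
    grep -E "^$1 +$2 "
}

# Count failed SSH password attempts per source address, most frequent first.
# awk walks the fields and prints whatever follows the word "from".
failed_logins_by_ip() {
    grep 'Failed password' \
        | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' \
        | sort | uniq -c | sort -rn
}

# Wrappers that run the pipelines over the constructed sample.
count_may3()      { printf '%s\n' "$SAMPLE_AUTH_LOG" | lines_on_day May 3 | wc -l | tr -d ' '; }
count_groupadd()  { printf '%s\n' "$SAMPLE_AUTH_LOG" | grep -c groupadd; }
top_failed_ip()   { printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_logins_by_ip | head -n 1 | awk '{ print $2 }'; }

# On a real host the same functions read the file directly, for example:
#   sudo cat /var/log/auth.log | lines_on_day May 3 | failed_logins_by_ip
```

Run it with ‘sh -x’ to watch each stage of the pipeline; the per-address counts from failed_logins_by_ip are the starting point for deciding whether a burst of failures is a typo by one user or a password-guessing attempt worth blocking.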

Of course if you don’t want to learn these tools right now there is always a GUI option.

Viewing Logs in a GUI

To view log files in Gnome go to: Applications > System Tools > Log File Viewer

[Screenshot: Gnome Log Viewer]

Although it is easy to use, this GUI is not incredibly useful. It will serve as a quick GUI log viewer but won't be nearly as useful as learning how to use the command line search tools to analyze your log files.

Logs Don’t Have to be Boring

Logs don’t have to be boring all the time. Logstalgia is a web stats junkie's dream come true. With Logstalgia you can watch your Apache access logs in a real-time visualizer.

[Screenshot: Logstalgia]

To watch a remote web log, stream it over ssh and have Logstalgia read from standard input (the trailing ‘-’):

ssh user@webhost.com tail -f /home/user/logs/http/access.log | logstalgia -

Logging for Small Businesses that like to Self-Host

If you run a small business and want to centralize your logging, I created a centralized logging system that is easy to self-host called Central Logging. Check out the cron monitor docs.