Understanding Linux Log Files


Log files are records that Linux keeps so that system administrators can monitor significant events on the system. They contain messages from the kernel, from system services, and from the applications running on the host.

The log files are kept in the /var/log directory. On systemd-based distributions the same messages also go to the journal, which you query with journalctl; on some of them (Fedora, for example) rsyslog is not installed by default and the journal is the only record, so some of the text files described below may not exist there.

The log files created in a Linux environment can broadly be grouped into four classes:

1) Application logs
2) Event logs
3) Service logs
4) System logs

Role of  Linux log files

Logging is a fundamental part of any sysadmin's duties.

By reading Linux log files you gain a detailed picture of kernel behaviour, security events, error messages and warnings. If you want to deal with errors proactively rather than reactively, regular log review is a hard requirement for a sysadmin.

In short, log files let you see problems coming before they actually bite.

Important Linux log files to keep an eye on

Monitoring and analyzing all of them can be a challenging task.

1) /var/log/messages

This log file contains general system activity messages.
It is mainly used to store informational and non-critical system messages.
On Debian/Ubuntu-based systems, /var/log/syslog serves the same purpose.

It records non-kernel boot errors, application and service errors, and the messages logged during system startup.
This is the first log file a Linux administrator should check when anything goes wrong.
For example, if a network card is misbehaving, look here to see whether anything went wrong while the interface was brought up during startup.

2)/var/log/auth.log

All authentication-related events on Debian and Ubuntu servers are logged here: rsyslog writes the auth and authpriv syslog facilities to this file.
If you're looking for anything involving the user authentication mechanism (PAM, sshd, sudo, su, login), you will find it in this log file.

Suspect a security breach on your server? Found a suspicious file where it shouldn't be? Then read this log file first:

Investigate failed login attempts.
Investigate brute-force attacks and other abuse of the authentication mechanism.
Keep in mind that an intruder who obtains root can edit or truncate this file, so if you rely on it for incident response, forward authentication logs to a remote log host as well.

3)/var/log/secure


RedHat and CentOS-based systems use this log file instead of /var/log/auth.log; rsyslog writes the authpriv facility here.

It stores all security-related messages from the authentication stack, including authentication failures.
It tracks sudo usage, SSH logins, su, and the messages logged by the PAM modules.

Because every user authentication event is logged here, this file gives detailed insight into unauthorized or failed login attempts and is very useful for detecting intrusion attempts.
It also records successful logins, so it shows what valid users (and attackers using stolen credentials) did and when.
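As an added example (not code from the original post), here is a small Python script that reads the sshd and sudo lines described in the two sections above from either /var/log/auth.log or /var/log/secure, since both files carry the same syslog-format messages. It counts failed passwords per source address, flags addresses at or above a brute-force threshold, lists the non-existent usernames each one tried, and highlights the case an analyst cares about most: a successful login from an address that was brute-forcing. The log lines, hostname, user names and addresses are constructed for the example, and the threshold of 3 is an arbitrary value you would tune.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the traditional syslog format that rsyslog writes
# to /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (RHEL/CentOS).
# Hostname, user names and addresses are made up for this example.
SAMPLE_AUTH_LOG = """\
Mar  3 09:12:01 web01 sshd[2140]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 09:12:03 web01 sshd[2140]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 09:12:05 web01 sshd[2142]: Failed password for invalid user oracle from 203.0.113.7 port 51030 ssh2
Mar  3 09:12:07 web01 sshd[2144]: Failed password for root from 203.0.113.7 port 51044 ssh2
Mar  3 09:12:09 web01 sshd[2146]: Failed password for root from 203.0.113.7 port 51050 ssh2
Mar  3 09:14:40 web01 sshd[2150]: Failed password for alice from 198.51.100.20 port 40112 ssh2
Mar  3 09:14:46 web01 sshd[2150]: Accepted publickey for alice from 198.51.100.20 port 40112 ssh2: ED25519 SHA256:abc
Mar  3 09:15:02 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  3 09:16:30 web01 sshd[2160]: Accepted password for root from 203.0.113.7 port 51100 ssh2
"""

# sshd reports "invalid user" when the account does not exist at all, which is
# the signature of username enumeration rather than a typo by a real user.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : TTY=\S+ ; PWD=\S+ ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)


def analyze_auth_log(text, threshold=3):
    """Summarize authentication events from auth.log / secure content.

    Returns a dict with:
      failed_by_ip  - Counter of failed SSH passwords per source address
      invalid_users - sorted non-existent usernames tried, per source address
      brute_force   - set of source addresses with >= threshold failures
      accepted      - list of (user, method, ip) for successful SSH logins
      suspicious    - successful logins from an address that also brute-forced
      sudo          - list of (user, target_user, command)
    """
    failed_by_ip = Counter()
    invalid_users = defaultdict(set)
    accepted = []
    sudo = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failed_by_ip[m["ip"]] += 1
            if m["invalid"]:
                invalid_users[m["ip"]].add(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append((m["user"], m["method"], m["ip"]))
            continue
        m = SUDO_RE.search(line)
        if m:
            sudo.append((m["user"], m["target"], m["cmd"]))
    brute_force = {ip for ip, n in failed_by_ip.items() if n >= threshold}
    # A brute-forcing address that eventually got in is the event to escalate;
    # a password login for root from such an address is the worst case.
    suspicious = [(u, meth, ip) for u, meth, ip in accepted if ip in brute_force]
    return {
        "failed_by_ip": failed_by_ip,
        "invalid_users": {ip: sorted(users) for ip, users in invalid_users.items()},
        "brute_force": brute_force,
        "accepted": accepted,
        "suspicious": suspicious,
        "sudo": sudo,
    }


if __name__ == "__main__":
    report = analyze_auth_log(SAMPLE_AUTH_LOG)
    for ip in sorted(report["brute_force"]):
        print(f"brute force from {ip}: {report['failed_by_ip'][ip]} failures, "
              f"invalid users tried: {report['invalid_users'].get(ip, [])}")
    for user, method, ip in report["suspicious"]:
        print(f"ALERT: {user} logged in via {method} from brute-forcing host {ip}")
    for user, target, cmd in report["sudo"]:
        print(f"sudo: {user} ran as {target}: {cmd}")
```

To run it against a real file, pass the file contents instead of the sample, for example analyze_auth_log(open("/var/log/secure").read()); both files are readable only by root (or the adm group on Debian). The regular expressions match the message formats sshd and sudo have used for many years, but they will need adjusting if your distribution logs in RFC 5424 format or if you add fields through rsyslog templates.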

4)/var/log/boot.log


On SysV init systems, the initialization script /etc/init.d/bootmisc.sh sent all bootup messages to this log file; on systemd-based systems it holds the console output captured during boot (where the distribution still writes it at all), and journalctl -b is the authoritative record of the current boot.
This is the repository of boot-related information and messages logged during the system startup process.

Analyze this log file to investigate issues related to improper shutdown, unplanned reboots, or boot failures.
It can also help establish when the system came back up after an unexpected shutdown.

5)/var/log/dmesg


This log file contains the kernel ring buffer messages captured when the system booted.
Information about hardware devices and their drivers is logged here.
As the kernel detects the physical hardware attached to the server during boot, it records device status, hardware errors and other generic messages.
If a piece of hardware is functioning improperly or is not being detected, this is the log file to check.
Note that the file is a snapshot taken at boot; the live ring buffer is read with the dmesg command (or journalctl -k), and on many systems the kernel.dmesg_restrict sysctl denies that to unprivileged users because the buffer can leak kernel addresses and other details useful to an attacker.

6)/var/log/kern.log

This is a very important log file as it contains the messages logged by the kernel (Debian/Ubuntu write them here; RedHat-based systems put them in /var/log/messages).
Perfect for troubleshooting kernel-related errors and warnings.
Kernel logs are helpful when troubleshooting a custom-built kernel.
They help in debugging hardware and connectivity issues, and kernel-level security events such as AppArmor denials, process segfaults and out-of-memory kills appear here too.

7)/var/log/faillog

This file holds a per-user record of failed login attempts.
It is a binary database rather than a text file, so read it with the faillog command instead of cat or grep.
It can be useful for finding attempted breaches involving password guessing and brute-force attacks, but note that on many current distributions it is no longer populated (pam_tally2 kept its counters in /var/log/tallylog and pam_faillock keeps them under /var/run/faillock), so an empty faillog does not mean there were no failures; check auth.log or secure instead.

8)/var/log/cron

This log file records information about cron jobs on RedHat-based systems; Debian/Ubuntu send cron messages to /var/log/syslog unless rsyslog is configured to split them out.
Whenever a cron job runs, the log records which user's job started and the command that was run; the job's own output is not logged here but mailed to the job's owner.
If you're having problems with a scheduled cron job, check this log file first. It is also worth reviewing for jobs you did not create, since cron is a common persistence mechanism for attackers.

9)/var/log/yum.log

It contains the information that is logged when a package is installed, updated or removed with the yum command. Newer RedHat-based releases use dnf, which writes to /var/log/dnf.log and /var/log/dnf.rpm.log; Debian/Ubuntu record package changes in /var/log/dpkg.log and /var/log/apt/history.log.

Track the installation of system components and software packages.
Check the messages logged here to see whether a package was correctly installed or not.
Helps you troubleshoot issues related to software installations.
Suppose your server is behaving unusually and you suspect a recently installed software package to be the root cause. In such cases, check this log file to find the packages that were installed recently and identify the malfunctioning program. Since the log is a plain file that root can edit, cross-check it against the package database (rpm -qa --last) when you suspect tampering.
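As an added example (not from the original post), the following Python script answers the question posed above, "what was installed recently and is still on the box?", from yum.log content. It assumes the classic yum.log line format "Mon DD HH:MM:SS Action: [epoch:]name-version-release.arch"; the log lines and package names are constructed for the example. Two details matter in practice and are handled here: the timestamp carries no year, so the caller must supply one, and a package that was installed and later erased should not be reported as present.

```python
import re
from datetime import datetime

# Constructed yum.log content. The format assumed here is the one classic yum
# writes: "Mon DD HH:MM:SS Action: [epoch:]name-version-release.arch".
# The timestamp carries no year, so the caller has to supply one.
SAMPLE_YUM_LOG = """\
Feb 27 10:02:11 Installed: httpd-2.4.6-97.el7.centos.x86_64
Feb 27 10:02:12 Installed: 1:mod_ssl-2.4.6-97.el7.centos.x86_64
Mar 01 08:15:40 Updated: openssl-1.0.2k-26.el7_9.x86_64
Mar 02 23:41:03 Installed: 2:nmap-ncat-6.40-19.el7.x86_64
Mar 02 23:41:09 Installed: socat-1.7.3.2-2.el7.x86_64
Mar 03 06:00:00 Erased: socat-1.7.3.2-2.el7.x86_64
"""

# The day may be zero- or space-padded depending on the version; accept both.
# An optional "epoch:" prefix is dropped so only name-version-release.arch remains.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ 0-9]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<action>Installed|Updated|Erased|Obsoleted): (?:\d+:)?(?P<pkg>\S+)$"
)


def parse_yum_log(text, year):
    """Return a list of (timestamp, action, name-version-release.arch) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not package transactions
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["action"], m["pkg"]))
    return events


def package_name(nvra):
    """httpd-2.4.6-97.el7.centos.x86_64 -> httpd (strip .arch, then -version-release)."""
    return nvra.rsplit(".", 1)[0].rsplit("-", 2)[0]


def changes_since(events, since):
    """Events at or after the given datetime."""
    return [e for e in events if e[0] >= since]


def still_installed(events):
    """Package names whose most recent recorded action is not an Erased."""
    last = {}
    for ts, action, pkg in sorted(events):
        last[package_name(pkg)] = action
    return sorted(name for name, action in last.items() if action != "Erased")


if __name__ == "__main__":
    events = parse_yum_log(SAMPLE_YUM_LOG, year=2021)
    recent = changes_since(events, datetime(2021, 3, 2))
    for ts, action, pkg in recent:
        print(ts, action, pkg)
    print("recently added and still present:", still_installed(recent))
```

Running the sample reports nmap-ncat as the only recent addition still present, because the socat install is cancelled out by the later Erased entry. Treat the result as a lead, not proof: the file is writable by root, so confirm with rpm -qa --last before drawing conclusions.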

10)/var/log/maillog or /var/log/mail.log

All mail server related logs are stored here.
Find information about Postfix, smtpd, MailScanner, SpamAssassin or any other email-related services running on the mail server.
Track all the emails that were sent or received during a particular period.
Investigate failed mail delivery issues.
Get information about possible spamming attempts blocked by the mail server.
Trace the path of an incoming email through the server by following its queue ID in this log file.

11)/var/log/httpd/

This directory contains the logs recorded by the Apache server (Debian/Ubuntu use /var/log/apache2/ instead).
Apache logging information is stored in two different files, error_log and access_log.

The error_log contains messages related to httpd errors such as memory issues and other system-related errors.
This is where Apache writes the events and errors encountered while processing requests.
If something goes wrong with the Apache webserver, check this log for diagnostic information.
Besides the error log, Apache also maintains a separate access_log.
All requests received over HTTP are recorded in the access_log file.
It lets you keep track of every page served and every file loaded by Apache.
It logs the client IP address and, where HTTP authentication is used, the authenticated user name for every request.
It stores the status of each request: the HTTP status code that tells you whether a response was served successfully or the request failed, along with the response size, referrer and User-Agent in the common "combined" log format.
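As an added example (not from the original post), here is a Python parser for access_log lines in Apache's "combined" LogFormat (%h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"), with two checks a practitioner runs first on a web server log: which clients are producing a pile of 404s, the footprint of a scanner probing for admin panels and leaked files, and which requests ended in 5xx server errors. The log lines, addresses and paths are constructed for the example, and the 404 threshold is an arbitrary value to tune. Malformed request lines, which Apache records as "-" with a 400 or 408 status, are kept rather than dropped so they still count against the client.

```python
import re
from collections import defaultdict

# Constructed access_log lines in Apache's "combined" LogFormat:
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
SAMPLE_ACCESS_LOG = """\
198.51.100.20 - - [03/Mar/2021:09:20:01 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.20 - - [03/Mar/2021:09:20:02 +0000] "GET /static/app.js HTTP/1.1" 200 88123 "http://www.example.com/index.html" "Mozilla/5.0"
203.0.113.7 - - [03/Mar/2021:09:21:10 +0000] "GET /wp-login.php HTTP/1.1" 404 209 "-" "python-requests/2.25.1"
203.0.113.7 - - [03/Mar/2021:09:21:10 +0000] "GET /.env HTTP/1.1" 404 209 "-" "python-requests/2.25.1"
203.0.113.7 - - [03/Mar/2021:09:21:11 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "python-requests/2.25.1"
203.0.113.7 - - [03/Mar/2021:09:21:11 +0000] "GET /.git/config HTTP/1.1" 404 209 "-" "python-requests/2.25.1"
203.0.113.7 - - [03/Mar/2021:09:21:12 +0000] "GET /admin/ HTTP/1.1" 404 209 "-" "python-requests/2.25.1"
203.0.113.7 - - [03/Mar/2021:09:21:13 +0000] "-" 408 - "-" "-"
198.51.100.20 - alice [03/Mar/2021:09:22:00 +0000] "POST /upload HTTP/1.1" 500 0 "-" "Mozilla/5.0"
"""

# Apache escapes embedded quotes in the request, referrer and agent as \",
# so the quoted fields accept either a non-quote or a backslash-escaped char.
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)


def parse_access_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = COMBINED_RE.match(line)
        if not m:
            continue
        parts = m["request"].split(" ")
        # %r is "-" (or garbage) for malformed requests: keep the record, no path.
        method, path = (parts[0], parts[1]) if len(parts) == 3 else (None, None)
        records.append({
            "ip": m["host"],
            "user": None if m["user"] == "-" else m["user"],
            "method": method,
            "path": path,
            "status": int(m["status"]),
            "bytes": 0 if m["size"] == "-" else int(m["size"]),
            "agent": m["agent"],
        })
    return records


def scanner_report(records, min_not_found=4):
    """Clients with at least `min_not_found` 404 responses, with what they probed."""
    per_ip = defaultdict(lambda: {"requests": 0, "not_found": 0, "paths": [], "agents": set()})
    for r in records:
        entry = per_ip[r["ip"]]
        entry["requests"] += 1
        entry["agents"].add(r["agent"])
        if r["status"] == 404:
            entry["not_found"] += 1
            entry["paths"].append(r["path"])
    return {ip: e for ip, e in per_ip.items() if e["not_found"] >= min_not_found}


def server_errors(records):
    """(ip, method, path, status) for every 5xx response: the error_log has the why."""
    return [(r["ip"], r["method"], r["path"], r["status"])
            for r in records if 500 <= r["status"] < 600]


if __name__ == "__main__":
    recs = parse_access_log(SAMPLE_ACCESS_LOG)
    for ip, e in scanner_report(recs).items():
        print(f"{ip}: {e['not_found']}/{e['requests']} requests were 404s; probed {e['paths']}")
    for ip, method, path, status in server_errors(recs):
        print(f"server error {status} for {method} {path} from {ip}")
```

Pair the two views: when scanner_report flags an address, the paths it asked for tell you what it was hunting (here WordPress, a leaked .env, phpMyAdmin, an exposed .git directory), and any 200 from the same address to one of those paths is the line to chase next. A 5xx in access_log only says something broke; the matching entry in error_log, correlated by timestamp, says what.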

12)/var/log/mysqld.log or /var/log/mysql.log


As the name suggests, this is the MySQL error log, if MySQL is installed.
All debug, failure and success messages from the [mysqld] and [mysqld_safe] daemons are logged to this file.
RedHat, CentOS and Fedora store it at /var/log/mysqld.log, while Debian and Ubuntu keep it at /var/log/mysql.log (MariaDB and some Debian releases use /var/log/mysql/error.log instead).

Use this log to identify problems while starting, running, or stopping mysqld.
Get information about aborted or failed client connections.
Slow queries and lock waits are only recorded if the slow query log is enabled (slow_query_log=1), and successful connections and statements only if the general log is enabled; neither is on by default, so turn them on deliberately when you need to audit database access.

