Linux log files in order

It’s impossible to imagine a user and server administrator, or even a Linux-based workstation who never read the log files. The operating system and running applications constantly create various types of messages that are recorded in various log files. The ability to determine the desired log file and what to look for in it will help save time and eliminate the error faster.

Logging is the main source of information on the operation of the system and its errors. In this quick start guide, we will look at the main aspects of operating system logging, the directory structure, programs for reading and reviewing logs.

Main log files

All log files can be attributed to one of the following categories:

• applications;
• developments;
• services;
• systemic

Most of the log files are contained in the /var/log directory.

• / var / log / syslog or / var / log / messages contains a global system log, which writes messages from the moment the system starts, from the Linux kernel, various services, detected devices, network interfaces, and much more.
• /var/log/auth.log or / var / log / secure - information on user authorization, including successful and unsuccessful login attempts, as well as the authentication mechanisms involved.
• / var / log / dmesg - device drivers. The command of the same name can view the output file of the file. Log size is limited, when the file reaches its limit, old messages will be overwritten with newer ones. By specifying the key - --level= you can filter the output by the criterion of significance.

    (): emerg -   alert -      crit -   err -   warn -   notice - ,    info -  debug -   (5:520)$ dmesg -l err [1131424.604352] usb 1-1.1: 2:1: cannot get freq at ep 0x1 [1131424.666013] usb 1-1.1: 1:1: cannot get freq at ep 0x81 [1131424.749378] usb 1-1.1: 1:1: cannot get freq at ep 0x81 

• /var/log/alternatives.log - Displays the update-alternatives program, which contains symbolic links to default commands or libraries.
• /var/log/anaconda.log - Entries registered during system installation.
• / var / log / audit - Entries created by the audit service auditd .
• /var/log/boot.log - Information that is written when the operating system is loaded.
• / var / log / cron - A crond service report about the commands being executed and messages from the commands themselves.
• / var / log / cups - Everything related to printing and printers.
• / var / log / faillog - Failed login attempts. It is very useful when checking threats in the security system, hacker attacks, hacking attempts by brute force. You can read the contents using the faillog .
• var / log / kern.log - The log contains messages from the kernel and warnings that can be useful in troubleshooting user modules built into the kernel.
• / var / log / maillog / or /var/log/mail.log - The mail server log used on the OS.
• /var/log/pm-powersave.log - Messages from the battery saver service.
• / var / log / samba / - Logs of the Samba file server, which is used to access Windows shared folders and provide Windows users access to Linux shared folders.
• / var / log / spooler - For representatives of the old school, contains messages USENET. Most often it is empty and abandoned.
• /var/log/Xorg.0.log - X server logs. Most often useless, but if they have lines beginning with EE, you should pay attention to them.

For each distribution there will be a separate package manager log.

• /var/log/yum.log - For programs installed using Yum on RedHat Linux.
• /var/log/emerge.log - For ebuild installed from Portage using emerge in Gentoo Linux.
• /var/log/dpkg.log - For programs installed using dpkg on Debian Linux and the entire family of related distributions.

And some binary logs of user sessions.

• / var / log / lastlog - The last session of users. You can read the command last .
• / var / log / tallylog - Audit failed login attempts. Displaying with the pam_tally2 utility.
• / var / log / btmp - A single log of failed login attempts. Just so, just in case, if you have not yet guessed where to look for traces of activity of burglars.
• / var / log / utmp - The list of users currently logged in to the system.
• / var / log / wtmp - Another user log entry log. Displaying with the utmpdump command.

 (5:535)$ sudo utmpdump /var/log/wtmp [5] [02187] [l0 ] [ ] [4.0.5-gentoo ] [0.0.0.0 ] [  11 16:50:07 2015] [1] [00000] [~~ ] [shutdown] [4.0.5-gentoo ] [0.0.0.0 ] [  11 16:50:08 2015] [2] [00000] [~~ ] [reboot ] [3.18.12-gentoo ] [0.0.0.0 ] [  11 16:50:57 2015] [8] [00368] [rc ] [ ] [3.18.12-gentoo ] [0.0.0.0 ] [  11 16:50:57 2015] [1] [20019] [~~ ] [runlevel] [3.18.12-gentoo ] [0.0.0.0 ] [  11 16:50:57 2015] 

And other magazines

Since the operating system, even such a wonderful one as Linux, does not in itself carry any tangible benefit in itself, most likely a database, a web server, and various applications will run on the server or workstation. Each application or service can have its own file or directory of event and error logs. Naturally it is impossible to list them all, only some.

• / var / log / mysql / - MySQL database log.
• / var / log / httpd / or / var / log / apache2 / - The Apache web server log, the access log is in access_log , and errors are in the error_log .
• / var / log / lighthttpd / - Lighttpd web server log.

Graphic application logs, DE, can be located in the user's home directory.

• ~ / .xsession-errors - Output stderr X11 graphics applications.

 Initializing "kcm_input" : "kcminit_mouse" Initializing "kcm_access" : "kcminit_access" Initializing "kcm_kgamma" : "kcminit_kgamma" QXcbConnection: XCB error: 3 (BadWindow), sequence: 181, resource id: 10486050, major code: 20 (GetProperty), minor code: 0 kf5.kcoreaddons.kaboutdata: Could not initialize the equivalent properties of Q*Application: no instance (yet) existing. QXcbConnection: XCB error: 3 (BadWindow), sequence: 181, resource id: 10486050, major code: 20 (GetProperty), minor code: 0 Qt: Session management error: networkIdsList argument is NULL 

• ~ / .xfce4-session.verbose-log - XFCE4 desktop messages.

What to view - lnav

Almost everyone knows about the less utility and the tail -f command. Also for these purposes, the vim editor and the Midnight Commander file manager will fit. Everyone has their drawbacks: less doesn’t handle long-line journals, taking them as binary. Midnight Commander is suitable only for a quick look, when there is no need to search for a complex pattern and move back and forth between matches. The vim editor understands and highlights the syntax of many formats, but if the log is updated frequently, then there are distracting messages about changes in the file. However, this can be easily circumvented with <:view /path/to/file> .

Recently, I discovered another valid and promising, but slightly still damp, utility - lnav , in decryption of the Log File Navigator.

Install the package as usual with one command.

 $ aptitude install lnav #Debian/Ubuntu/LinuxMint $ yum install lnav #RedHat/CentOS $ dnf install lnav #Fedora $ emerge -av lnav #Gentoo,     package.accept_keywords $ yaourt -S lnav #Arch 

The log navigator lnav understands a number of file formats.

• Access_log web server.
• CUPS page_log
• Syslog
• glog
• dpkg.log
• strace
• Random records with time stamps
• gzip, bzip
• VMWare ESXi / vCenter Log

What does understanding file formats mean in this case? The trick is that lnav is more than a utility for viewing text files. The program can do something else. You can open multiple files at once and switch between them.

 (5:471)$ sudo lnav /var/log/pm-powersave.log /var/log/pm-suspend.log 

The program can directly open the archive file.

 (5:471)$ lnav -r /var/log/Xorg.0.log.old.gz 

Displays a histogram of informative messages, warnings, and errors when you press the <i> key. This is from my syslog.

 Mon May 02 20:25:00 123 normal 3 errors 0 warnings 0 marks Mon May 02 22:40:00 2 normal 0 errors 0 warnings 0 marks Mon May 02 23:25:00 10 normal 0 errors 0 warnings 0 marks Tue May 03 07:25:00 96 normal 3 errors 0 warnings 0 marks Tue May 03 23:50:00 10 normal 0 errors 0 warnings 0 marks Wed May 04 07:40:00 96 normal 3 errors 0 warnings 0 marks Wed May 04 08:30:00 2 normal 0 errors 0 warnings 0 marks Wed May 04 10:40:00 10 normal 0 errors 0 warnings 0 marks Wed May 04 11:50:00 126 normal 2 errors 1 warnings 0 marks 

In addition, syntax highlighting, tab addition and various utilities in the status line are supported. The disadvantages include unstable behavior and freezes. I hope lnav will be actively developed, a very useful program in my opinion.

Used materials

1. lnav - An Advanced Log File viewer for Linux
2. What are linux logs? How to View Them, Most Important Directories, and More
3. How to view logs in Linux