Logs are extremely useful when troubleshooting system, application or network problems. Information captured in log files may also be analyzed to uncover patterns that can help you make informed decisions as a system admin.
Most Linux log files are plain ASCII text files stored under the /var/log directory and its subdirectories. They are generated by the system logging daemon, syslogd or rsyslogd.
You need to be the root user to view or access log files on Linux or Unix-like operating systems.
Here at LinuxAPT, as part of our Server Management Services, we regularly help our Customers to troubleshoot Server problems via the log files in the system.
In this context, we shall look into how you can view standard log files on Ubuntu Linux servers.
On Ubuntu Linux servers, logs are normally stored in plain text format. Hence, it is important that you know the following basic Linux commands for moving around the filesystem and working with text files via the Ubuntu terminal.
1. cd – change directory
2. ls – display the contents of a directory
3. cp – copy files or folders
4. mv – rename/move files or folders
5. nano – console-based text editor
6. less – view the content of a text file one page at a time
7. head – display the first 10 lines (the very beginning) of a text file
8. tail – display the last 10 lines of a text file
9. grep – search for specific keywords in a text file or in command output
10. zcat – display the entire content of a compressed file such as logfile.gz
11. zmore – view a compressed file one page at a time without decompressing it
12. zgrep – search inside a compressed file
Basically, log files are stored under the /var/log directory on Ubuntu servers.
Run the command below to change the directory to /var/log:
$ cd /var/log
Now, you may list the content of /var/log as follows:
The /var/log directory contains several log files that can be broadly categorized into system logs and application logs.
Logs can tell a lot about the operations of a system. A good understanding of each type of file will help you distinguish the respective logs.
Most log files can be grouped into one of four categories:
1. System Logs
2. Event Logs
3. Application Logs
4. Service Logs
Many of these logs can be located in the /var/log directory and its subdirectories.
System log files are needed for Linux to work. On their own, they contain the largest amount of information about system functionality. Basically, system logs contain information about the operation of the Ubuntu system, including authorization logs, kernel logs, the kernel ring buffer, and general system events.
The most common log files are:
1. /var/log/boot.log: System Boot log (the boot log stores all information related to booting operations)
2. /var/log/auth.log: Auth logs (the authentication log stores all authentication logs, including successful and failed attempts)
3. /var/log/httpd/: Apache access and error logs
4. /var/log/mysqld.log: MySQL database server log file
5. /var/log/debug: Debug logs (the debug log stores detailed messages related to debugging and is useful for troubleshooting specific system operations)
6. /var/log/daemon.log: Daemon logs (the daemon log contains information about events related to the background services, or daemons, running on the system)
7. /var/log/maillog: Mail server logs (the mail log stores information related to mail servers and archiving emails)
8. /var/log/kern.log: Kernel logs (the kernel log stores information from the Ubuntu Linux kernel)
9. /var/log/yum.log: Yum command logs
A daemon is a program that runs in the background and is essential for system operations. Daemon logs form their own category and are seen as the heart of the logging operations for any system.
The configuration file for the system logging daemon is /etc/syslog.conf.
Each line of this file consists of a selector field and an action field.
The syslogd daemon can forward log messages as well. This can be useful for debugging purposes.
Several applications store log information under /var/log. For example, in figure 1 above, the clamav directory contains log files pertaining to the ClamAV anti-malware application.
Here are some examples of popular applications or services and where their log information is stored:
Apache web server logs - /var/log/apache2
NGINX web server logs - /var/log/nginx
Printing system (CUPS) logs - /var/log/cups
Authorization logs are stored in /var/log/auth.log. This is where you will find information about user authorization attempts, including the use of the sudo command.
You may run the command below to inspect the content of the auth.log file:
$ sudo less /var/log/auth.log
Note: Hit the spacebar on your keyboard to scroll from page to page. Press q to exit.
You could also use the grep command to filter the information in the logs.
Here is an example:
$ sudo grep linuxapt /var/log/auth.log
The information in the sample output below indicates that there was a successful remote login to my Ubuntu server via ssh by user linuxapt:
Feb 1 15:44:24 Ubuntu sshd: Accepted publickey for linuxapt from 18.104.22.168 port 35233 ssh2: RSA SHA256:B3zi4x3gdF89wm0GZw+fsAkhckLEsx8fJ0GJiU80CXH
Feb 1 15:44:24 Ubuntu sshd: pam_unix(sshd:session): session opened for user linuxapt by (uid=0)
Feb 1 15:44:24 Ubuntu systemd-logind: New session 2 of user linuxapt.
Feb 1 15:44:24 Ubuntu systemd: pam_unix(systemd-user:session): session opened for user linuxapt by (uid=0)
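As an added example (not from the original article), the POSIX shell script below turns auth.log sshd lines like the ones above into per-user, per-source counts and flags source addresses with repeated failures; the sample lines, hostnames, IP addresses and key fingerprint are constructed.

```shell
#!/bin/sh
# Added example, not part of the original article: summarise sshd login
# outcomes from auth.log-style lines and flag noisy source addresses.

# Constructed sample lines in the style of the article's auth.log output.
SAMPLE_AUTH_LOG='Feb  1 15:44:24 Ubuntu sshd[2301]: Accepted publickey for linuxapt from 198.51.100.7 port 35233 ssh2: RSA SHA256:EXAMPLEKEYFINGERPRINT
Feb  1 15:44:24 Ubuntu sshd[2301]: pam_unix(sshd:session): session opened for user linuxapt by (uid=0)
Feb  1 15:46:02 Ubuntu sshd[2318]: Failed password for invalid user admin from 203.0.113.9 port 41022 ssh2
Feb  1 15:46:05 Ubuntu sshd[2318]: Failed password for invalid user admin from 203.0.113.9 port 41022 ssh2
Feb  1 15:46:09 Ubuntu sshd[2320]: Failed password for root from 203.0.113.9 port 41030 ssh2
Feb  1 15:47:11 Ubuntu sshd[2325]: Failed password for linuxapt from 198.51.100.7 port 35240 ssh2'

# Print one line per (outcome, user, source IP) with a count, for example
# "FAILED admin 203.0.113.9 2". Reads the file given as $1, else stdin.
summarize_sshd_auth() {
    cat "${1:--}" |
    grep -E 'sshd(\[[0-9]+\])?: (Accepted|Failed) ' |
    awk '{
        outcome = ($0 ~ / Accepted /) ? "ACCEPTED" : "FAILED"
        user = "?"; ip = "?"
        for (i = 1; i <= NF; i++) {
            # sshd writes "for invalid user NAME" or "for NAME"
            if ($i == "for") user = ($(i+1) == "invalid") ? $(i+3) : $(i+1)
            if ($i == "from") ip = $(i+1)
        }
        count[outcome " " user " " ip]++
    }
    END { for (k in count) print k, count[k] }' | sort
}

# List source addresses with at least $2 (default 3) failed attempts in
# total: a simple threshold check a defender would run over auth.log.
noisy_sources() {
    summarize_sshd_auth "$1" |
    awk -v min="${2:-3}" '$1 == "FAILED" { fails[$3] += $4 }
        END { for (ip in fails) if (fails[ip] >= min) print ip, fails[ip] }' |
    sort
}

# Demo run on the constructed sample; pass a real path instead for live use.
printf '%s\n' "$SAMPLE_AUTH_LOG" | summarize_sshd_auth
printf '%s\n' "$SAMPLE_AUTH_LOG" | noisy_sources
```

On a live system run it as `sudo sh script.sh` or call `summarize_sshd_auth /var/log/auth.log` after sourcing the file, since auth.log is not readable by ordinary users.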
Kernel logs are held in /var/log/kern.log. This information is useful for troubleshooting kernel errors.
The kernel controls everything in the operating system; including process management, memory management and device management.
Use the following command to display the content of the kern.log file one page at a time:
$ sudo less /var/log/kern.log
Or try this to display the first 10 lines of the kern.log file:
$ sudo head /var/log/kern.log
Find specific information in kern.log:
$ sudo grep memory /var/log/kern.log
The kernel ring buffer holds kernel hardware information. The information is logged in /var/log/dmesg and can be displayed by using the dmesg command.
This information includes all detected devices at system boot time.
You can use this to troubleshoot issues with server hardware components.
Run the command below to view the entire content of the kernel ring buffer:
Try the next command to display the last 10 lines of the kernel ring buffer:
$ dmesg | tail
Or filter for specific keywords using grep:
$ dmesg | grep cpu
Here, we are going to talk about syslog and journalctl.
Syslog is a logging mechanism that stores general system events in /var/log/syslog. The information stored here may include events that you may not find in other log files.
Run the command below to display the content of the syslog file page by page:
$ sudo less /var/log/syslog
You could also search for specific keywords using the grep command as follows:
$ sudo grep failed /var/log/syslog
The journalctl command simplifies the process of examining server logs. Rather than looking through individual log files, you can use journalctl to quickly find and filter the information you need.
The command below displays all log entries from oldest to newest:
The next command shows warning messages:
$ journalctl -p warning
You can display only kernel messages as follows:
$ journalctl --dmesg
You can search for specific keywords by piping the output to grep, and view the results page by page using less:
$ journalctl | grep ssh | less
View log information since a specific date:
$ journalctl --since=2021-02-01
Or view log information since a specific time:
$ journalctl --since=12:00
You could also type journalctl and then press the tab key on your keyboard to see available options.
System Log Viewer is a GUI that can be used to monitor system logs.
The interface provides several functions for managing logs, including a log statistics display. It is a user-friendly log monitoring GUI.
Useful features include:
i. A live view of logs
ii. Number of lines in the log
iii. Log size
iv. Most recent log dates
v. Modifications made to logs
vi. Keyboard Shortcuts
Alternatively, use Xlogmaster, which can monitor a considerable number of log files.
It features three different modes:
1. Run mode: Starts a specified program and obtains stdout
2. Cat mode: Reads (cats) whole files at specified intervals
3. Tail mode: Checks log files for new lines at regular intervals
Xlogmaster is useful for increasing security.
It processes all incoming data, highlighting or hiding lines according to filters, and displays the result so that the user can take the requested action.
Some log files, such as lastlog and wtmp, are not directly readable by humans.
The following is a brief explanation of what type of information these files contain and how you can view it.
The information held in /var/log/lastlog pertains to users and their most recent login to the Ubuntu server. You would need to use the lastlog command to access it as follows:
The /var/log/wtmp file holds comprehensive login records.
Run the last command to display a list of the last logged-in users. You will also see information about system boots and reboots:
Run the who command to see who is currently logged in:
The w command shows you who is currently logged in and what they are doing on the Ubuntu server:
This article covers how to view standard log files for troubleshooting any Linux system. Linux system administrators often need to look at log files for troubleshooting purposes.
Linux and the applications that run on it can generate all different types of messages, which are recorded in various log files. Linux uses a set of configuration files, directories, programs, commands and daemons to create, store and recycle these log messages.
Knowing where the system keeps its log files and how to make use of related commands can therefore help save valuable time during troubleshooting.
To view log files on Linux:
Open the Terminal or log in as the root user using the ssh command.
Go to /var/log directory using the following cd command:
# cd /var/log
To list files use the following ls command:
To Configure Log Files on Ubuntu and CentOS:
This section explains different mechanisms for configuring log files. Let's start with a CentOS example.
To view the users currently logged onto a Linux server, enter the who command as the root user:
This also lists the login history of users.
To view the login history of the system administrator, enter the following command:
$ last reboot
To view information of the last login, enter:
To Execute Log Rotation on Linux:
Log files that have a number appended at the end are rotated files. That means the log file names have been changed automatically by the system.
The purpose of log rotation is to compress outdated logs that are taking up space. Log rotation is done with the logrotate command, which rotates, compresses, and mails system logs.
logrotate is designed for systems that generate large numbers of log files. It is run by the cron scheduler and reads the logrotate configuration file /etc/logrotate.conf, as well as the files in the logrotate configuration directory.