Linux log files we must be monitoring


What are Linux logs files

Basically, log files are a set of records that Linux maintains so that administrators can keep track of important events. These logs contain messages about the server, the kernel, services, and applications running on the system.

Linux provides a centralized repository of log files, located under the /var/log directory, to track all of the important events.

In a Linux environment, we have four types of log files that are generated:

  • Application Logs
  • Event Logs
  • Service Logs
  • System Logs

Why we need to monitor Linux log files

Logs play an important role in the system, and log management is an integral part of any server administrator's responsibility.

By monitoring Linux log files we can gain detailed insight into server performance, security, error messages, and underlying issues.

In short, log files allow you to anticipate upcoming issues before they actually occur. 

Which Linux log files to monitor

No doubt, monitoring and analyzing all of them can be a challenging task.

The volume of logs can sometimes make it frustrating just to find the right file that contains the required information. We can have a look at these logs when we are facing some basic problems:

# /var/log/syslog

Why this log?

  • This log file contains generic system activity logs.
  • This location is used by Debian-based systems.
  • It is mainly used to store informational and non-critical system messages.

How can I use these logs?

  • This should be the first log file that Linux administrators check if something goes wrong.
  • Here we can track non-kernel boot-related errors, application-related service errors, and the messages that are logged during system startup.
  • For example, if we are facing some kind of issue with the sound card, we can check this log file to see whether something went wrong during the system startup process.

# /var/log/auth.log

Why this log?

  • In Debian and Ubuntu, all authentication-related events on the server are logged here.
  • If you're looking for anything involving the user authorization process, you can find it in this log file.

How can I use these logs?

Suspect that there might have been a security breach on your server? Notice some suspicious JavaScript file where it shouldn't be? If so, then find this log file ASAP.

  • We can investigate failed login attempts.
  • We can also investigate brute-force attacks and other vulnerabilities related to the user authorization mechanism.
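The kind of failed-login triage described above, as an added example that is not part of the original post: it parses sshd "Failed password" lines in the syslog format used in /var/log/auth.log on Debian and Ubuntu, counts failures per source address, and flags sources that exceed a threshold. The log lines and the threshold of 3 are constructed for illustration; the regular expression and function names are my own.

```python
import re
from collections import Counter

# Constructed sample lines in the format sshd writes to /var/log/auth.log
# (not captured from a real system; IPs are documentation ranges).
SAMPLE_AUTH_LOG = """\
Mar 10 13:22:01 web1 sshd[2011]: Failed password for invalid user admin from 203.0.113.5 port 4412 ssh2
Mar 10 13:22:04 web1 sshd[2011]: Failed password for invalid user admin from 203.0.113.5 port 4412 ssh2
Mar 10 13:22:09 web1 sshd[2013]: Failed password for root from 203.0.113.5 port 4420 ssh2
Mar 10 13:22:15 web1 sshd[2015]: Failed password for root from 203.0.113.5 port 4431 ssh2
Mar 10 13:23:40 web1 sshd[2020]: Accepted password for alice from 198.51.100.7 port 51022 ssh2
Mar 10 13:25:02 web1 sshd[2022]: Failed password for alice from 198.51.100.7 port 51030 ssh2
Mar 10 13:25:10 web1 sshd[2022]: Accepted publickey for alice from 198.51.100.7 port 51030 ssh2
Mar 10 13:30:00 web1 sudo:    bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/ls
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..." (unknown account).
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def failed_logins(log_text):
    """Yield (source_ip, username, is_unknown_user) for each failed sshd password attempt."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user"), bool(m.group("invalid"))

def failures_by_source(log_text):
    """Count failed password attempts per source IP."""
    return Counter(ip for ip, _user, _unknown in failed_logins(log_text))

def suspected_brute_force(log_text, threshold=3):
    """Return (ip, count) for sources with at least `threshold` failures, most active first."""
    counts = failures_by_source(log_text)
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]

if __name__ == "__main__":
    for ip, n in suspected_brute_force(SAMPLE_AUTH_LOG):
        users = sorted({u for i, u, _ in failed_logins(SAMPLE_AUTH_LOG) if i == ip})
        print(f"{ip}: {n} failed attempts, usernames tried: {', '.join(users)}")
```

On a real host, read the contents of /var/log/auth.log into the same functions in place of the constructed sample; a single failure from a known user (alice above) stays below the threshold while the repeated guesses against admin and root are flagged.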

# /var/log/boot.log

Why this log?

  • The system initialization script, /etc/init.d/bootmisc.sh, sends all bootup messages to this log file.
  • This is the repository of booting-related information.

How can I use these logs?

  • You should check this log file if you are facing improper shutdowns, unplanned reboots, or booting failures.
  • It can also be useful to determine the duration of system downtime caused by an unexpected shutdown.

# /var/log/dmesg

Why this log?

  • This log file contains kernel ring buffer messages.
  • It contains information related to hardware devices and their drivers.
  • It records the physical hardware devices that the kernel detects during the boot process, capturing device status, hardware errors, and other generic messages.

How can I use these logs?

  • This log file is mostly useful for dedicated server customers.
  • If a certain piece of hardware is functioning improperly or not getting detected, you can rely on this log file to troubleshoot the issue.

# /var/log/kern.log

Why this log?

This is a very important log file as it contains information logged by the kernel.

How can I use these logs?

  • It is perfect for troubleshooting kernel-related errors and warnings.
  • Kernel logs can be helpful to troubleshoot a custom-built kernel.
  • These logs can be used to debug hardware and connectivity issues.

# /var/log/faillog

Why this log?

This file contains information on failed login attempts.

How can I use these logs?

It can be a useful log file to find out about attempted security breaches, such as those involving username/password hacking or brute-force attacks.

Conclusion

Knowing all of this, we can easily identify errors or problems with booting, authentication, and much more.

Reference – https://www.eurovps.com/blog/important-linux-log-files-you-must-be-monitoring/#faillog

Written by

Mohd Muzakkir Saifi is a Software Consultant at Knoldus Software. He loves to take deep dives into cloud technologies & different tools. His hobbies are playing gymnastics and traveling.