Linux Log Files


The most important activities that take place on your Linux system are recorded in log files. There are many log files on your Linux system. One of the most important is syslog, which is the system event logger used by many programs to perform logging.

syslog supports message sorting: each message is classified by its importance (priority) and its source (facility) and then sent to the appropriate destination. syslog consists of syslogd (the logging daemon), openlog, which is one of a set of library routines that submit messages to syslogd, and logger, a user-level command that submits log entries from the shell. syslogd is started at boot time. If you want to see it running on your system, use the ps command to display all the processes running on your system.

To specify the file in which specific log entries will be placed, use /etc/syslog.conf. Each rule in this file has a selector field and an action field, and both fields have several sub-levels. For instance, the selector field can specify levels that go from informational (info) all the way to emergencies (emerg). The action field can range from a file to which messages are written (a filename) to writing messages to the screens of all logged-in users (*) when there is an important message to send.

The following is the /etc/syslog.conf file from our Integrity server:

    # Log all kernel messages to the console.
    # Logging much else clutters up the screen.
    #kern.*                                                 /dev/console

    # Log anything (except mail) of level info or higher.
    # Don't log private authentication messages!
    *.info;mail.none;news.none;authpriv.none;cron.none      /var/log/messages

    # The authpriv file has restricted access.
    authpriv.*                                              /var/log/secure

    # Log all the mail messages in one place.
    mail.*                                                  /var/log/maillog

    # Log cron stuff
    cron.*                                                  /var/log/cron

    # Everybody gets emergency messages
    *.emerg                                                 *

    # Save news errors of level crit and higher in a special file.
    uucp,news.crit                                          /var/log/spooler

    # Save boot messages also to boot.log
    local7.*                                                /var/log/boot.log

    #
    # INN
    #
    news.=crit                                              /var/log/news/news.crit
    news.=err                                               /var/log/news/news.err
    news.notice                                             /var/log/news/news.notice

You can see from this file that kernel-related messages are sent to the console, mail-related messages are sent to /var/log/maillog, cron-related messages are sent to /var/log/cron, and so on.

In the previous listing, you can see that all the log files on the system are in /var/log, which is the most common location for log files. The following is a long listing of the /var/log directory of the Integrity server:

    # ls -l /var/log
    total 3664
    -rw-r-----    1 root     root         1425 Jan 28 20:08 acpid
    -rw-------    1 root     root         9222 Jan 28 20:09 boot.log
    -rw-------    1 root     root         8667 Jan 24 22:15 boot.log.1
    -rw-------    1 root     root        12593 Jan 24 16:58 boot.log.2
    -rw-------    1 root     root       750359 Jan 29 17:00 cron
    -rw-------    1 root     root       305847 Jan 26 04:02 cron.1
    -rw-------    1 root     root       207252 Jan 24 17:03 cron.2
    -rw-r--r--    1 root     root        12034 Jan 28 20:08 dmesg
    drwxr-xr-x    2 root     root         4096 Jun 24  2001 fax
    drwxr-xr-x    2 root     root         4096 Jan 16 16:41 gdm
    drwxr-xr-x    2 root     root         4096 Jun 24  2002 httpd
    drwx------    2 root     root         4096 Feb 22  2002 iptraf
    -rw-r--r--    1 root     root          442 Jan 28 20:08 iscsi.log
    drwxr--r--    2 junkbust junkbust     4096 Jul  7  2001 junkbuster
    -rw-r--r--    1 root     root        79506 Jan 28 20:08 ksyms.0
    -rw-r--r--    1 root     root        79506 Jan 28 19:41 ksyms.1
    -rw-r--r--    1 root     root        79506 Jan 28 19:20 ksyms.2
    -rw-r--r--    1 root     root        79506 Jan 28 19:06 ksyms.3
    -rw-r--r--    1 root     root        79506 Jan 24 22:15 ksyms.4
    -rw-r--r--    1 root     root        79506 Jan 24 20:07 ksyms.5
    -rw-r--r--    1 root     root        79506 Jan 24 18:38 ksyms.6
    -rw-r--r--    1 root     root     19398360 Jan 29 01:05 lastlog
    -rw-------    1 root     root         7665 Jan 29 16:08 maillog
    -rw-------    1 root     root         3104 Jan 26 04:02 maillog.1
    -rw-------    1 root     root         1716 Jan 24 16:58 maillog.2
    drwxrwsr-x    2 root     mailman      4096 Jan 26 04:02 mailman
    -rw-------    1 root     root       263224 Jan 29 04:03 messages
    -rw-------    1 root     root       123647 Jan 25 04:03 messages.1
    -rw-------    1 root     root       173869 Jan 24 16:58 messages.2
    -rw-r-----    1 mysql    mysql           0 Jan 26 04:02 mysqld.log
    -rw-r-----    1 mysql    mysql           0 Jan 24 17:03 mysqld.log.1
    -rw-r--r--    1 root     root            0 Jan 16 11:32 mysqld.log.2
    drwxr-xr-x    3 news     news         4096 Jan 16 10:54 news
    -rw-------    1 root     root       177984 Jan 29 17:00 pacct
    -rw-------    1 root     root        95922 Jan 29 04:02 pacct.1.gz
    -rw-------    1 root     root        29079 Jan 28 04:02 pacct.2.gz
    -rw-------    1 root     root        50909 Jan 27 04:02 pacct.3.gz
    -rw-------    1 root     root        29069 Jan 26 04:02 pacct.4.gz
    -rw-------    1 root     root        91306 Jan 25 04:02 pacct.5.gz
    -rw-------    1 root     root        50800 Jan 24 17:03 pacct.6.gz
    -rw-------    1 root     root        89431 Jan 17 04:02 pacct.7.gz
    -rwx------    1 postgres postgres        0 Jan 16 10:54 pgsql
    drwxrwxr-x    2 piranha  root         4096 Jan 16 11:26 piranha
    -rw-r--r--    1 root     root        28991 Jan 29 04:02 rpmpkgs
    -rw-r--r--    1 root     root        28991 Jan 25 04:02 rpmpkgs.1
    -rw-r--r--    1 root     root        28991 Jan 17 04:02 rpmpkgs.2
    drwxr-xr-x    2 root     root         4096 Jan 29 04:03 sa
    drwx------    2 root     root         4096 Sep 18  2001 samba
    -rw-------    1 root     root            0 Sep  6  2001 savacct
    -rw-------    1 root     root         1473 Jan 29 01:05 secure
    -rw-------    1 root     root         1857 Jan 24 22:15 secure.1
    -rw-------    1 root     root         1393 Jan 24 16:58 secure.2
    -rw-------    1 root     root            0 Jan 26 04:02 spooler
    -rw-------    1 root     root            0 Jan 24 17:03 spooler.1
    -rw-------    1 root     root            0 Jan 16 10:42 spooler.2
    drwxr-x---    2 squid    squid        4096 Jun 27  2002 squid
    -rw-------    1 root     root            0 Sep  6  2001 usracct
    drwxr-xr-x    2 uucp     uucp         4096 Jan 16 11:35 uucp
    drwxr-xr-x    2 root     root         4096 May 21  2002 vbox
    -rw-rw-r--    1 root     utmp       206400 Jan 29 01:05 wtmp
    -rw-------    1 root     root            0 Jan 26 04:02 xferlog
    -rw-------    1 root     root            0 Jan 24 17:03 xferlog.1
    -rw-------    1 root     root            0 Jan 16 10:54 xferlog.2
    -rw-r--r--    1 root     root       112525 Jan 28 21:34 XFree86.0.log
    drwxr-x---    2 root     root         4096 Aug  2 14:24 zebra
    #

Most of the log files in this directory are ASCII files that can be viewed or edited as text files. wtmp, however, is a binary file containing a record of user logins and logouts, so you must use a command that can interpret it. In the following example, last -20 shows the last 20 entries in the file. As you can see, the last command decodes the information in this file:

    # last -20
    root     pts/0        pal2nai168208.ns Wed Jan 29 01:05   still logged in
    root     pts/1        atl2nai162053.ss Tue Jan 28 21:19 - 21:23  (00:04)
    root     pts/2        :0               Tue Jan 28 21:11 - 21:34  (00:23)
    root     pts/0        :0               Tue Jan 28 20:09 - 21:34  (01:24)
    root     :0                            Tue Jan 28 20:09 - 21:34  (01:25)
    root     :0                            Tue Jan 28 20:09 - 20:09  (00:00)
    reboot   system boot  2.4.18-e.12smp   Tue Jan 28 20:08          (20:54)
    root     pts/0        :0               Tue Jan 28 19:43 - down   (00:23)
    root     :0                            Tue Jan 28 19:42 - down   (00:23)
    reboot   system boot  2.4.18-e.12smp   Tue Jan 28 19:41          (00:24)
    root     pts/0        :0               Tue Jan 28 19:21 - down   (00:18)
    root     :0                            Tue Jan 28 19:21 - down   (00:18)
    reboot   system boot  2.4.18-e.12smp   Tue Jan 28 19:20          (00:19)
    root     pts/0        :0               Tue Jan 28 19:08 - down   (00:10)
    root     :0                            Tue Jan 28 19:07 - down   (00:10)
    reboot   system boot  2.4.18-e.12smp   Tue Jan 28 19:06          (00:11)
    root     pts/1        :0               Tue Jan 28 16:44 - 19:04  (02:20)
    root     pts/0        :0               Tue Jan 28 16:19 - 19:04  (02:44)
    root     :0                            Tue Jan 28 16:18 - down   (02:46)
    reboot   system boot  2.4.18-e.12smp   Fri Jan 24 22:15          (3+20:49)

    wtmp begins Thu Jan 16 16:40:37 2003
    #

This example shows the last 20 entries in wtmp including reboots.
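Because wtmp is binary, anything that decodes it has to know the record layout; during an investigation it is useful to be able to read the file without relying on the last binary on a possibly compromised host. The script below is an added example, not code from the book or from the last utility. It assumes the glibc 64-bit struct utmp layout (384-byte records) and builds its own sample file in memory, modelled on the entries in the last -20 output above; the records are constructed here, not captured from the Integrity server.

```python
"""Decode Linux wtmp records directly, as `last` does.  Added example, not
code from the book.  SAMPLE_WTMP is constructed here (not captured from the
Integrity server) and assumes the glibc 64-bit struct utmp layout."""
import struct
from datetime import datetime, timezone

# glibc <utmp.h> on 64-bit Linux, 384 bytes per record:
# ut_type(short)+pad, ut_pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256],
# ut_exit(2 shorts), ut_session(int32), ut_tv(int32 sec, int32 usec),
# ut_addr_v6[4 int32], 20 reserved bytes.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)            # 384
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8   # ut_type values used here


def pack_record(ut_type, user, line, host, when, pid=0):
    """Build one record; used only to construct the sample file below."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, int(when), 0, 0, 0, 0, 0)


def parse_wtmp(data):
    """Yield one dict per fixed-size record, NUL padding stripped.  A size that
    is not a whole number of records means a truncated or foreign-format file."""
    if len(data) % UTMP_SIZE:
        raise ValueError("not a multiple of %d bytes" % UTMP_SIZE)
    cstr = lambda b: b.split(b"\0", 1)[0].decode(errors="replace")
    for off in range(0, len(data), UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        yield {"type": f[0], "pid": f[1], "line": cstr(f[2]),
               "user": cstr(f[4]), "host": cstr(f[5]), "time": f[9]}


def sessions(records):
    """Pair each USER_PROCESS login with the next DEAD_PROCESS on the same tty
    (a logout) or the next BOOT_TIME record (the machine went down; `last`
    prints 'down' using the shutdown time, simplified here to the boot time).
    Returns (user, line, host, login, end, how) tuples, newest first as `last`
    prints them; end is None while the session is still open."""
    recs = list(records)
    out = []
    for i, r in enumerate(recs):
        if r["type"] != USER_PROCESS:
            continue
        end, how = None, "still logged in"
        for later in recs[i + 1:]:
            if later["type"] == DEAD_PROCESS and later["line"] == r["line"]:
                end, how = later["time"], "logout"
                break
            if later["type"] == BOOT_TIME:
                end, how = later["time"], "down"
                break
        out.append((r["user"], r["line"], r["host"], r["time"], end, how))
    return out[::-1]


def duration_minutes(session):
    """Session length in whole minutes, or None if still logged in."""
    _, _, _, start, end, _ = session
    return None if end is None else (end - start) // 60


def ts(*ymdhm):
    """Constructed timestamps, taken as UTC."""
    return int(datetime(*ymdhm, tzinfo=timezone.utc).timestamp())


# Constructed records modelled on the book's `last -20` output (oldest first,
# since wtmp is append-only).
SAMPLE_WTMP = b"".join([
    pack_record(BOOT_TIME, "reboot", "~", "2.4.18-e.12smp", ts(2003, 1, 28, 20, 8)),
    pack_record(USER_PROCESS, "root", "pts/0", ":0", ts(2003, 1, 28, 20, 9), pid=1201),
    pack_record(USER_PROCESS, "root", "pts/1", "atl2nai162053.ss", ts(2003, 1, 28, 21, 19), pid=1340),
    pack_record(DEAD_PROCESS, "", "pts/1", "", ts(2003, 1, 28, 21, 23), pid=1340),
    pack_record(DEAD_PROCESS, "", "pts/0", "", ts(2003, 1, 28, 21, 34), pid=1201),
    pack_record(USER_PROCESS, "root", "pts/0", "pal2nai168208.ns", ts(2003, 1, 29, 1, 5), pid=1502),
])

if __name__ == "__main__":
    for s in sessions(parse_wtmp(SAMPLE_WTMP)):
        user, line, host, start, end, how = s
        when = datetime.fromtimestamp(start, timezone.utc).strftime("%a %b %d %H:%M")
        print(f"{user:8} {line:8} {host:16} {when}  {how}  {duration_minutes(s)}")
```

To read a real file, replace SAMPLE_WTMP with the contents of /var/log/wtmp read in binary mode; the length check in parse_wtmp is the first thing to look at if the output makes no sense, since a file copied from a system with a different utmp layout (or one that has been tampered with) will not divide evenly into 384-byte records.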

Most of the files are automatically "rotated": the current file has no numeric extension, the most recently rotated copy has an extension of 1, and older copies have extensions with progressively higher numbers.

Notice in the long listing of /var/log that there are subdirectories for some applications, such as samba. Many of the log files in the /var/log/samba directory on the IA-32 system are used in the Samba chapter, as shown in the following long listing:

    # ll /var/log/samba
    total 53
    -rw-r--r--    1 root     root             0 Jun 15 11:15 f4412bfg.log
    -rw-r--r--    1 root     root             0 Aug 17 04:03 f4457mxp.log
    -rw-r--r--    1 root     root           118 Aug 17 04:03 f4457mxp.log.1
    -rw-r--r--    1 root     root           235 Jul 22 04:03 f4457mxp.log.
    -rw-r--r--    1 root     root           664 Jun 23 04:03 f4457mxp.log.3
    -rw-r--r--    1 root     root             0 Jun 21 12:22 linuxdev.log
    -rw-r--r--    1 root     root         25738 Aug 17 04:03 log.nmbd
    -rw-r--r--    1 root     root          5069 Aug 16 08:36 log.smbd
    -rw-r--r--    1 root     root           411 Aug 15 17:40 nmbd.log
    -rw-r--r--    1 root     root           209 Aug 11 04:03 nmbd.log.1
    -rw-r--r--    1 root     root           460 Aug 10 10:30 nmbd.log.2
    -rw-r--r--    1 root     root           158 Jul 28 04:03 nmbd.log.3
    -rw-r--r--    1 root     root            79 Jul 21 04:03 nmbd.log.4
    -rw-r--r--    1 root     root           130 Aug 17 04:03 smbd.log
    -rw-r--r--    1 root     root            65 Aug 11 04:03 smbd.log.1
    -rw-r--r--    1 root     root           130 Aug 10 10:30 smbd.log.2
    -rw-r--r--    1 root     root           130 Jul 28 04:03 smbd.log.3
    -rw-r--r--    1 root     root            65 Jul 21 04:03 smbd.log.4
    -rw-r--r--    1 root     root             0 Aug 10 10:30 smbmount.log
    -rw-r--r--    1 root     root          1224 Aug 10 10:30 smbmount.log.1
    -rw-r--r--    1 root     root           135 Jul 29 04:03 smbmount.log.2
    -rw-r--r--    1 root     root           402 Jul 21 04:03 smbmount.log.3
    -rw-r--r--    1 root     root          3405 Jun 30 04:03 smbmount.log.4

If all these files were placed directly in /var/log, the directory would become too crowded, so a subdirectory is created for Samba.

A large number of log files are in /var/log. You may want to take a look at some of these. For example, the boot.log file contains a history of the significant commands that you've issued and dmesg provides a dump of the kernel message buffer. Many others can give you insight into your system operation.

Sometimes, log files can be very long. When they are, it is a good idea to search (grep) for what you need rather than reading the whole file. In the following example, you send the contents of dmesg to the screen (cat dmesg), but because the file is long, you pipe the output through grep to display only the lines containing the three-letter string CPU:

    # cat dmesg | grep CPU
    CPU 0: mapping PAL code [0x3ff40000-0x3ff80000) into [0xe00000003f000000-0xe000000040000000)
    CPU 0: 61 virtual and 50 physical address bits
    CPU 0 (0x0000) enabled (BSP)
    CPU 1 (0x0100) enabled
    2 CPUs available, 2 CPUs total
    CPU 0: base freq=200.000MHz, ITC ratio=10/2, ITC freq=1000.000MHz
    CPU 1: mapping PAL code [0x3ff40000-0x3ff80000) into [0xe00000003f000000-0xe000000040000000)
    CPU 1: 61 virtual and 50 physical address bits
    CPU 1: synchronized ITC with CPU 0 (last diff 0 cycles, maxerr 451 cycles)
    CPU 1: base freq=200.000MHz, ITC ratio=10/2, ITC freq=1000.000MHz
    CPU1: CPU has booted.
    #

The two CPUs and information associated with them are shown in the output, including the 1 GHz frequency. Next, use grep to look for hpzx1 in the output:

    # cat dmesg | grep hpzx1
    booting generic kernel on platform hpzx1
    hpzx1: HWP0001 SBA at 0xfed00000; pci dev 00:1e.0
    hpzx1: HWP0001 IOC at 0xfed01000; pci dev 00:1d.0
    hpzx1: HWP0002 PCI LBA _BBN 0x00 at 0xfed20000; pci dev 00:1c.0
    hpzx1: HWP0002 PCI LBA _BBN 0x20 at 0xfed22000; pci dev 20:1e.0
    hpzx1: HWP0002 PCI LBA _BBN 0x40 at 0xfed24000; pci dev 40:1e.0
    hpzx1: HWP0002 PCI LBA _BBN 0x60 at 0xfed26000; pci dev 60:1e.0
    hpzx1: HWP0002 PCI LBA _BBN 0x80 at 0xfed28000; pci dev 80:1e.0
    hpzx1: HWP0002 PCI LBA _BBN 0xc0 at 0xfed2c000; pci dev c0:1e.0
    hpzx1: HWP0002 PCI LBA _BBN 0xe0 at 0xfed2e000; pci dev e0:1e.0
    #

This output shows information related to the hpzx1 chipset. This chipset provides a high-bandwidth, low-latency solution for one- to four-way workstations and servers, such as the two-way rx2600 used in the example.

I check log files on an as-needed basis, but many system administrators review the log files frequently to look for potential problems in an effort to be proactive.

    Linux on HP Integrity Servers: A System Administrator's Guide
    ISBN: 0131400002
    Year: 2004
    Pages: 100