Where Can I Find Linux Error Logs?

Linux logs are one of the things that make this OS so attractive. The logging process is handled by the syslog daemon and by klogd (for kernel messages), which track and write all important messages to log files, so system administrators can troubleshoot and fix problems with ease.

Follow These Steps to Find Linux Error Logs and More

The first thing every system administrator must know is the location of the system log files. On Linux, log messages are stored in the /var/log directory.

cd /var/log
ls -al

Here are all the log files that come with a plain installation of CentOS 6:

messages – global system messages.
dmesg – messages from the kernel ring buffer.
auth.log – user logins and authentication messages.
boot.log – information logged when the system boots.
daemon.log – information logged by the various background daemons that run on the system.
dpkg.log – information logged when a package is installed or removed with the dpkg command.
kern.log – information logged by the kernel.
lastlog – recent login information for all users.
maillog or mail.log – information from the mail server running on the system.
user.log – all user-level log messages.
Xorg.x.log – log messages from the X server.
alternatives.log – information logged by update-alternatives. On Ubuntu, update-alternatives maintains the symbolic links that determine default commands.
btmp – information about failed login attempts.
cups – all printer and printing related log messages.
anaconda.log – Linux installation log messages.
yum.log – information about yum usage.
cron – information about cron jobs.
secure – information related to authentication and authorization privileges.
wtmp or utmp – login records. Using wtmp you can find out who is logged into the system.
faillog – user failed login attempts.

All these logs can be read with the less, more, tail and cat commands. For example, if John is having difficulties with e-mail on your server, you should check maillog (the grep command filters out every entry that does not contain the word John):

grep John maillog

Or you can tail the log file if you want to see real-time activity:

tail -f maillog | grep John

Bigger systems save many records that need to be archived, so you may notice that log files are archived in gzip format, for example iptables.log.2.gz. The good thing is that you don't have to extract such a file before reading it: you can use the zcat, zless or zmore commands instead.
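As an added example (not part of the original tutorial), the script below does in Python what the zcat/zless and grep commands above do by hand: it reads the current secure log together with a gzip-rotated predecessor without extracting it, and counts failed SSH password attempts per source address, which is the kind of question an administrator checking auth logs actually asks. The sshd log lines, the file names and the rotation suffix are constructed for the example.

```python
"""Count failed SSH logins per source address across the current 'secure'
log and a gzip-rotated copy, reading the .gz file in place (the Python
equivalent of zcat | grep).  Sample lines and file names are constructed."""
import gzip
import os
import re
import tempfile
from collections import Counter

# Shape of one sshd failure line as written to /var/log/secure (authpriv facility).
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)


def open_log(path):
    """Open a plain or gzip-rotated log for reading, without extracting it."""
    opener = gzip.open if path.endswith(".gz") else open
    return opener(path, "rt", encoding="utf-8", errors="replace")


def failed_logins_by_ip(paths):
    """Return Counter {source_ip: failed password attempts} over all files."""
    per_ip = Counter()
    for path in paths:
        with open_log(path) as fh:
            for line in fh:
                match = FAILED_RE.search(line)
                if match:
                    per_ip[match.group("ip")] += 1
    return per_ip


def write_sample_logs(directory):
    """Create a constructed 'secure' file plus one rotated 'secure-20240301.gz'
    (logrotate date suffix assumed).  Addresses come from RFC 5737 ranges."""
    current = [
        "Mar  4 10:15:01 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2",
        "Mar  4 10:15:03 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 51236 ssh2",
        "Mar  4 10:16:10 web1 sshd[2109]: Accepted publickey for john from 198.51.100.20 port 40022 ssh2",
    ]
    rotated = [
        "Mar  1 02:41:55 web1 sshd[1877]: Failed password for root from 203.0.113.7 port 44010 ssh2",
        "Mar  1 03:02:17 web1 sshd[1890]: Failed password for invalid user test from 192.0.2.50 port 60122 ssh2",
    ]
    plain = os.path.join(directory, "secure")
    with open(plain, "w", encoding="utf-8") as fh:
        fh.write("\n".join(current) + "\n")
    gz = os.path.join(directory, "secure-20240301.gz")
    with gzip.open(gz, "wt", encoding="utf-8") as fh:
        fh.write("\n".join(rotated) + "\n")
    return [plain, gz]


def demo():
    """Build the sample files in a temp dir and return per-IP counts as a dict."""
    with tempfile.TemporaryDirectory() as tmp:
        return dict(failed_logins_by_ip(write_sample_logs(tmp)))


if __name__ == "__main__":
    for ip, count in sorted(demo().items(), key=lambda kv: -kv[1]):
        print(f"{ip}\t{count} failed password attempts")
```

On a real host you would pass `sorted(glob.glob("/var/log/secure*"))` to `failed_logins_by_ip` instead of the constructed files; the accepted-login line in the sample is there to show that the pattern only counts failures.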
Also, you may notice that there are subdirectories in your server's /var/log directory. These are created by the applications installed on your server:

httpd or apache2 – access and error logs of Apache.
lighttpd – access and error logs of the lighttpd web server.
mail – additional mail log files are stored in this directory. For example, sendmail stores its information here.
audit – information logged by the Linux audit daemon (auditd).
setroubleshoot – SELinux uses the setroubleshoot daemon, which stores its information in this directory.

As you have probably understood by now, the service responsible for storing this information is the rsyslog daemon, and you can configure it to fit your needs by editing its configuration file.
It is located in the /etc folder on most Linux distributions.

nano /etc/rsyslog.conf

#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                -/var/log/messages
# The authpriv file has restricted access.
authpriv.*                                              -/var/log/secure
# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog
# Log cron stuff
cron.*                                                  -/var/log/cron
# Everybody gets emergency messages
*.emerg                                                 *
# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          -/var/log/spooler
# Save boot messages also to boot.log
local7.*                                                -/var/log/boot.log

There are 10 types of facilities recognized by Linux:

authpriv – security / authorization messages.
cron – clock daemons (atd and crond).
daemon – other daemons.
kern – kernel messages.
local[0-7] – reserved for local use.
lpr – printing system.
mail – mail system.
news – news system.
syslog – internal syslog messages.
user – generic user level messages.

And the priorities are as follows, in ascending order:

debug – debugging information.
info – general informative messages.
notice – normal, but significant, condition.
warning – warning messages.
err – error condition.
crit – critical condition.
alert – immediate action required.
emerg – system no longer available.

There are three operators which define rules in the syslog configuration:

* – log all facilities and/or priorities.
! – do not log the exact priority.
= – log only the exact priority.

You can also use facility.none for a rule that logs nothing from that facility. Multiple selectors within one rule must be separated by semicolons (;).

Here are some examples of Syslog configuration:

*.info;mail.none;authpriv.none;cron.none -/var/log/messages

This means that all messages of priority info or higher from all facilities, except mail, authorization (authpriv) and cron, will be stored in the /var/log/messages file.
As you may already know, mail.none (facility.priority) means that no mail messages go to this log file.

kern.*;kern.!=debug /var/log/kern.log

This rule means that all kernel messages, except those with priority debug, will be logged in the /var/log/kern.log file.

mail.=info -/var/log/maillog

This rule means that only mail messages with priority info will be logged in the /var/log/maillog file.
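Before putting a selector into rsyslog.conf it is worth knowing exactly which facility/priority pairs it will match, because a wrong operator silently drops messages you wanted (such as an authentication failure). The script below is an added example, not code from the tutorial or from the rsyslog project: it evaluates a legacy selector line the way sysklogd and rsyslog's compatibility parser do, where selectors are applied left to right and accumulate, a plain priority means that priority and every more severe one, `=` means exactly that priority, `!` removes that priority and every more severe one, and `!=` removes exactly that priority. The facility list is the standard syslog set (wider than the ten the article lists), and the rules in the demo are the ones from this section plus `*.=info;*.=notice;*.=warn`, which shows that `=` selectors add up. The two kern rules show why "everything except debug" has to be written with `!=`: `kern.*;kern.!debug` removes debug and above, which is every priority, so nothing reaches kern.log.

```python
"""Evaluate legacy syslog.conf / rsyslog selector lines (sysklogd semantics).
Added example; the facility list is the standard syslog set, assumed here."""

# Numeric syslog severities: index 0 is the most severe.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}
FACILITIES = ["auth", "authpriv", "cron", "daemon", "kern", "lpr", "mail", "news",
              "syslog", "user", "uucp"] + [f"local{i}" for i in range(8)]


def severity_index(name):
    """Map a priority name (or alias) to its numeric severity index."""
    name = ALIASES.get(name, name)
    if name not in SEVERITIES:
        raise ValueError(f"unknown priority: {name!r}")
    return SEVERITIES.index(name)


def compile_selector(selector):
    """Return {facility: set of severity indexes} that the selector logs.

    Selectors are applied left to right and accumulate:
      fac.pri    adds pri and every more severe level
      fac.=pri   adds exactly pri
      fac.!pri   removes pri and every more severe level
      fac.!=pri  removes exactly pri
      fac.*      selects every priority, fac.none clears the facility
    """
    mask = {f: set() for f in FACILITIES}
    everything = set(range(len(SEVERITIES)))
    for part in selector.split(";"):
        facs, dot, pri = part.strip().rpartition(".")
        if not dot or not facs or not pri:
            raise ValueError(f"malformed selector: {part!r}")
        targets = FACILITIES if facs == "*" else [f.strip() for f in facs.split(",")]
        unknown = [f for f in targets if f not in mask]
        if unknown:
            raise ValueError(f"unknown facility: {unknown}")
        ignore = pri.startswith("!")
        pri = pri[1:] if ignore else pri
        exact = pri.startswith("=")
        pri = pri[1:] if exact else pri
        if pri == "*":
            levels = everything
        elif pri == "none":
            levels, ignore = everything, not ignore  # 'none' clears; '!none' selects all
        else:
            idx = severity_index(pri)
            levels = {idx} if exact else set(range(idx + 1))  # idx and more severe
        for f in targets:
            if ignore:
                mask[f] -= levels
            else:
                mask[f] |= levels
    return mask


def logged_priorities(selector, facility):
    """Priority names the selector logs for one facility, most severe first."""
    return [SEVERITIES[i] for i in sorted(compile_selector(selector)[facility])]


def matches(selector, facility, priority):
    """True if a message with this facility and priority is selected by the rule."""
    return severity_index(priority) in compile_selector(selector)[facility]


if __name__ == "__main__":
    for rule in ["*.info;mail.none;authpriv.none;cron.none",
                 "kern.*;kern.!debug", "kern.*;kern.!=debug",
                 "mail.=info", "*.=info;*.=notice;*.=warn"]:
        print(rule)
        for fac in ("kern", "mail", "daemon"):
            print(f"  {fac:7} -> {logged_priorities(rule, fac)}")
```

Run it and compare the output for each rule with what you expected; the `matches` function is the one to reuse when checking that a particular message, such as an authpriv warning, actually lands in the file you will be monitoring.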

That’s about it. Happy logging!
