Where Can I Find Linux Error Logs?
Linux logs are one of the great things that make this OS so attractive. The logging process is handled by daemons, rsyslog for system messages and klogd for kernel messages (on CentOS 6 rsyslog's own imklog module has taken over klogd's job), which track and write all important messages to log files, so logs help system administrators troubleshoot and fix problems with ease.
The first thing every system administrator must know is where the system log files live. On Linux they are in /var/log.
Here are the log files that come with a plain installation (the list mixes CentOS 6 names such as messages, secure, cron and yum.log with Debian/Ubuntu names such as auth.log, daemon.log, dpkg.log and kern.log):
messages – global system messages (CentOS; the Debian/Ubuntu counterpart is syslog).
dmesg – messages from the kernel ring buffer.
auth.log – user logins and authentication messages (Debian/Ubuntu).
boot.log – information logged when the system boots.
daemon.log – information logged by the various background daemons running on the system.
dpkg.log – information logged when a package is installed or removed with the dpkg command (Debian/Ubuntu).
kern.log – information logged by the kernel (Debian/Ubuntu).
lastlog – the most recent login of every user. This is a binary file; read it with the lastlog command.
maillog or mail.log – log information from the mail server running on the system.
user.log – user-level log messages.
Xorg.x.log – log messages from the X server.
alternatives.log – information logged by update-alternatives. On Ubuntu, update-alternatives maintains the symbolic links that determine the default commands.
btmp – failed login attempts. This is a binary file; read it with lastb.
cups – all printer and printing-related log messages.
anaconda.log – Linux installation log messages (the CentOS installer).
yum.log – packages installed, updated and removed by yum (CentOS).
cron – information about cron jobs (CentOS).
secure – authentication and authorization messages from sshd, sudo, PAM and the like (CentOS; the counterpart of auth.log).
wtmp and utmp – login records. utmp holds who is logged in right now (read it with who), wtmp holds the login history (read it with last). Both are binary files.
faillog – per-user failed login counts, read with the faillog command.
All the text logs above can be checked with cat and similar commands (the binary ones, btmp, wtmp, utmp and lastlog, need lastb, last, who and lastlog respectively). For example, if John is having difficulties with e-mail on your server, you should check maillog; piping it through grep John keeps only the entries that contain the word John:
Or you can tail the log file (with -f) if you want to see activity in real time:
Bigger systems accumulate many records that need to be archived, so you may notice that older log files are rotated (by logrotate) and compressed with gzip, for example iptables.log.2.gz. The good thing is that you don't have to extract such a file before reading it: use zmore (or zcat and zless) instead.
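The grep and tail workflow above, plus reading a rotated .gz file without decompressing it first, as an added Python example (not code from the original article). The /var/log/secure lines it searches are constructed for the example; the host name, user names and addresses in them are hypothetical. Besides plain text search it tallies sshd "Failed password" lines per source address, which is the check a practitioner actually wants from this file.

```python
"""Search plain or gzip-compressed logs and tally failed logins.

Added example; it is not code from the original article. It mimics the
grep/tail/zmore workflow: a file whose name ends in .gz is opened through
the gzip module, anything else as plain text, and a constructed sample
of /var/log/secure (not a real capture) is scanned for "Failed password"
lines per source address.
"""
import gzip
import os
import re
import tempfile
from collections import Counter

# Constructed /var/log/secure sample (hypothetical host, users and addresses).
SAMPLE_SECURE = """\
Mar  3 08:12:41 web1 sshd[2214]: Accepted publickey for john from 10.0.0.5 port 52210 ssh2
Mar  3 08:13:02 web1 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 41234 ssh2
Mar  3 08:13:05 web1 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 41234 ssh2
Mar  3 08:13:09 web1 sshd[2240]: Failed password for root from 203.0.113.7 port 41260 ssh2
Mar  3 08:14:10 web1 sshd[2255]: Failed password for john from 198.51.100.2 port 50011 ssh2
Mar  3 08:15:00 web1 sudo:    john : TTY=pts/0 ; PWD=/home/john ; USER=root ; COMMAND=/bin/cat /var/log/secure
"""

# sshd logs both "Failed password for USER from IP" and
# "Failed password for invalid user USER from IP"; capture user and source.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")


def open_log(path):
    """Open a log as text; rotated *.gz files are decompressed on the fly (like zcat)."""
    if path.endswith(".gz"):
        return gzip.open(path, "rt", encoding="utf-8", errors="replace")
    return open(path, encoding="utf-8", errors="replace")


def grep(path, word):
    """Lines of `path` containing `word`, like `grep word path` (or zgrep for .gz)."""
    with open_log(path) as fh:
        return [line.rstrip("\n") for line in fh if word in line]


def failed_logins(path):
    """Source address -> number of failed password attempts, most frequent first."""
    hits = Counter()
    with open_log(path) as fh:
        for line in fh:
            m = FAILED_RE.search(line)
            if m:
                hits[m.group(2)] += 1
    return hits.most_common()


def write_samples(directory):
    """Write the sample as a live 'secure' and as a rotated 'secure.1.gz'; return both paths."""
    plain = os.path.join(directory, "secure")
    rotated = os.path.join(directory, "secure.1.gz")
    with open(plain, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_SECURE)
    with gzip.open(rotated, "wt", encoding="utf-8") as fh:
        fh.write(SAMPLE_SECURE)
    return plain, rotated


def run_demo():
    """Write the samples to a temporary directory, query both files, return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        plain, rotated = write_samples(tmp)
        return {
            "john_lines": grep(rotated, "john"),    # read straight from the .gz
            "failed": failed_logins(plain),
        }


if __name__ == "__main__":
    results = run_demo()
    for line in results["john_lines"]:
        print(line)
    for source, count in results["failed"]:
        print("%-16s %d failed password attempts" % (source, count))
```

Pointed at a real /var/log/secure and its secure-*.gz rotations, failed_logins gives the same per-address view you would otherwise assemble with zgrep and sort | uniq -c; the regex deliberately ignores the user name so that "invalid user" probes and attempts against root land in the same count.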
You will also notice subdirectories in your server's /var/log directory. They are created by the applications installed on the server:
httpd or apache2 – access and error logs of Apache.
lighttpd – access and error logs of the lighttpd web server.
audit – audit.log, written by the Linux audit daemon (auditd); SELinux AVC denials end up here too.
setroubleshoot – SELinux uses the setroubleshoot daemon, which stores its information in this directory.
As you have already understood, the service responsible for storing this information is the rsyslog daemon, and you can configure it to fit your needs by editing its configuration file, /etc/rsyslog.conf, which lives in /etc on most Linux distributions. On CentOS 6 its rules section is annotated with comments describing what each rule does:
#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
# Log anything (except mail) of level info or higher.
# Don’t log private authentication messages!
# The authpriv file has restricted access.
# Log all the mail messages in one place.
# Log cron stuff
# Everybody gets emergency messages
# Save news errors of level crit and higher in a special file.
# Save boot messages also to boot.log
The facilities recognized by syslog are:
auth and authpriv – security and authorization messages (authpriv is the facility written to /var/log/secure).
cron – clock daemons (atd and crond).
daemon – other daemons.
ftp – the FTP daemon.
kern – kernel messages.
local[0-7] – reserved for local use.
lpr – printing system.
mail – mail system.
news – news system.
syslog – internal syslog messages.
user – generic user-level messages.
uucp – the UUCP subsystem (paired with news in the stock spooler rule).
And the priorities, in ascending order of severity:
debug – debug-level messages.
info – general informative messages.
notice – normal, but significant, condition.
warning – warning messages.
err – error condition.
crit – critical condition.
alert – immediate action required.
emerg – system no longer usable.
A plain priority in a selector matches that priority and every more severe one. Three operators modify this:
* – log all priorities.
! – do not log this priority or anything more severe (so kern.!err removes err, crit, alert and emerg from what an earlier kern selector matched).
= – log only the exact priority.
! and = can be combined as != to exclude only the exact priority. You can also use facility.none to log nothing from a facility. Several selectors in one rule are separated by semicolons (;) and applied left to right, so a later selector overrides an earlier one for the facilities it names; several facilities sharing one priority can be separated by commas (,).
Here are some examples of rules:
The first one means that all messages of priority info or higher from all facilities, except from mail, authpriv (authorization) and cron, are stored in the /var/log/messages file.
As you may already know, mail.none (the facility.priority form with the special priority none) means that no mail messages go to this log file.
The next rule means that all kernel messages, except those with priority debug, will be logged in
The last rule means that only mail messages with exactly info priority (the = operator) will be logged in
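The selector semantics explained above (facility.priority, *, =, !, != and none, with selectors applied left to right) and the rules section of the stock CentOS 6 rsyslog.conf quoted earlier, as an added Python example that is neither the article's code nor rsyslog's. STOCK_RULES are the uncommented rules of the stock CentOS 6 /etc/rsyslog.conf; the selectors tested for the article's kernel and mail examples (kern.*;kern.!=debug and mail.=info) are my reconstruction of the rules its explanations describe, not lines from the page.

```python
"""Evaluate classic rsyslog/sysklogd selectors (facility.priority) against messages.

Added example, not code from the original article and not rsyslog's own
implementation. Semantics: a priority names that level and every higher one,
=prio names only that level, !prio excludes that level and higher, !=prio
excludes only that level, * names all levels and none drops the facility.
Selectors in one rule are applied left to right, so later ones override
earlier ones for the facilities they name (the classic per-facility bitmask).
"""

# Priorities in ascending order of severity (debug is the lowest).
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
PRIORITY_ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}

FACILITIES = ["auth", "authpriv", "cron", "daemon", "ftp", "kern", "lpr", "mail",
              "news", "syslog", "user", "uucp"] + ["local%d" % i for i in range(8)]
FACILITY_ALIASES = {"security": "auth"}

# Uncommented rules of a stock CentOS 6 /etc/rsyslog.conf (selectors, target).
# "-" before a path means the file is written asynchronously; "*" as a target
# means every logged-in user.
STOCK_RULES = [
    ("*.info;mail.none;authpriv.none;cron.none", "/var/log/messages"),
    ("authpriv.*", "/var/log/secure"),
    ("mail.*", "-/var/log/maillog"),
    ("cron.*", "/var/log/cron"),
    ("*.emerg", "*"),
    ("uucp,news.crit", "/var/log/spooler"),
    ("local7.*", "/var/log/boot.log"),
]


def norm_priority(name):
    name = PRIORITY_ALIASES.get(name.lower(), name.lower())
    if name not in PRIORITIES:
        raise ValueError("unknown priority: %s" % name)
    return name


def norm_facility(name):
    name = FACILITY_ALIASES.get(name.lower(), name.lower())
    if name not in FACILITIES:
        raise ValueError("unknown facility: %s" % name)
    return name


def parse_selectors(text):
    """Return {facility: set of priorities} matched by a ;-separated selector list."""
    mask = {f: set() for f in FACILITIES}
    for sel in text.split(";"):
        sel = sel.strip()
        if not sel:
            continue
        fac_part, _, pri_part = sel.rpartition(".")          # "uucp,news.crit"
        facilities = FACILITIES if fac_part == "*" else [norm_facility(f) for f in fac_part.split(",")]
        negate = pri_part.startswith("!")                     # "!" must precede "="
        pri_part = pri_part[1:] if negate else pri_part
        exact = pri_part.startswith("=")
        pri_part = pri_part[1:] if exact else pri_part
        if pri_part == "none":            # facility.none: drop everything from it
            selected, negate = set(PRIORITIES), True
        elif pri_part == "*":             # all priorities
            selected = set(PRIORITIES)
        else:                             # this level, or this level and higher
            level = PRIORITIES.index(norm_priority(pri_part))
            selected = {PRIORITIES[level]} if exact else set(PRIORITIES[level:])
        for f in facilities:
            if negate:
                mask[f] -= selected
            else:
                mask[f] |= selected
    return mask


def selected_priorities(text, facility):
    """Priorities (ascending) that the selector list `text` matches for `facility`."""
    mask = parse_selectors(text)
    return [p for p in PRIORITIES if p in mask[norm_facility(facility)]]


def matches(text, facility, priority):
    return norm_priority(priority) in parse_selectors(text)[norm_facility(facility)]


def route(rules, facility, priority):
    """Targets, in configuration order, that a (facility, priority) message reaches."""
    return [target for selectors, target in rules if matches(selectors, facility, priority)]


if __name__ == "__main__":
    for fac, pri in [("kern", "info"), ("mail", "info"), ("authpriv", "notice"), ("kern", "emerg")]:
        print("%s.%s -> %s" % (fac, pri, route(STOCK_RULES, fac, pri)))
    print("kern.*;kern.!=debug ->", selected_priorities("kern.*;kern.!=debug", "kern"))
    print("mail.=info          ->", selected_priorities("mail.=info", "mail"))
```

Running route over STOCK_RULES shows why a mail.info message never reaches /var/log/messages (mail.none in the first rule clears it) but does reach maillog, and why an emerg from any facility lands both in messages and on every user's terminal. It is also a quick way to check that a selector such as kern.!debug does what you think before editing the live file: because ! excludes the named level and higher, that selector silences kern entirely, which is exactly the mistake the != form avoids.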
That’s about it. Happy logging!