Introduction to Linux log files. System Syslog and logs logs in Linux Access log ubuntu how to open

All log files are located in /var/log directory. In that directory, there are specific files for each type of logs. For example, system logs, such as kernel activities are logged in syslog file.

Some of the most common log files in that directory is:

In directory apt there is a file history.log which saves all the package installation and removal information even the initial system build as Live CD. You can open this file to see this very interesting file.

In directory dist-upgrade there is a file apt.log which logs the information during distribution upgrades

In directory installer the log files which are created during installation can be found.

There is an apport.log file which saves information about crashes in your system and reporting them.

The file auth.log includes information about the authentication activities such as when you authenticate as root user via sudo.

The file dpkg.log saves the low level details of package installation and removal related to dpkg . You might be aware that the apt system depends on dpkg for package installation and removal.

boot.log includes information of each booting.

kern.log saves kernel information such as warnings, errors etc.

alternatives.log includes the history of all the alternatives set by various packages and their removal via update-alternatives command.

Another important log file is Xorg.log which include information about the graphics driver, its failures, warnings etc.

Some other types of Log files may be there depending on your installed packages. For example, My system also includes a log files epoptes.log which will only be there if you install epoptes package.

Changes after systemd

With the advent of systemd , logging is mostly handled by journalctl utility and store the logs in binary format in /var/lib/systemd/catalog/database file. This file enumerates all logs including kernel, boot and application logs and provides required logs via journalctl utility.

Here is a good article on journalctl on how you can use it to fetch required log info.

If you take up Linux administration, be prepared for the fact that viewing and analyzing log files will take up the lion's share of the time that you spend in the console. Log analysis is the main (and most often the only) way to understand the behavior of the server.

Often, the log contains thousands of lines, so moreover, it can increase by several more entries every second. And it is desirable to watch live, tracking the reaction to certain actions. Two utilities tail and less will help us here.

Viewing logs on Linux with tail .

tail (translated as tail) allows you to view the last 10 lines of a file. If you need more, just say so. For example, 25:

# tail -n 25 /var/log/httpd/error_log

[hc@host~] # tail -n 25 /var/log/httpd/error_log

Or you can simply:

# tail -25 /var/log/httpd/error_log

[hc@host~] # tail -25 /var/log/httpd/error_log

The second useful parameter that can be passed is -f . With this option, tail prints the specified number of last lines and continues to read the added lines until you press Ctrl+C - i.e. you can track changes in the log file live:

# tail -5f /home/sites/web/site.ru/logs/site.ru.log 178.45.0.0 - - "GET / HTTP/1.0" 200 17401 "http://site.ru/allsorts/" "Mozilla /5.0 (iPad; CPU OS 8_0_2 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12A405 Safari/600.1.4" 217.118.0.0 - - "GET /allsorts HTTP/1.0" 301 - "http://site.ru/" 217.118.0.0 - - "GET /allsorts/ HTTP/1.0" 200 16663 "http://site.ru/" "Mozilla/5.0 (iPhone; CPU iPhone OS 9_2 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13C75 Safari/601.1" 85.95.0.0 - - "GET / HTTP/1.0" 200 17401 "http://vk.com/away.php " "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36OPR/34.0.2036.50" 85.95.0.0 - - "GET /allsorts/ HTTP/1.0" 200 16663 "http://site.ru/" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36OPR/34.0.2036.50"

[hc@host~] # tail -5f /home/sites/web/site.ru/logs/site.ru.log 178.45.0.0 - - [ 23 / Jan / 2016 : 19 : 45 : 02 + 0300 ] "GET / HTTP/1.0" 200 17401 "http://site.ru/allsorts/" "Mozilla/5.0 (iPad; CPU OS 8_0_2 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12A405 Safari/600.1.4" 217.118.0.0 - - [ 23 / Jan / 2016 : 19 : 46 : 34 + 0300 ] "GET /allsorts HTTP/1.0" 301 - "http://site.ru/" "Mozilla/5.0 (iPhone; CPU iPhone OS 9_2 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13C75 Safari/601.1" 217.118.0.0 - - [ 23 / Jan / 2016 : 19 : 46 : 35 + 0300 ] "GET /allsorts/ HTTP/1.0" 200 16663 "http://site.ru/" "Mozilla/5.0 (iPhone; CPU iPhone OS 9_2 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13C75 Safari/601.1" 85.95.0.0 - - [ 23 / Jan / 2016 : 19 : 47 : 34 + 0300 ] "GET /allsorts/ HTTP/1.0" 200 16663 "http://site.ru/" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36OPR/34.0.2036.50"

But the biggest convenience of tail is that multiple files can be passed as parameters, i.e. you can monitor multiple related log files at the same time:

# tail -f -n 5 -s 3 /home/sites/web/site.ru/logs/site.ru.log /var/log/httpd/domains/site.ru.error.log ==> /home/ sites/web/site.ru/logs/site.ru.log<== 37.113.0.0 - - "GET /wp-content/themes/bigroll/img/delivery-feature-6.png HTTP/1.1" 200 18165 "http://site.ru/delivery/" "Mozilla/5.0 (iPhone; CPU iPhone OS 9_2 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13C75 Safari/601.1" 37.113.0.0 - - "GET /wp-content/themes/bigroll/img/delivery-truck.png HTTP/1.1" 200 15243 "http://site.ru/delivery/" "Mozilla/5.0 (iPhone; CPU iPhone OS 9_2 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13C75 Safari/601.1" 37.113.0.0 - - "GET /wp-content/themes/bigroll/img/scooter-icon-small.png HTTP/1.1" 200 4322 "http://site.ru/delivery/" "Mozilla/5.0 (iPhone; CPU iPhone OS 9_2 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13C75 Safari/601.1" 37.113.0.0 - - "GET /wp-content/themes/bigroll/img/link-button-shadow.png HTTP/1.1" 200 7792 "http://site.ru/delivery/" "Mozilla/5.0 (iPhone; CPU iPhone OS 9_2 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13C75 Safari/601.1" 37.113.0.0 - - "GET /wp-content/themes/bigroll/img/header-bg.png HTTP/1.1" 200 194475 "http://site.ru/delivery/" "Mozilla/5.0 (iPhone; CPU iPhone OS 9_2 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13C75 Safari/601.1" ==>/var/log/httpd/domains/site.ru.error.log<== client denied by server configuration: /home/sites/web/site.ru/public_html/xmlrpc.php client denied by server configuration: /home/sites/web/site.ru/public_html/xmlrpc.php client denied by server configuration: /home/sites/web/site.ru/public_html/xmlrpc.php client denied by server configuration: /home/sites/web/site.ru/public_html/xmlrpc.php client denied by server configuration: /home/sites/web/site.ru/public_html/xmlrpc.php

[hc@host~] # tail -f -n 5 -s 3 /home/sites/web/site.ru/logs/site.ru.log /var/log/httpd/domains/site.ru.error.log ==> /home/sites/web/site. ru/logs/site. ru. log<= = 37.113.0.0 - - [ 23 / Jan / 2016 : 19 : 55 : 45 + 0300 ] "GET /wp-content/themes/bigroll/img/delivery-feature-6.png HTTP/1.1" 200 18165 "http://site.ru/delivery/" "Mozilla/5.0 (iPhone; CPU iPhone OS 9_2 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13C75 Safari/601.1" "GET /wp-content/themes/bigroll/img/delivery-truck.png HTTP/1.1" 200 15243 "http://site.ru/delivery/" "Mozilla/5.0 (iPhone; CPU iPhone OS 9_2 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13C75 Safari/601.1" 37.113.0.0 - - [ 23 / Jan / 2016 : 19 : 55 : 46 + 0300 ] "GET /wp-content/themes/bigroll/img/scooter-icon-small.png HTTP/1.1" 200 4322 "http://site.ru/delivery/" "Mozilla/5.0 (iPhone; CPU iPhone OS 9_2 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13C75 Safari/601.1" 37.113.0.0 - - [ 23 / Jan / 2016 : 19 : 55 : 46 + 0300 ] "GET /wp-content/themes/bigroll/img/link-button-shadow.png HTTP/1.1" 200 7792 "http://site.ru/delivery/" "Mozilla/5.0 (iPhone; CPU iPhone OS 9_2 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13C75 Safari/601.1" 37.113.0.0 - - [ 23 / Jan / 2016 : 19 : 55 : 46 + 0300 ] "GET /wp-content/themes/bigroll/img/header-bg.png HTTP/1.1" 200 194475 "http://site.ru/delivery/" "Mozilla/5.0 (iPhone; CPU iPhone OS 9_2 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13C75 Safari/601.1" ==> /var/log/httpd/domains/site. ru. error . log<= = [ Wed Jan 20 04 : 38 : 36 2016 ] [ error ] [ client 46.166.0.0 ] client denied by server configuration : / home / sites / web / site . en/public_html/xmlrpc. php [ Wed Jan 20 13:15:43 2016 ] [ error ] [ client 69.84.0.0 ] client denied by server configuration : / home / sites / web / site . en/public_html/xmlrpc. php [ Wed Jan 20 20:48:58 2016 ] [ error ] [ client 185.112.0.0 ] client denied by server configuration : / home / sites / web / site . en/public_html/xmlrpc. php [ Wed Jan 20 22:42:02 2016 ] [ error ] [ client 5.255.0.0 ] client denied by server configuration : / home / sites / web / site . en/public_html/xmlrpc. php

Please note that I used the -s 3 construction - using this key, the update interval is set in seconds, i.e. in this case, the files will be reread every 3 seconds.

Viewing logs on Linux with less .

For all its simplicity and convenience, tail has one significant drawback - it only shows the last lines and you do not have the opportunity to see what happened before these entries or at a certain point in time. For such situations, the less utility is better suited.

Let's open the file:

# less /var/log/httpd/domains/big-roll.ru.error.log

[hc@host~] # less /var/log/httpd/domains/big-roll.ru.error.log

As you can see, we can easily scroll through the contents of the file using the cursor arrows and the PgUp and PgDn keys.
A few more useful keys to remember:
q – output;
g - go to the beginning of the file;
G - go to the end of the file;
Ng - go to line N (for example, line 14 14g);
N% - move to position N% (for example, 35%);
F - switch to the file update tracking mode, i.e. similar to tail -f ;
/pattern - direct (down the file) search by pattern;
?pattern - reverse (up the file);
n is the next match of the search pattern;
N is the previous match;
Exit tracking mode Ctrl+C ;
You can see a complete list of all other keys and modes on your own - by pressing h - help (I strongly advise you to press).

Preceding the filename with a pipe character (|) will allow you to use fifo (first in - first out, first in, first out) or named pipe as a message receiver. Before starting (or restarting) syslogd, a fifo must be created using the mkfifo command. Sometimes fifo is used for debugging.

Terminal and console

Terminal such as /dev/console.

remote machine

To forward messages to another host, precede the host name with an at sign (@). Note that messages are not forwarded from the receiving host. (for this assignment to work on the client and server in the file /etc/services line must be written syslog 514/udp, and open UTP port 514)

a list of users

Comma-separated list of users receiving messages (if the user is logged in). This often includes the root user.

All registered users

To notify all registered users using the wall command, use the asterisk character (*).

An example of a simple syslog.conf:

# Print all kernel messages to the console. #kern.* /dev/console # All logs of info level or higher, except emails, and # don't log authentication messages and cron daemon messages! *.info;mail.none;authpriv.none;cron.none /var/log/messages # Log messages containing confidential # authentication information to a separate file, regardless of their level. authpriv.* /var/log/secure # All messages from the mail system are also written to a separate file. mail.* -/var/log/maillog # Log scheduler messages to file /var/log/cron cron.* /var/log/cron # Emergency messages should be received immediately # by all system users *.emerg * # Save messages news of crit level and above into a separate file. uucp,news.crit /var/log/spooler # Store boot messages in boot.log local7.* /var/log/boot.log

As with many configuration files, the syntax is:

• lines beginning with # and empty lines are ignored.
• The * symbol can be used to indicate all categories or all priorities.
• The special keyword none indicates that logging for this category should not be performed for this action.
• A hyphen before the file name (like -/var/log/maillog in this example) indicates that the log should not be synchronized after each write. In the event of a system crash, you may lose information, but disabling synchronization will improve performance.

In the syntax of the configuration file, you can put before the priority sign! to show that the action should not be applied, from this level and up. Similarly, the priority can be prefixed sign = to indicate that the rule only applies to that level, or != to show that the rule applies to all levels except this one. Below are a few examples (man syslog.conf you can find many more examples):

# Send all kernel messages to /var/log/kernel. # Send all critical and higher messages to the remote sysloger machine and console # Send all info, notice and warning messages to /var/log/kernel-info # kern.* /var/log/kernel kern.crit @sysloger kern .crit /dev/console kern.info;kern.!err /var/log/kernel-info # Send all mail system messages except info level to /var/log/mail. mail.*;mail.!=info /var/log/mail

I tried to show the work of syslogd as clearly as possible on the diagram:

Starting the syslogd daemon

The launch of the logging daemon is started at the stage of system initialization by means of a script /etc/rc.d/init.d/syslog, however, in order to set launch options, there is no need to modify this script - starting from version 7.2, launch options are read from a separate configuration file /etc/sysconfig/syslog (/etc/default/syslogin debian).

Here are some possible syslogd daemon startup parameters:

• -a /folder/socket- specifying an additional listening socket (do not forget to create a socket beforehand)
• -d- debug mode. In this case, the daemon does not go into the background and issues all messages to the current terminal;
• -f config-file-name. Specifies the name of an alternate configuration file to be used instead of the default /etc/syslog.conf;
• -l host-list- setting a list of hosts whose names should not be written with the full domain name (FQDN - Full Qwalified Domain Name);
• -m minutes- running without this option, sysklogd logs messages of category mark (time stamps) every 20 minutes. With the -m option, you can either change the interval between marks, or completely stop issuing such messages;
• -p socket- setting an alternative UNIX socket (instead of the default listening /dev/log);
• -r- permission to receive messages from remote hosts;
• -x- prohibition of determining the host name by its address to prevent freezing when working on the same host as the DNS server.
• -v- show version and finish work

After starting the syslogd daemon, a status file is created /var/lock/subsys/syslog zero length, and a file with process ID /var/run/syslogd.pid.

With the command
kill -SIGNAL `cat /var/run/syslogd.pid`

can be sent syslogd daemon one of the following signals: SIGHUP- restarting the daemon; SIGTERM- completion of work; SIGUSR1- enable/disable debug mode.

Actually, two logging daemons are launched in the system - syslogd and klogd. Both daemons are included in the package syslogd.

klogd daemon responsible for logging events that occur in system core. The need for a separate klogd daemon is because the kernel cannot use the standard syslog function. This is because the standard C libraries (including the library that contains the syslog function) are intended to be used only by common applications. Since the kernel also needs logging functions, it includes its own libraries that are not available to applications. Therefore, the kernel uses its own message generation mechanism.

klogd daemon designed to organize the processing of these messages. In principle, it can do this processing entirely on its own and independent of syslogd, such as writing these messages to a file, but in most cases the default klogd setting is used, in which all messages from the kernel are forwarded to the same syslogd daemon.

Automatic rotation (updating filled files) and archiving logs

Over time, the log file tends to grow, especially when a service is running intensively. Accordingly, it is necessary to be able to control the size of the logs. This is done using logrotate commands, which is usually performed cron daemon. I will talk about the work of cron in the following articles. the main objective logrotate commands is to periodically back up the logs and create new clean logs. Several generations of logs are saved and when the last generation log expires, it can be archived (compressed). The result can be sent by mail, for example, to the person responsible for archiving.

To determine the order of rotation and archiving of logs, use configuration file /etc/logrotate.conf . For different logs, you can set different periodicity, for example, daily, weekly or monthly, in addition, you can adjust the number of accumulated generations, as well as specify whether archive copies will be sent to the archive manager and, if so, when. Below is shown example /etc/logrotate.conf file:

# first set default parameters (global options) # update log files weekly weekly # store log archive for the last 4 weeks rotate 4 # create a new (empty) file after rotation (update) create # uncomment if you want saved files were compressed #compress # enable rotation settings from specified directory include /etc/logrotate.d # don't store wtmp, or btmp -- log data rotation settings are as follows: /var/log/wtmp ( missingok monthly create 0664 root utmp rotate 1 ) / var/log/btmp ( missingok monthly create 0664 root utmp rotate 1 ) # specific syslogs can be configured below

Global options are placed at the beginning file logrotate.conf. They are used by default unless something more specific is specified elsewhere. In the example, the logs are rotated weekly and backups are kept for four weeks. As soon as a journal is rotated, a new one is automatically created in place of the old journal. logrotate.conf file may contain specifications from other files. So, it includes all files from the directory /etc/logrotate.d.

This example also contains special rules for /var/log/wtmp and /var/log/btmp(storing information about successful and unsuccessful attempts to enter the system), the rotation of which occurs monthly. If the files are missing, no error message is issued. A new file is created and only one backup is kept.

In this example, when the backup reaches the last generation, it is deleted because it is not defined what to do with it.

Log backups can also be generated when the logs reach a certain size, and scripts can be generated from command sets to run before or after a backup operation. Example:

/var/log/messages ( rotate 5 mail [email protected] size 100k postrotate /usr/bin/killall -HUP syslogd endscript )

In this example the rotation /var/log/messages is produced when it reaches the size of 100 KB. Five backups are accumulated, and when the oldest backup expires, it is mailed to [email protected] The postrotate command word includes a script that restarts the syslogd daemon after rotation is complete by sending a HUP signal. The endscript command word is required to terminate the script, and also if there is a prerotate script. See the man pages for logrotate for more information.

Options, set in the configuration file logrotate.conf:

• compress| no compression(older versions compress or not compress with gzip)
• compress cmd(specifies the compression program, default is gzip)
• uncompress cmd(sets the decompressor, default is ungzip)
• compressext(sets the suffix for compressed files)
• compressoptions(sets the parameters of the compression program; default is "-9", i.e. the maximum compression for gzip)
• copytruncate| nocopytruncate(usually the old version is renamed and a new version of the log is created; with this option, logrotate copies the log to a new file and then truncates the old one; used if the program that creates the log does not know how to close it; records made in the interval between copying and truncation are lost ; would it help if the logging program instead of using append mode just writes to the file using an internal pointer?)
• create[permission-owner-group] | nocreate(immediately after renaming the old version of the log and before calling postrotate, a new log is created with the specified attributes - permissions are set in octal, as in chmod.2; if the attributes are not specified, then they are taken from the old log)
• daily(change of versions in the series occurs daily)
• delaycompress| nodelaycompress(some programs do not immediately close the log, in which case compression should be postponed until the next cycle)
• errorsemail(to whom to report bugs)
• extensionsuffix(specifies the suffix added to the file names during rotation before the compression suffix)
• ifempty| notifempty(change versions even if file is empty; default)
• includeFile name| directory-name (textually substitute a file or all files from the specified directory; subdirectories, special files and files with suffixes from the exclusion list are not included; cannot be used inside a section)
• mailaddress| nomail(when a version change necessitates deleting the old journal, then send it to the specified address)
• mailfirst(send not the deleted version of the log, but the first one)
• maillast(send log version to be deleted; default)
• missingok| nomissingok(don't send error messages if the log is missing)
• monthly(version changes monthly)
• olddirdirectory| noolddir(during a version change, the log is moved to the specified directory; must be on the same physical device)
• postrotate(all further lines up to the endscript line are executed as shell commands after the version change process)
• prerotate(all further lines up to the endscript line are executed before the version change process)
• rotatenumber(how many old versions to keep; if 0, then none)
• sizebyte(version change occurs if the log size exceeds the specified number; you can use the suffixes "k" - kilobyte - and "M" - megabyte)
• shared scripts| nosharedscripts(execute the prerotate and postrotate commands only once for all files described in the section)
• tabooext[+] suffix-list(setting a list of exclusion suffixes for include; if a plus sign is specified, then addition, otherwise replacement; default: .rpmorig, .rpmsave, .rpmnew, ",v", .swp and "~")
• weekly(version changes weekly)

Studying and monitoring journals

Log entries typically contain a timestamp, the name of the host on which the described process is running, and the name of the process. View logs You can use a paging program, for example, less, you can search for specific entries (for example, kernel messages from a specific daemon) using the command grep:

# less /var/log/messages # grep "ppp" /var/log/messages | tail Dec 17 16:34:25 proxy pppd: Connection terminated. Dec 17 16:34:25 proxy pppd: Exit. Dec 17 16:35:57 proxy pppd: LCP terminated by peer (^P]kV^@

The computer may not work constantly and turn off, say at night. Therefore, entries in /var/log/messages are stored cyclically from computer startup to shutdown, this can be seen from the messages:

Dec 17 08:32:56 syslog-server syslogd 1.4-0: restart. Dec 17 08:32:56 syslog-server syslog: syslogd started succeeded Dec 17 08:32:56 syslog-server kernel: klogd 1.4-0, log source = /proc/kmsg started. Dec 17 08:32:56 syslog-server syslog: starting klogd succeeded

Dec 17 08:32:56 syslog-server kernel: Kernel command line: auto BOOT_IMAGE=linux ro root=303 BOOT_FILE=/boot/vmlinuz-2.4.2-2 Dec 17 08:32:56 syslog-server kernel: Memory: 125652k/130560k available (1365k kernel code, 4200k reserved, 92k data, 236k init, 0k highmem) Dec 17 08:32:56 syslog-server kernel: CPU: Intel(R) Pentium(R) 4 CPU 1.60GHz stepping 02

Also, in this file you can find information about disk memory (including information about disk geometry, partition structure and interrupts used), information about peripheral devices, about starting individual services and services, information about connecting file systems and user logon messages. , as well as error messages.

Sometimes it may be necessary system log monitoring to search for current events. For example, you can try to catch a rarely occurring event at the moment it happened. In this case, you can use the command tail with option -f to monitor the contents of the system log. Example:

# tail -f /var/log/messages | grep syslog-server Dec 17 16:46:09 syslog-server pppd: pptpd-logwtmp.so ip-up ppp0 maikop 94.77.0.150 Dec 17 16:46:09 syslog-server pppd: Script /etc/ppp/ip-up finished (pid 12552), status = 0x0 Dec 17 16:46:49 syslog-server pptpd: CTRL: Client 85.175.197.65 control connection started Dec 17 16:46:49 syslog-server pptpd: CTRL: Starting call (launching pppd, opening GRE) Dec 17 16:46:49 syslog-server pppd: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.

In addition to the log files specified in /etc/syslog.conf, there are also other files, such as a file that stores information about the system boot process before syslogd was started, as well as files that have a binary format and store information about the last login of a user to the system, about all successful user logons and about all unsuccessful user logons, respectively. The /var/log/ directory can also contain log files for daemons such as a web server or a proxy server. The format of these files is similar to syslogd logs.

Finally, I would like to emphasize that this protocol is not very secure, because. syslog does not contain any protection against message forgery. Even worse, the use of the UDP protocol allows attackers to send messages on behalf of any host. Your LAN must be shielded from receiving packets with spoofed local addresses (although this does not prevent spoofed messages from being sent from within the LAN) and from receiving packets from outside on port 514/udp. Cases of disk overflow with false messages are known.

The syslog protocol and UDP do not provide guaranteed delivery (messages can be lost due to network congestion or intercepted, corrupted messages are deleted without warning), the correct delivery sequence (the process termination message may arrive before the process start message), priority delivery.

Confidentiality of messages is not ensured, as they are transmitted in clear text.

If you specify an incorrect collector or relay address when setting up the message generator, then there will be no error messages - the messages will be deleted (or written to someone else's log).

Several projects have been proposed to improve the syslog protocol. For example, RFC 3195 proposes a TCP-based logging system (syslog-conn) that ensures that messages are delivered in the correct sequence. The syslog-sign project proposes to provide authentication, message ordering, message integrity, and detection of missing messages by generating special messages containing a digital signature of a block of previous messages while maintaining the standard syslog protocol and format and using UDP.

Let's summarize a little:

Linux has a single daemon responsible for logging the events of the local system and remote systems. All events are collected from socket /dev/log, UDP port - 514, as well as from the "helper" klogd daemon, which sends messages from the kernel. All collected messages are filtered by the syslogd daemon through the rules in the /etc/syslog.conf file and distributed to the appropriate destinations according to the rules. Log files are periodically "cut off". The frequency is determined by the logrotate.conf file and the logrotate command, which is run by the system scheduler - cron.

That's all for today. I hope I described everything as clearly as possible. Over time, I will supplement the article!

Sincerely, Mc.Sim!

Introduction

One of the things which makes GNU/Linux a great operating system is that virtually anything and everything happening on and to the system may be logged in some manner. This information is invaluable for using the system in an informed manner, and should be one of the first resources you use to trouble-shoot system and application issues. The logs can tell you almost anything you need to know, as long as you have an idea where to look first.

Your Ubuntu system provides vital information using various system log files. These log files are typically plain ASCII text in a standard log file format, and most of them sit in the traditional system log subdirectory /var/log . Many are generated by the system log daemon, syslogd on behalf of the system and certain applications, while some applications generate their own logs by writing directly to files in /var/log .

This guide talks about how to read and use several of these system log files, how to use and configure the system logging daemon, syslogd , and how log rotation works. See the resources section for additional information.

Target Audience

This guide will be simple enough to use if you have any experience using the console and editing text files using a text editor. See the end of this document for some essential commands that may help you find your way around these files if you"re relatively new to the command line.

System Logs

System logs deal primarily with the functioning of the Ubuntu system, not necessarily with additional applications added by users. Examples include authorization mechanisms, system daemons, system messages, and the all-encompassing system log itself, syslog.

Authorization Log

The Authorization Log tracks usage of authorization systems, the mechanisms for authorizing users which prompt for user passwords, such as the Pluggable Authentication Module (PAM) system, the sudo command, remote logins to sshd and so on. The Authorization Log file may be accessed at /var/log/auth.log . This log is useful for learning about user logins and usage of the sudo command.

Use grep to cut down on the volume. For example, to see only information in the Authorization Log pertaining to sshd logins, use this:

grep sshd /var/log/auth.log | less

Daemon Log

A daemon is a program that runs in the background, generally without human intervention, performing some operation important to the proper running of your system. The daemon log at /var/log/daemon.log and contains information about running system and application daemons such as the Gnome Display Manager daemon gdm , the Bluetooth HCI daemon hcid , or the MySQL database daemon mysqld . This can help you trouble-shoot problems with a particular daemon.

Again, use grep to find specific information, plugging in the name of the daemon you"re interested in.

debug log

The debug log at /var/log/debug and provides detailed debug messages from the Ubuntu system and applications which log to syslogd at the DEBUG level.

Kernel Log

The kernel log at /var/log/kern.log provides a detailed log of messages from the Ubuntu Linux kernel. These messages may prove useful for trouble-shooting a new or custom-built kernel, for example.

Kernel Ring Buffer

The kernel ring buffer is not really a log file per se, but rather an area in the running kernel you can query for kernel bootup messages via the dmesg utility. To see the messages, use this:

dmesg | less

Or to search for lines that mention the Plug & Play system, for example, use grep like this:

dmesg | grep pnp | less

By default, the system initialization script /etc/init.d/bootmisc.sh sends all bootup messages to the file /var/log/dmesg as well. You can view and search this file the usual way.

System Log

The system log typically contains the greatest deal of information by default about your Ubuntu system. It is located at /var/log/syslog , and may contain information other logs do not. Consult the System Log when you can"t locate the desired log information in another log. It also contains everything that used to be in /var/log/messages .

Application Logs

Many applications also create logs in /var/log . If you list the contents of your /var/log subdirectory, you will see familiar names, such as /var/log/apache2 representing the logs for the Apache 2 web server, or /var/log/samba , which contains the logs for the Samba server. This section of the guide introduces some specific examples of application logs, and information contained within them.

Apache HTTP Server Logs

The default installation for Apache2 on Ubuntu creates a log subdirectory: /var/log/apache2 . Within this subdirectory are two log files with two distinct purposes:

/var/log/apache2/access.log - records of every page served and every file loaded by the web server.

/var/log/apache2/error.log - records of all error conditions reported by the HTTP server

By default, every time Apache accesses a file or page, the access logs record the IP address, time and date, browser identification string, HTTP result code and the text of the actual query, which will generally be a GET for a page view. Look at the Apache documentation for a complete rundown; quite a lot can be gleaned from this file, and indeed many statistical packages exist that perform analyzes of these logs.

Also, every time any error occurs, Apache adds a line to the error log. If you run PHP with error and warning messages disabled, this can be your only way to identify bugs.

CUPS Print System Logs

The Common Unix Printing System (CUPS) uses the default log file /var/log/cups/error_log to store informational and error messages. If you need to solve a printing issue in Ubuntu, this log may be a good place to start.

Rootkit Hunter Log

The Rootkit Hunter utility (rkhunter) checks your Ubuntu system for backdoors, sniffers and rootkits, which are all signs of compromise of your system. The log rkhunter uses is located at /var/log/rkhunter.log .

Samba SMB Server Logs

The Server Message Block Protocol (SMB) server, Samba is popularly used for sharing files between your Ubuntu computer and other computers which support the SMB protocol. Samba keeps three distinct types of logs in the subdirectory /var/log/samba:

log.nmbd - messages related to Samba's NETBIOS over IP functionality (the network stuff)

log.smbd - messages related to Samba's SMB/CIFS functionality (the file and print sharing stuff)

log. - messages related to requests for services from the IP address contained in the log file name, for example, log.192.168.1.1 .

X11 Server Log

The default X11 Windowing Server in use with Ubuntu is the Xorg X11 server, and assuming your computer has only one display defined, it stores log messages in the file /var/log/Xorg.0.log . This log is helpful for diagnosing issues with your X11 environment.

Non-Human-Readable Logs

Some log files found in the /var/log subdirectory are designed to be readable by applications, not necessarily by humans. Some examples of such log files which appear in /var/log follow.

Login Failures Log

The login failures log located at /var/log/faillog is actually designed to be parsed and displayed by the faillog command. For example, to print recent login failures, use this:

faillog

Last Login Log

The last logins log at /var/log/lastlog should not typically be parsed and examined by humans, but rather should be used in conjunction with the lastlog command. For example to see a listing of logins with the lastlog command, displayed one page per screen with the less command, use the following command:

last log | less

Login Record Log

The file /var/log/wtmp contains login records, but unlike /var/log/lastlog above, /var/log/wtmp is not used to show a list of recent logins, but is instead used by other utilities such as the who command to present a listed of currently logged in users. This command will show the users currently logged in to your machine:

who

System Logging Daemon (syslogd)

The system logging daemon syslogd , also known as sysklogd , awaits logging messages from numerous sources and routes the messages to the appropriate file or network destination. Messages logged to syslogd usually contain common elements like system hostnames and time-stamps in addition to the specific log information.

Configuration of syslogd

The syslogd daemon"s configuration file is /etc/syslog.conf . Each entry in this file consists of two fields, the selector and the action. The selector field specifies a facility to be logged, such as for example the auth facility which deals with authorization, and a priority level to log such information at, such as info, or warning. The action field consists of a target for the log information, such as a standard log file (i.e. /var/log/syslog), or the hostname of a remote computer to send the log information to.

Echoing Messages to syslogd With Logger

A neat utility exists in the logger tool, which allows one to place messages into the System Log (i.e. /var/log/syslog) arbitrarily. For example, assume your user name is buddha , and you would like to enter a message into the syslog about a particularly delicious pizza you"re eating, you could use a command such as the following at a terminal prompt:

logger This Pizza from Vinnys Gourmet Rocks

and you would end up with a line in the /var/log/syslog file like this:

Jan 12 23:34:45 localhost buddha: This Pizza from Vinnys Gourmet Rocks

You can even specify a tag the messages come from, and redirect the output standard error too.

# # sample logger error jive # logmsg="/usr/bin/logger -s -t MyScript " # announce what this script is, even to the log $logmsg "Directory Checker FooScript Jive 1.0" # test for the existence of Fred" s home dir on this machine if [ -d /home/fred ]; then $logmsg "I. Fred"s Home Directory Found" else $logmsg "E. Fred"s Home Directory was NOT Found. Boo Hoo." exit 1 fi

Executing this script as chkdir.sh on the machine butters where Fred does not have a home directory, /home/fred , gives the following results:

[email protected]:~$./chkdir.sh MyScript: Directory Checker FooScript Jive 1.0 MyScript: E. Fred's Home Directory was NOT Found. Boo Hoo. [email protected]:~$tail -n 2 /var/log/syslog Jan 12 23:23:11 localhost MyScript: Directory Checker FooScript Jive 1.0 Jan 12 23:23:11 localhost MyScript: E. Fred's Home Directory was NOT Found. Boo Hoo.

So, as you can see, we received the messages both via standard error, at the terminal prompt, and they also appear in our syslog.

log rotation

When viewing directory listings in /var/log or any of its subdirectories, you may encounter log files with names such as daemon.log.0 , daemon.log.1.gz , and so on. What are these log files? They are "rotated" log files. That is, they have automatically been renamed after a predefined time-frame, and a new original log started. After even more time the log files are compressed with the gzip utility as in the case of the example daemon.log.1.gz . The purpose of log rotation is to archive and compress old logs so that they consume less disk space, but are still available for inspection as needed. What handles this functionality? Why, the logrotate command of course! Typically, logrotate is called from the system-wide cron script /etc/cron.daily/logrotate , and further defined by the configuration file /etc/logrotate.conf . Individual configuration files can be added into /etc/logrotate.d (where the apache2 and mysql configurations are stored for example).

This guide will not cover the myriad of ways logrotate may be configured to handle the automatic rotation of any log file on your Ubuntu system. For more details, check the resources section of this guide.

NOTE: You may also rotate system log files via the cron.daily script /etc/cron.daily/sysklogd instead of using logrotate. Actually, the utility savelog may produce unexpected results on log rotation which configuring logrotate seems to have no effect on. In those cases, you should check the cron.daily sysklogd script in /etc/cron.daily/sysklogd and read the savelog manual page to see if savelog is not in fact doing the rotation in a way that is not what you are specifying with logrotate.

Essential Commands

If you"re new to the console and the Linux command line, these commands will get you up and running to the point where you can work with log files at a basic level.

Getting Started

To change to the log directory, where most of these files sit, use the cd command. This saves having to type out a full path name for every subsequent command:

cd /var/log

Editing Files

You can view and edit files in GEdit or Kate, the simple text editors that come with Ubuntu and Kubuntu respectively, but these can be overkill when all you want to do is look at a file or make simple changes. The easiest editor to use from the console is nano, which is less powerful but also less complicated than vim or emacs. The command to edit a particular logfile /var/log/example.log using nano is:

nano example.log

Press Ctrl+X to exit. It will ask if you want to save your changes when you exit, but unless you run it with the sudo command the files won't be writable. In general, you won't want to save your changes to log files, of course.

Viewing Files

To simply look at a file, an editor is overkill. Use the less command, which pages through a file one screen at a time:

less example.log

You don't need sudo to look at a file. Press h for help, or q to quit. The cursor keys and page up/down keys will work as expected, and the slash key ("/") will do a case- sensitive search; the n key repeats the last search.

Viewing the Beginning of Files

To see the first ten lines of a file, use the head command:

head example.log

To see some other number of lines from the beginning of the file, add the -n switch, thus:

head -n 20 example.log

Viewing the End of Files

To see the final ten lines of a file, the analogous command is tail:

tail example.log

Again, the -n switch gives you control over how many lines it displays:

tail -n 20 example.log

Watching a Changing File

Also, the -f ("follow") switch puts tail into a loop, constantly waiting for new additions to the file it's displaying. This is useful for monitoring files that are being updated in real time:

tail -f example.log

Press Ctrl+C to quit the loop.

Searching Files

Because log files can be large and unwieldy, it helps to be able to focus. The grep command helps you strip out only the content you care about. To find all the lines in a file containing the word "system", for example, use this:

grep "system" example.log

To find all the lines containing "system" at the beginning of the line, use this:

grep "^system" example.log

Note the caret symbol, a regular expression that matches only the start of a line. This is less useful for standard log files, which always start with a date and time, but it can be handy otherwise. Not all files have a standard format.

Any time the result of a grep is still too long, you can pipe it through less:

grep "system" example.log | less

resources

Additional information on system and application logs and syslogd is available via the following resources:

Local System Resources

	System manual page for the dmesg kernel ring buffer utility
	System manual page for the faillog command (and also the faillog configuration file via man 5 faillog)
	System manual page for the grep pattern searching utility
	System manual page for the head utility
	System manual page for the kernel log daemon (klogd)
	System manual for the last command which shows last logged in users
	System manual page for the less paging utility
	System manual page for the logger command-line interface to syslog utility
	System manual page for the logrotate utility
	System manual page for the savelog log file saving utility
	System manual page for the system log daemon (syslogd)
	System manual page for the syslogd configuration file
	System manual page for the tail utility

As you know, Linux has a very important sysklogd tool that allows you to keep a log of events occurring in the system. System administrators, and indeed any user who encounters errors, will have to look linux logs to identify the problem and solve it.

All linux log files located in the folder:
/var/log

Linux log files:

messages	Contains global Linux system logs, including those logged at system startup.
dmesg	Contains messages received from the kernel. Registers a lot of messages at the boot stage, they display information about hardware devices that are initialized during the boot process. The number of messages in the log is limited, and when the file is full, with each new message, the old ones will be overwritten.
auth.log	Contains information about user authorization in the system, including user logins and authentication mechanisms that have been used.
boot.log	Contains information that is logged when the system boots.
daemon.log	Includes messages from various background daemons
kern.log	Also contains messages from the kernel, useful in troubleshooting user modules built into the kernel.
last log	Displays information about the last session of all users. This is a non-text file and must be viewed using the lastlog command.
mail.log	logs of the email server running on the system.
user.log	Information from all logs at the user level.
Xorg.x.log	X server message log.
btmp	Contains information about failed login attempts.
cups	All messages related to printing and printers.
cron	Whenever the Cron daemon starts running a program, it writes the report and messages of the program itself to this file.
secure	Contains information related to authentication and authorization.
wtmp	Contains the user logon log. Use the wtmp command to display the contents of this file.
faillog	Contains failed login attempts. Use the faillog command to display the contents of this file.
mysqld.log	Contains MySQL database server log files.

You can view linux logs using several console programs. Let's take a look at a few examples below:

1. Displaying and scrolling text with less:
less /var/log/messages

2. View logs in real time:
tail -f /var/log/messages

3. Open the file with cat:
cat /var/log/dmesg

4. Output the first 10 lines from the file:
head /var/log/dmesg

5. Output the last 10 lines from the file:
tail /var/log/dmesg

6. Output a certain number of lines:
head -n3 /var/log/dmesg
where, -n3 is the number of lines to display.

7. Display only errors:
grep -i error /var/log/messages

In addition to the console and text editors, you can also use the graphical program "System Log Viewer", which will show you in a convenient and visual form logs in linux.