Thursday, January 30, 2014

linux logging

20 Linux Log Files that are Located under /var/log Directory

by RAMESH NATARAJAN on AUGUST 1, 2011
If you spend a lot of time in a Linux environment, it is essential to know where the log files are located and what each one contains.
When your systems are running smoothly, take some time to learn the content of the various log files; it will help when there is a crisis and you have to look through the logs to identify the issue.

/etc/rsyslog.conf controls what goes into most of these log files. For example, the following is the entry in rsyslog.conf for /var/log/messages.
$ grep "/var/log/messages" /etc/rsyslog.conf
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
In the above output,
  • *.info means messages from every facility at priority info or more urgent (info, notice, warning, err, crit, alert, emerg) are written; debug messages are not.
  • mail.none;authpriv.none;cron.none means messages from those three facilities are excluded from /var/log/messages (they go to their own files, see mail.log, secure and cron below). The parts of a selector are applied left to right, so a later facility.none overrides the earlier *.info for that facility.
  • *.none would exclude every facility; it is only meaningful in combination with other parts of a selector.
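To see how such a selector is actually evaluated, here is an added example (not from the original article) that applies an rsyslog-style selector to a message's facility and severity the way rsyslog decides whether the message reaches /var/log/messages. Modifiers such as =info and !info are not handled; the selector string and the test messages are constructed for the example.

```shell
#!/bin/sh
# Added example: evaluate a selector such as "*.info;mail.none;authpriv.none;cron.none".
# Parts are applied left to right, so a later "facility.none" overrides an
# earlier "*.info" for that facility. Modifiers (=info, !info) are not handled.

# Numeric syslog severity (lower number = more urgent); 99 for an unknown name.
sev_num() {
    case "$1" in
        emerg|panic)  echo 0 ;;
        alert)        echo 1 ;;
        crit)         echo 2 ;;
        err|error)    echo 3 ;;
        warning|warn) echo 4 ;;
        notice)       echo 5 ;;
        info)         echo 6 ;;
        debug)        echo 7 ;;
        *)            echo 99 ;;
    esac
}

# selector_matches SELECTOR FACILITY SEVERITY
# Prints "yes" if a message with FACILITY.SEVERITY is written by a rule whose
# selector is SELECTOR, otherwise "no".
selector_matches() {
    selector=$1; fac=$2
    msg_sev=$(sev_num "$3")
    result=no
    old_ifs=$IFS; IFS=';'
    set -f                                  # "*" in the selector must not glob
    for part in $selector; do
        part_fac=${part%%.*}
        part_pri=${part#*.}
        # A part applies when its facility is "*" or equals the message facility.
        if [ "$part_fac" != '*' ] && [ "$part_fac" != "$fac" ]; then
            continue
        fi
        if [ "$part_pri" = none ]; then
            result=no                       # explicit exclusion, e.g. mail.none
        elif [ "$part_pri" = '*' ]; then
            result=yes
        elif [ "$msg_sev" -le "$(sev_num "$part_pri")" ]; then
            result=yes                      # at least as urgent as the selector priority
        else
            result=no                       # e.g. a debug message under *.info
        fi
    done
    set +f
    IFS=$old_ifs
    echo "$result"
}

SEL='*.info;mail.none;authpriv.none;cron.none'
selector_matches "$SEL" kern info        # yes
selector_matches "$SEL" mail err         # no  (mail.none wins over *.info)
selector_matches "$SEL" daemon debug     # no  (debug is less urgent than info)
```

Run it with the facility and priority you see in a message (logger -p mail.err "test" is a quick way to generate one) to predict which file rsyslog will put it in.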
The following are 20 different log files located under the /var/log/ directory. Some of them are distribution specific. For example, you'll see dpkg.log on Debian-based systems (for example, Ubuntu) and yum.log on Red Hat-based systems (CentOS, Fedora).
  1. /var/log/messages – Contains global system messages, including the messages logged during system startup. Several facilities are logged to /var/log/messages, including mail, cron, daemon, kern and auth, subject to the rsyslog selector shown above. On Debian/Ubuntu the equivalent file is /var/log/syslog.
  2. /var/log/dmesg – Contains the kernel ring buffer as it was at the end of boot. While the system boots, the kernel prints messages about the hardware devices it detects; those messages live in a fixed-size ring buffer, so once it is full new messages overwrite the oldest ones. You can view the current buffer with the dmesg command.
  3. /var/log/auth.log – Contains system authorization information, including user logins and the authentication mechanism that was used (Debian/Ubuntu; the Red Hat equivalent is /var/log/secure, item 18).
  4. /var/log/boot.log – Contains information logged when the system boots.
  5. /var/log/daemon.log – Contains information logged by the various background daemons that run on the system.
  6. /var/log/dpkg.log – Contains information logged when a package is installed or removed using the dpkg command.
  7. /var/log/kern.log – Contains information logged by the kernel. Helpful when troubleshooting a custom-built kernel.
  8. /var/log/lastlog – Records the most recent login of every user. This is not a text file; use the lastlog command to view it.
  9. /var/log/maillog or /var/log/mail.log – Contains the log of the mail server running on the system. For example, sendmail logs every message it sends here.
  10. /var/log/user.log – Contains all user-level (user facility) log messages.
  11. /var/log/Xorg.x.log – Log messages from the X server (Xorg.0.log for the first display).
  12. /var/log/alternatives.log – Information logged by update-alternatives. On Ubuntu, update-alternatives maintains the symbolic links that determine the default commands.
  13. /var/log/btmp – Contains failed login attempts. Use the last command to view it, for example “last -f /var/log/btmp | more” (or simply lastb).
  14. /var/log/cups – All printer and printing related log messages.
  15. /var/log/anaconda.log – When you install Linux with the Red Hat/CentOS/Fedora installer, all installation related messages are stored in this log file.
  16. /var/log/yum.log – Contains information logged when a package is installed, updated or removed using yum.
  17. /var/log/cron – Whenever the cron daemon (or anacron) starts a cron job, it logs information about the job in this file.
  18. /var/log/secure – Contains authentication and authorization messages (the authpriv facility) on Red Hat-based systems. For example, sshd logs all its messages here, including unsuccessful logins.
  19. /var/log/wtmp and utmp – Contain login records. utmp (usually /var/run/utmp) lists who is logged in right now and is what the who command reads; /var/log/wtmp keeps the login history, which the last command reads.
  20. /var/log/faillog – Contains per-user failed login counts. Use the faillog command to display the content of this file.
Apart from the above log files, the /var/log directory may also contain the following sub-directories, depending on the applications running on your system.
  • /var/log/httpd/ (or) /var/log/apache2 – Contains the Apache web server access_log and error_log
  • /var/log/lighttpd/ – Contains the lighttpd access_log and error_log
  • /var/log/conman/ – Log files for the ConMan client. conman connects to remote consoles that are managed by the conmand daemon.
  • /var/log/mail/ – This subdirectory contains additional logs from your mail server. For example, sendmail stores its collected mail statistics in /var/log/mail/statistics
  • /var/log/prelink/ – The prelink program modifies shared libraries and linked binaries to speed up startup. /var/log/prelink/prelink.log records which .so files and binaries prelink modified, which is worth checking when a file-integrity tool reports changed libraries.
  • /var/log/audit/ – Contains the logs written by the Linux audit daemon (auditd).
  • /var/log/setroubleshoot/ – SELinux uses setroubleshootd (SE Trouble Shoot Daemon) to report problems with the security context of files; it logs them in this directory.
  • /var/log/samba/ – Contains the logs written by Samba, which provides SMB/CIFS file and print sharing between Linux and Windows.
  • /var/log/sa/ – Contains the daily sar files collected by the sysstat package.
  • /var/log/sssd/ – Used by the System Security Services Daemon (sssd), which manages access to remote directories and authentication mechanisms.
Instead of manually archiving the log files, cleaning them up after x days or deleting them once they reach a certain size, you can do this automatically using logrotate, as discussed earlier.
To view the log files use any one of the following methods. But please don't do ‘cat | more’.
  • vi – If you are comfortable with the vi commands, use the vi editor for quick log file browsing.
  • tail – If you want to view the content of a log file in real time, as the application is writing to it, use “tail -f”. You can also follow multiple log files at the same time (“tail -f file1 file2”).
  • grep – If you know exactly what you are looking for in a log file, use grep to search for the pattern. The 15 practical grep examples will take away all your excuses for not using grep.
  • less – The less command is very powerful for browsing log files. Use these 10 less command tips to master it.
grep michael /var/log/secure

lastlog | grep michael

lastb

lastb shows all bad (failed) logins; it reads /var/log/btmp, so it is the same as
last -f /var/log/btmp

last reads /var/log/wtmp (login history); who reads utmp (current logins)
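Grepping for a user name shows one account; what you usually want from /var/log/secure (or auth.log) is the other direction: which source addresses are hammering sshd. The following is an added example, not part of the original notes; the log lines are constructed to look like sshd entries and the IP addresses are documentation ranges, not real hosts.

```shell
#!/bin/sh
# Added example: count failed SSH password attempts per source IP from
# /var/log/secure-style lines and flag the addresses above a threshold.
# SAMPLE_SECURE is constructed for this example, not captured from a real host.

SAMPLE_SECURE='Jan 30 10:01:02 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan 30 10:01:05 web1 sshd[2103]: Failed password for root from 203.0.113.7 port 51240 ssh2
Jan 30 10:01:09 web1 sshd[2105]: Accepted publickey for michael from 192.0.2.10 port 40022 ssh2
Jan 30 10:01:11 web1 sshd[2107]: Failed password for michael from 198.51.100.9 port 33001 ssh2
Jan 30 10:01:15 web1 sshd[2109]: Failed password for invalid user oracle from 203.0.113.7 port 51250 ssh2
Jan 30 10:01:20 web1 CRON[2110]: pam_unix(cron:session): session opened for user root by (uid=0)'

# failed_by_ip: read log lines on stdin, print "<count> <ip>" for every source
# address with failed password attempts, busiest first.
failed_by_ip() {
    grep 'sshd\[[0-9]*\]: Failed password' \
    | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk '{print $1, $2}'
}

# ips_over_threshold N: source addresses with at least N failures
# (brute-force candidates worth blocking or reporting).
ips_over_threshold() {
    failed_by_ip | awk -v n="$1" '$1 >= n {print $2}'
}

# On a real host (needs root to read the file): failed_by_ip < /var/log/secure
printf '%s\n' "$SAMPLE_SECURE" | failed_by_ip
printf '%s\n' "$SAMPLE_SECURE" | ips_over_threshold 3
```

The "Accepted publickey" and CRON lines are dropped by the first grep; the sed keeps only the address after the last " from ", so user names containing "from" do not confuse it.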

Thursday, January 23, 2014

for screen

yum install compat-glibc-headers
export C_INCLUDE_PATH=/usr/lib/i686-redhat-linux5E/include/

missing .h files

Try setting C_INCLUDE_PATH (for C header files) or CPLUS_INCLUDE_PATH (for C++ header files).

Tuesday, January 21, 2014

About ifup, ifdown, and ifquery
ifup - bring a network interface up
ifdown - take a network interface down
ifquery - parse interface configuration

Thursday, January 16, 2014

how to add persistent environment variables

cd /etc/profile.d/
touch michael.sh
vi michael.sh
export PATH=$PATH:/usr/local/mysql/bin
:wq
exit
log in again

Every login shell sources the files in /etc/profile.d/ for every user, so the file must be owned by root and writable only by root (chmod 644); otherwise a local user could add a directory of their own to everyone's PATH.

Creating persistent environment variables

Alternatively, to create persistent variables that are truly system-wide (not only for login shells), set them in /etc/environment. That file is read by pam_env, not by a shell, so it takes plain NAME=value lines without export.

solve configure complaining about pkg-config (package not found)

export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig:$PKG_CONFIG_PATH

Another option is
vi /etc/environment
PKG_CONFIG_PATH=/usr/local/lib/pkgconfig
:wq
exit
log in again
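Before making a PATH persistent for every user, it is worth checking what you are about to hand out. The script below is an added example (not from the original notes): it audits a PATH value for the entries that let another user hijack a command name, an empty entry (which means the current directory), a relative entry, or a world-writable directory without the sticky bit. The demo directories are created under mktemp and removed again; nothing on the real system is changed.

```shell
#!/bin/sh
# Added example: audit a PATH value before putting it in /etc/profile.d or
# /etc/environment. Prints one finding per line; prints nothing if clean.

# audit_path PATHVALUE
audit_path() {
    p=$1
    case ":$p:" in
        *::*) echo "empty-entry" ;;      # "::", leading or trailing ":" = current directory
    esac
    old_ifs=$IFS; IFS=':'
    set -f                               # entries must not be globbed
    for dir in $p; do
        [ -n "$dir" ] || continue
        case "$dir" in
            /*) ;;                       # absolute, fine
            *)  echo "relative $dir"; continue ;;
        esac
        if [ ! -d "$dir" ]; then
            echo "missing $dir"
        elif [ -n "$(find "$dir" -maxdepth 0 -perm -0002 ! -perm -1000)" ]; then
            # world-writable and no sticky bit: any user can plant a binary here
            echo "world-writable $dir"
        fi
    done
    set +f
    IFS=$old_ifs
}

# demo_audit: build a throwaway PATH with one of each problem and audit it.
# The temp directory name is replaced by TMP so the output is stable.
demo_audit() {
    d=$(mktemp -d)
    mkdir "$d/safe" "$d/open"
    chmod 755 "$d/safe"
    chmod 777 "$d/open"
    audit_path "$d/safe:$d/open::$d/gone:lib" | sed "s|$d|TMP|"
    rm -rf "$d"
}

demo_audit
# Real use: audit_path "$PATH"  or  audit_path "/usr/local/mysql/bin:$PATH"
```

/tmp is mode 1777 and is not flagged, because the sticky bit stops users from replacing each other's files; a plain 777 directory on PATH has no such protection.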

Installing programs

tar -xf the source archive
navigate into the source directory
mkdir tamp
cd tamp
ldconfig
../configure --prefix=/usr/local
make
make install

The configure script lives in the source directory, not in tamp; running ../configure from inside tamp builds out of tree and leaves the unpacked source untouched.

if there is an error in make

make 2>&1 | grep -i error

go to the first error line, see what the error is and repair it

You have to run the command ldconfig after each library is installed, or the next configure/make will not find it.

Run configure and make as a normal user; only make install needs root, because it writes under /usr/local.


Wednesday, January 15, 2014

error while loading shared libraries: libmpfr.so.4: cannot open shared object file: No such file or directory

cd /
find . -name libmpfr.so.4
Note the directory it lives in (for example /usr/local/lib), then create a file for it under /etc/ld.so.conf.d/:
vi /etc/ld.so.conf.d/myapp.conf

myapp.conf contains one directory per line, for example
/usr/local/lib

after that run the command ldconfig to update the linker cache (very important). Only add directories that root alone can write to: ldconfig puts them on the library search path of every program on the system, setuid ones included.

the DNS server needs ports open in the firewall

port 53, tcp and udp

Linux hints

touch
vi
which

The PATH variable is very important: commands are looked up in its directories, in order, so a wrong or writable entry changes what actually runs.


to test the network
ping google.com        (tests DNS resolution and the route out)
ping 8.8.8.8           (route only; if this works and the name does not, DNS is the problem)
ping the server name
telnet ip portNumber   (checks that a TCP port on the host is reachable and listening)

The library path is set in
/etc/ld.so.conf.d/anytextfile.conf
echo /usr/local/lib > /etc/ld.so.conf.d/foo.conf

use ldconfig -v to see which directories and libraries it picks up

ldconfig to rebuild the cache after adding a library

service --status-all
pidof appname
kill 2951
ps aux


rpm -qp --scripts path/to/rpm/file   (shows the pre/post install and uninstall scripts inside a package file; read them before installing an rpm from an unknown source, since they run as root)

to create a symbolic link

ln -s path/to/the/file link_name





Disable You have new mail in /var/spool/mail/root on centos

Stop mail message from /var/spool/mail

If you're tired of the message "You have mail in /var/spool/mail/root", you can stop it like this:

Edit the file /etc/crontab and change the line MAILTO=root to MAILTO=""

Cron job output is then discarded instead of mailed, so errors from cron jobs will go unnoticed unless the jobs log elsewhere.

Tuesday, January 14, 2014

dhcp limit the scope

Anyway, what you are looking for is in the DHCP MMC:

Right-click on the server name (IPv4)
Choose Properties
Choose the Advanced tab
Choose the Bindings button
Select the active interfaces

Disable the firewall (CentOS 6)

This removes all packet filtering from the host. On a server, prefer leaving iptables running and opening only the ports you need (for example 53 tcp/udp for DNS, above).

# service iptables save
# service iptables stop
# chkconfig iptables off
If you are using the IPv6 firewall, enter:
# service ip6tables save
# service ip6tables stop
# chkconfig ip6tables off

Monday, January 13, 2014

Editing network for centos

(/etc/network/interfaces is the Debian/Ubuntu file; CentOS uses the ifcfg-* files below.)

# vi /etc/sysconfig/network-scripts/ifcfg-eth0

DEVICE=eth0
NM_CONTROLLED=no
ONBOOT=yes           # very important or your network won't come up at boot
HWADDR=00:50:56:37:F1:04
TYPE=Ethernet
BOOTPROTO=none       # fixed address; the documented value is none, not static
IPADDR=192.168.1.8
NETMASK=255.255.255.0
DNS1=8.8.8.8
DNS2=8.8.4.4

## set Default Gateway
# vi /etc/sysconfig/network

NETWORKING=yes
HOSTNAME=web.example.com
GATEWAY=192.168.1.1

then: service network restart

Mount a Linux directory over NFS

on the server
yum install nfs-utils nfs-utils-lib

chkconfig nfs on
service rpcbind start
service nfs start

vi /etc/exports

add the following line
/home           12.33.44.0/24(rw,sync,no_root_squash,no_subtree_check)

/home is the shared folder
12.33.44.0/24 is the client network allowed to mount it (address/prefix length); use your real client subnet, and never * unless you want anyone who can reach port 2049 to mount it
no_root_squash lets root on the client act as root on the exported files; leave it out (the default, root_squash, maps client root to nobody) unless the client genuinely needs it

service nfs restart   (or exportfs -ra to reload /etc/exports without restarting)

on the client

mount 192.168.133.133:/home /home

192.168.133.133 is the server IP, /home after the colon is the exported directory on the server, and the last argument is the local directory to mount it on (it must already exist)
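Since the options in /etc/exports decide who gets root on your files, it pays to review the file before restarting nfs. The script below is an added example, not part of the original notes; the exports content is constructed and includes the line from above.

```shell
#!/bin/sh
# Added example: flag the export options that weaken an NFS share.
#   no_root_squash   client root is root on the server's files
#   insecure         accepts requests from non-privileged source ports
#   * or no host     anyone who can reach port 2049 may mount it
# SAMPLE_EXPORTS is constructed for this example.

SAMPLE_EXPORTS='/home           12.33.44.0/24(rw,sync,no_root_squash,no_subtree_check)
/srv/iso        192.168.133.0/24(ro,sync,root_squash,no_subtree_check)
/srv/pub        *(rw,sync,insecure)
/srv/backup     192.168.133.0/24(rw,sync,no_root_squash,insecure)
# a comment line, ignored
'

# audit_exports: read exports on stdin, print "<path> <client> <finding>" per weakness.
audit_exports() {
    set -f                                   # host specs may contain "*"
    grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' \
    | while read -r path rest; do
        # every remaining token is host(options); an export with no host means "*"
        for spec in $rest; do
            host=${spec%%\(*}
            opts=${spec#*\(}; opts=${opts%\)}
            [ -n "$host" ] || host='*'
            if [ "$host" = '*' ]; then
                echo "$path $host world-exported"
            fi
            case ",$opts," in *,no_root_squash,*) echo "$path $host no_root_squash" ;; esac
            case ",$opts," in *,insecure,*)       echo "$path $host insecure" ;; esac
        done
    done
    set +f
}

# weak_exports: just the export paths that need attention, deduplicated.
weak_exports() {
    audit_exports | awk '{print $1}' | sort -u
}

printf '%s' "$SAMPLE_EXPORTS" | audit_exports
# On the server:  audit_exports < /etc/exports
```

/srv/iso is the only clean line: read-only, root_squash, limited to one subnet. The /home line from this post shows up because of no_root_squash.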

Friday, January 10, 2014

Centos Minimal

yum update

Solving the problem of

Get out the cartridge and clean the sensor area 

How to install syslog-ng

On both the client and server machines:

Download Ubuntu

Run these commands

Update the Linux operating system

sudo apt-get update

sudo apt-get install syslog-ng

Firewall: the server must accept port 514 (tcp, and udp if you keep the udp source below) from the clients. The quick way is to disable it:

sudo ufw disable

On anything other than a lab box, open just that port instead, for example (assuming the clients are on 192.168.133.0/24):

sudo ufw allow from 192.168.133.0/24 to any port 514

Check the internet connection

ping google.com

Check you can reach the server

ping 192.168.133.130

Edit the syslog-ng configuration as root (sudo vi /etc/syslog-ng/syslog-ng.conf). Do not chmod -R 777 /etc/syslog-ng to make it editable: a world-writable config lets any local user redirect or silence the logs.




for the server:
Add the following lines to the file /etc/syslog-ng/syslog-ng.conf

source clients { tcp(ip(0.0.0.0) port(514)); udp(ip(0.0.0.0) port(514)); };

destination clientslogs { file("/var/log/michael"); };

log { source(clients); destination(clientslogs); };

This listens on all interfaces. Plain tcp()/udp() syslog is neither authenticated nor encrypted: any host that can reach port 514 can write into /var/log/michael, and anyone on the path can read the traffic. Bind ip() to the internal interface and firewall the port to the client subnet; for anything crossing an untrusted network use syslog-ng's TLS support instead.




for the client

destination d_tcp { tcp("192.168.133.130" port(514)); };

log { source(s_src); destination(d_tcp); };

(s_src is the default local source already defined in Ubuntu's syslog-ng.conf. The destination is named d_tcp to match the driver it uses; tcp is preferable to udp here because udp silently drops messages when the server or network is busy.)




run the command sudo /etc/init.d/syslog-ng restart on both the client and the server

it should restart without any problems (if it does not, syslog-ng -s checks the configuration syntax)




testing

to check that syslog-ng is listening on port 514 on the server, run the command

sudo netstat -tapen | grep ":514 "

(or, on systems without netstat: sudo ss -ltnup | grep ":514 ")





go to the client machine and run the command

logger "adfklsjvnjkds"

go to the server machine and navigate to the folder /var/log

open the file michael (sudo tail /var/log/michael)

at the end of the file you should find a line containing "adfklsjvnjkds", prefixed with the client's hostname
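Because every client lands in the same /var/log/michael, the manual "look for the token at the end of the file" check answers only one question. The script below is an added example (not from the original post) that answers the three a practitioner actually wants: which hosts delivered the test token, which hosts are reporting at all, and which expected hosts are silent (a misconfigured forwarder or a blocked port looks exactly like a quiet machine). The sample file content is constructed in the default syslog-ng file format: timestamp, host, tag, message.

```shell
#!/bin/sh
# Added example: verify the aggregated syslog-ng file on the server.
# SAMPLE_CENTRAL is constructed; on the server use /var/log/michael instead.

SAMPLE_CENTRAL='Jan 30 12:00:01 client1 michael: adfklsjvnjkds
Jan 30 12:00:02 client2 sshd[1044]: Accepted publickey for michael from 192.168.133.50 port 40022 ssh2
Jan 30 12:00:03 client1 CRON[2201]: (root) CMD (run-parts /etc/cron.hourly)
Jan 30 12:00:05 client3 kernel: [12345.678] usb 1-1: new high-speed USB device
Jan 30 12:00:07 client2 michael: adfklsjvnjkds'

# token_hosts FILE TOKEN: hosts whose logger test message TOKEN reached the server.
token_hosts() {
    grep -F -- "$2" "$1" | awk '{print $4}' | sort -u
}

# reporting_hosts FILE: message count per client host, busiest first.
reporting_hosts() {
    awk '{print $4}' "$1" | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# missing_hosts FILE HOST...: expected hosts with no line at all in FILE.
missing_hosts() {
    f=$1; shift
    for h in "$@"; do
        awk -v h="$h" '$4 == h { found = 1 } END { exit found ? 0 : 1 }' "$f" \
            || echo "$h"
    done
}

tmp=$(mktemp)
printf '%s\n' "$SAMPLE_CENTRAL" > "$tmp"
token_hosts "$tmp" adfklsjvnjkds                 # client1 client2
reporting_hosts "$tmp"
missing_hosts "$tmp" client1 client2 client4     # client4
rm -f "$tmp"
# On the server: token_hosts /var/log/michael adfklsjvnjkds
```

Run missing_hosts with the full list of machines you configured as clients; anything it prints has not delivered a single message and needs its destination, firewall or service checked.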