Basic Understanding of Log Files in Linux.

Linux system logged all the tasks performed during the operations in the different log files. It is the best practice to go through the logs of the system everyday by system administrator. This will help to find out the system activities carried out by user and troubleshooting issues if any. Third party applications might write in different log directory. 

Normally logrotate happens in regular interval and it is pre-configured for all the log files so the report generated will be only as per the date log file started storing log files. /etc/rsyslog.conf file is the global directives and controls the path and includes what contains should goes into the log files. Following are the log files with path and it’s details description.

/var/log/messages

This is the first place to look in case of any problem. This is the most important log file in Linux system which records system activities like system error messages, system startup and shutdown, services up & down, network configuration etc. This is the normal text file and can be view with cat, less, more and tail command. You can use tail command to display current running log as below.

/var/log/lastlog

Captures the most recent login activity of system users. It shows the details of username, port, login from and Latest login. Below is the command to read /var/log/lastlog file.
$ lastlog

 

/var/log/dmesg

This file contains information of server hardware devices and it’s drivers. It has the information of hardware detected and installed properly or not during boot up. You can refer this file in case of any hardware is not functioning or not getting detected.

 

/var/log/secure

This file is to keep track of successful SSH, Sudo login and other errors logged by system. It also stores messages related to authentication or failed login attempts.

/var/log/audit/audit.log

This file records every activity on the server. With the help of this file we can detect unauthorized activities, it helps to find any security breaches of system policies and you can take additional security measures to prevent them. The file is logged in plain ASCCI format. ausearch, aureport are the tools to extract for readable format.  /etc/audit/auditd.conf is the configuration file.

/var/log/cron

The cron related logs are stored in /var/log/cron, keep tracks of cron and anacron job executed and failed.

/var/log/btmp

This is the binary file and cannot see what is inside in the file with command cat, less and tail etc. or any text editor. The ‘b’ in btmp is ‘bad’. This file records only bad login attempts. You can track brute force attack to gain access in this file so you can take corrective action to block the source IP in firewall to defend. last and lastb is the command to read this file.

Note: You need to keep eye on this file as sometime the file size might increases rapidly, that means someone is trying to brute-force your passwords.

/var/log/wtmp 

This is also a binary file. we can use who and last command to pull the information from /var/log/wtmp file . The ‘w‘ in wtmp is ‘who‘. This file keep login and logout history of users.

What is the difference between pts and tty?

In the output above, we can see pts and tty. Below are the differences.

1. tty – Native terminal device(server/system console)

2. pty – (pseudo terminal device) emulated program i.e putty, xterm or screen etc.

Conclusion: In this tutorial, We have covered some of the important log files which a Linux System admin should monitor daily basis. If i have missed out any other important log file which need to be monitored daily basis, please do mention in comment box below so that we can add those as well. Big thanks for reading all the way to the end. Please share it with Your Friends & Help Someone… and also Like Our Facebook Page.