Let’s say you encounter an error, or your server/computer shuts down instantly. What was the cause of it? Normally, you should look at the log files. But what are these log files, where do I find them and how do I interpret them? Are they the same as medical exam results? Should I go to a specialist to interpret them, or do like everyone else and look the error code on Google? In today’s article, we will discuss this subject further.
Looking up things with Grep
Let’s assume you connect to a server with SSH. Searching up text is the easiest way to find your log files. For this task, you can use the tool called Grep. This command line tool can be found on most Linux distributions, can search the log files using regular expressions. The easiest way to do this is to put the text you are looking for in between quotes.
For example, using the following string you can find authentication logs on a Linux system:
$ grep "user ubuntu" /var/log/auth.log Accepted password for ubuntu from 192.168.0.2 port 1222 ssh2 pam_unix(sshd:session): session opened for user ubuntu by (uid=1) pam_unix(sshd:session): session closed for user ubuntu
It can be difficult to find relevant information using regular expressions. If we search for a numerical string like a port number 1222, it can also find timestamps of various files, links, and other irrelevant information.
$ grep "1222" /var/log/auth.log Accepted password for ubuntu from 192.168.0.2 port 1222 ssh2 95.45.21.12 - - [20/Jan/2019:22:55:01 +0020] "GET /scripts/samples/search?q=5281HTTP/1.0" 301 626 "-" "-”
Linux Log files location
The location of where to find various Linux log files is different for each operating system distribution, but the first folder where we should look for them is /var/log/. Other 3rd party software, such as the web servers Apache and nginx dump their log files to the same folder. Other useful information can be gained by reading the file /etc/rsyslog.conf, such as system log specs and folder paths.
Debian 9
/var/log/auth.log
In this location, you can find successful and failed login attempts to your system. Every time a user attempts to invoke commands via sudo, those attempts are listed also.
/var/log/messages
Here you can find general system information logs, such as boot logs, boot errors, or hardware modifications.
/var/log/dmesg
The kernel buffer data can be read using the command dmesg. Here you can find data such as system up-time, kernel messages for each module and much more data about the hardware status and software status on your server. Without further parameters, dmesg shows the entire kernel buffer data. You can use the various parameters to shorten the data output to something that can be read easier.
/var/log/syslog
This location is very important for a Linux system, as every process is free to write data into the syslog by enforcing the syslog interface. It also saves logs of the system upstart and a list of the executed cronjobs.
CentOS 7
As the file system structure is quite similar to the Debian distribution, here we will mention just the extra locations that are not featured in Debian. Please note that all of the above-written data applies in a bigger or smaller ratio to CentOS also.
/var/log/secure
This location is similar to /var/log/auth.log for the Debian operating system. All types of authentication are logged here.
/var/log/messages
There is no difference between /var/log/messages and /var/log/syslog when using the CentOS distribution. With CentOS, all system logs of processes that use syslog can be found in this location.
/var/log/cron
This location is specifically used for cron related logs. They are not put together with syslog as it is the case with Debian.