Log Management
Logs are the chronicles of Linux, recording every event, process, and system message. They act as the system’s diary, helping administrators understand what happened, when, and why. From troubleshooting to auditing, logs are essential for maintaining the health, security, and performance of Linux systems.
What Are Logs?
A log file is a text file that keeps a record of events, processes, and messages generated by the operating system, applications, and users.
Logs act like a diary of the system, helping administrators understand what happened, when, and why. They are essential for troubleshooting, monitoring, and auditing. Most log files live under /var/log.
Types of Logs in Linux
| # | Log Type | Description |
|---|---|---|
| 1 | System logs | Kernel, boot, and hardware events. |
| 2 | Application logs | Messages from installed software (e.g., web servers). |
| 3 | Security logs | Authentication, authorization, and intrusion attempts. |
| 4 | Event logs | Scheduled tasks, cron jobs, and user activities. |
Key Log Files
| # | Log File | Purpose |
|---|---|---|
| 1 | /var/log/syslog | General system messages |
| 2 | /var/log/auth.log | Login attempts and sudo usage |
| 3 | /var/log/kern.log | Kernel-related events |
| 4 | /var/log/dmesg | Boot and hardware messages |
| 5 | /var/log/apache2/access.log | Web server requests |
| 6 | /var/log/cron.log | Scheduled task execution |
Tools for Reading Logs
| # | Command | Description |
|---|---|---|
| 1 | cat | Reads the entire log file |
| 2 | less | Reads logs page by page |
| 3 | tail | Displays the last lines (recent events) |
| 4 | tail -f | Watches logs live as new events are written |
| 5 | grep | Searches for specific patterns in logs |
| 6 | journalctl | Reads logs managed by systemd |
```shell
tail -f /var/log/syslog
# Watch system events live as they happen.
```
Application, Security, Events
- Application logs: Generated by specific programs (web servers, databases, custom apps).
- Security logs: Track authentication, authorization, and intrusion attempts (e.g., auth.log).
- Event logs: Record scheduled tasks and system activities (e.g., cron.log).
- These logs may be written to traditional text files in /var/log/ or fed into the systemd journal.
Systemd and Journal Logs
Most modern Linux distributions use systemd as the init system. It includes systemd-journald, a daemon that collects logs in a structured binary format.
- Responsibilities of systemd:
  - Starting and stopping services
  - Managing dependencies
  - Handling system states (boot, shutdown, sleep)
  - Providing logging via journald
- systemd-journald collects logs from:
  - Kernel (hardware and boot messages)
  - System services (e.g., networking, cron, ssh)
  - Applications
Logs Summary
| # | Log Source | Examples | Where Stored | Access Method |
|---|---|---|---|---|
| 1 | Systemd Journal | Kernel, services, apps | /var/log/journal/ (binary files) | journalctl |
| 2 | Application Logs | Apache, MySQL, Nginx | /var/log/appname/ | cat, less, grep, journalctl |
| 3 | Security Logs | auth.log, firewall logs | /var/log/auth.log, /var/log/secure | journalctl -u ssh.service or text tools |
| 4 | Event Logs | Cron jobs, system events | /var/log/cron.log, systemd journal | journalctl -u cron |
Why Logs Are Important
| Use Case | Description |
|---|---|
| Troubleshooting | Identify why a service failed or why a system crashed. |
| Monitoring | Track performance, resource usage, and unusual activity. |
| Auditing | Review login attempts, file access, and system changes. |
| Automation | Parse logs with tools (Splunk, ELK, journald) for alerts. |
Practical Exercises
```shell
# Query systemd logs for the SSH service
journalctl -u ssh
# Search for failed login attempts
grep "Failed" /var/log/auth.log
# Watch live authentication events
tail -f /var/log/auth.log
# Read system messages
less /var/log/syslog
```
Hackers Quest
Create a Log Investigation Report:
- Explore /var/log/auth.log and identify at least 3 login attempts.
- Use grep to filter failed attempts.
- Document findings: "Who tried to enter Linux, and what happened?"
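The following script is an added example, not part of the original tutorial, that carries out the Practical Exercises and the Log Investigation Report as one POSIX shell script. It applies the same grep-style filtering to a constructed sample of auth.log lines (the host name, user names and IP addresses are placeholders, not data from a real system) and answers "who tried to enter, from where, and what happened". The function names and the sample file path are my own choices.

```shell
#!/bin/sh
# Added example: a small auth.log investigation script (not from the original tutorial).
# The log lines below are constructed sample data; host, users and IPs are placeholders.
SAMPLE_AUTH_LOG='Mar  3 10:01:12 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:01:15 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Mar  3 10:01:20 host1 sshd[1203]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar  3 10:02:01 host1 sshd[1210]: Accepted password for alice from 192.0.2.10 port 40000 ssh2
Mar  3 10:02:30 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Mar  3 10:03:05 host1 sshd[1215]: Failed password for bob from 198.51.100.7 port 42000 ssh2
Mar  3 10:03:40 host1 sshd[1220]: Accepted publickey for bob from 198.51.100.7 port 42010 ssh2'

# Write the sample to a scratch file so every function below takes a file path,
# exactly as it would with the real /var/log/auth.log.
SAMPLE_LOG="${TMPDIR:-/tmp}/auth.log.sample.$$"
printf '%s\n' "$SAMPLE_AUTH_LOG" > "$SAMPLE_LOG"

# count_failed_logins FILE : total number of failed SSH password attempts
count_failed_logins() {
    grep -c 'Failed password' "$1"
}

# failed_by_user FILE : "count user" lines, most frequent first.
# sshd writes "for invalid user NAME" when the account does not exist and
# "for NAME" when it does, so the name sits one or three fields after "for".
failed_by_user() {
    grep 'Failed password' "$1" |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "for") { u = ($(i+1) == "invalid") ? $(i+3) : $(i+1); print u } }' |
        sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# failed_by_source FILE : "count ip" lines, most frequent first
failed_by_source() {
    grep 'Failed password' "$1" |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i+1) }' |
        sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# top_failed_source FILE : the single source address with the most failures
top_failed_source() {
    failed_by_source "$1" | head -n 1 | awk '{ print $2 }'
}

# accepted_logins FILE : "user ip" for each successful SSH login (password or key)
accepted_logins() {
    grep 'Accepted' "$1" |
        awk '{ for (i = 1; i <= NF; i++) { if ($i == "for") u = $(i+1); if ($i == "from") print u, $(i+1) } }'
}

# sudo_commands FILE : "user command" for each sudo invocation recorded in auth.log
sudo_commands() {
    grep 'sudo:' "$1" | sed -n 's/.*sudo: *\([^ ]*\) .*COMMAND=\(.*\)$/\1 \2/p'
}

# report FILE : the investigation report, section by section
report() {
    echo "== Log Investigation Report for $1 =="
    echo "Failed password attempts: $(count_failed_logins "$1")"
    echo "-- Failed attempts by user (count user) --";  failed_by_user "$1"
    echo "-- Failed attempts by source (count ip) --"; failed_by_source "$1"
    echo "-- Successful logins (user ip) --";          accepted_logins "$1"
    echo "-- sudo commands (user command) --";         sudo_commands "$1"
}

report "$SAMPLE_LOG"
rm -f "$SAMPLE_LOG"
```

On a real host, run `report /var/log/auth.log` (reading that file typically requires root or membership of the adm group). On distributions that keep authentication messages in the systemd journal rather than a text file, save the output of `journalctl -u ssh` to a file first; its default format carries the same sshd lines, so the same functions apply.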
Hackers Notebook
The Watchtower of Logs is your eye upon the kingdom. Every whisper, every alarm, every visitor leaves a mark in the chronicles. Learn to read them, and you will foresee troubles before they strike.
