Logs & Logging

Log Files

Where are your log files?

By strict Unix/Posix standards, log files should be in /var/log/. Sometimes, as with some Apache installations, logs are in the installation directory instead. But generally you can go to /var/log/and find a whole plethora of system logs.

Some daemons have their own directories: /var/log/httpd/, /var/log/samba/, etc.

Note the consecutively numbered log files in several places. These are the result of log file rotation, which is necessary because files have a limit on their size. In Red Hat distros, the logrotate package sets up cron jobs to perform this rotation. The /etc/logrotate.conf configuration file and the configuration files in the /etc/logrotate.d/ directory set up options; by default, logs rotate every week for four weeks. (See Red Hat’s System Administration Guide.)


Which Log Files?

Which logs should you be watching? What should you look for in your logs? These are not simple questions.

How you answer the first question depends on what your server is doing. If it is serving web pages, providing DNS service, running FTP or transferring email, you already know which logs to watch.

The second question might be tougher. Often you’re combing your log files after a hack attempt or a successful break-in, so you know you’re looking for specific evidence, which will, once again, depend on the kind of server you’re running.

Common Linux Log Files in /var/log/
boot.log System startup messages
cron cron and at daemon messages
dmesg System startup hardware detection messages
maillog Sendmail daemon messages
secure Network access messages from sshd, xinetd, and others
wtmp History of all login sessions
rpmpkgs List of packages installed with RPM
xferlog FTP messages
X Windows messages
lastlog Use the lastlog command to view this stored info about users and their last login time.
messages Daemon startup messages


The System Log Daemon

This daemon controls almost all logging on your system. It is configured via the /etc/syslog.conf file, which uses the format:

facility.priority /var/log/<logfile>

The available priorities, in ascending order of urgency, are:




warning or warn

error or err



emerg or panic


Analysis Tools

Consider tools like Webalyzer (here, for source or here, for FC4 RPM). Webalizer provides charting and graphing capabilities, so you can see which pages on your web site (web server) are the most popular, for instance, in full-color pie charts, bar graphs and you-name-it.

Compare Logrep and its Logreplight version.

Also see AWStats, and its awesome live demo.


Monitoring and Alert Tools

A busy web server (or group of them, such as you’d find at an ISP) requires more than after-the-fact analysis.

LogDog is ” A daemon for monitoring syslogd messages and alerting administrators.” The key word here is “alerting” – this is a critical monitoring tool for systems monitored full-time. One Kevin Cox wrote up his experience setting up LogDog with Snort for real-time alerts here.

And then, of course, there’s Snort itself.

Check out Red Hat’s own Log Viewer. Unfortunately this tool is only available with Red Hat Enterprise Linux.

Finally, take a look at TripWire, a dual-license project. The Open Source version is here, and the corporate site here.


Log Rotation

The logrotate utility backs up and clears log files, based on configuration information stored in /etc/logrotate.confcat this file for examples.

On many Linux systems you will find that logrotate is run via a cron job stored as /etc/cron.daily/logrotate.

You can run it manually:

logrotate /etc/logrotate.conf