Logs & Logging

Log Files

Where are your log files?

By strict Unix/POSIX standards, log files should be in /var/log/. Sometimes, as with some Apache installations, logs are in the installation directory instead. But generally you can go to /var/log/ and find a whole plethora of system logs.

Some daemons have their own directories: /var/log/httpd/, /var/log/samba/, etc.

Note the consecutively numbered log files in several places. These are the result of log file rotation, which is necessary because files have a limit on their size. In Red Hat distros, the logrotate package sets up cron jobs to perform this rotation. The /etc/logrotate.conf configuration file and the configuration files in the /etc/logrotate.d/ directory set up options; by default, logs rotate every week for four weeks. (See Red Hat’s System Administration Guide.)


Which Log Files?

Which logs should you be watching? What should you look for in your logs? These are not simple questions.

How you answer the first question depends on what your server is doing. If it is serving web pages, providing DNS service, running FTP or transferring email, you already know which logs to watch.

The second question might be tougher. Often you’re combing your log files after a hack attempt or a successful break-in, so you know you’re looking for specific evidence, which will, once again, depend on the kind of server you’re running.

Common Linux Log Files in /var/log/

boot.log                System startup messages
cron                    cron and at daemon messages
dmesg                   System startup hardware detection messages
maillog                 Sendmail daemon messages
secure                  Network access messages from sshd, xinetd, and others
wtmp                    History of all login sessions
rpmpkgs                 List of packages installed with RPM
xferlog                 FTP messages
Xorg.0.log or XFree86   X Windows messages
lastlog                 Use the lastlog command to view this stored info about users and their last login time.
messages                Daemon startup messages
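As an added example (not part of the original page), here is a small Python script that does the kind of combing described above over /var/log/secure: it counts failed sshd password attempts per source address and flags any accepted login from a source that had already failed repeatedly, which is the first thing to look for after a suspected break-in. The log lines are constructed for this example, with made-up hostname, addresses and PIDs; the "sshd[pid]: Failed password for ..." and "Accepted ... for ..." wording is what OpenSSH's sshd writes through syslog.

```python
import re
from collections import Counter

# Constructed sample in the format sshd and xinetd write to /var/log/secure
# via syslog. Hostname, PIDs and addresses are made up for this example.
SAMPLE_SECURE = """\
Mar  3 02:14:07 web1 sshd[2213]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Mar  3 02:14:09 web1 sshd[2213]: Failed password for invalid user admin from 198.51.100.7 port 51236 ssh2
Mar  3 02:14:12 web1 sshd[2215]: Failed password for root from 198.51.100.7 port 51240 ssh2
Mar  3 02:15:01 web1 sshd[2220]: Accepted publickey for alice from 192.0.2.10 port 40022 ssh2
Mar  3 02:16:44 web1 sshd[2231]: Failed password for bob from 192.0.2.10 port 40030 ssh2
Mar  3 02:17:00 web1 xinetd[811]: START: ftp pid=2240 from=192.0.2.55
Mar  3 02:17:30 web1 sshd[2250]: Accepted password for root from 198.51.100.7 port 51300 ssh2
"""

# "invalid user" is present only when the account does not exist.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def summarize_sshd(text):
    """Return (failures per source address, list of accepted logins).

    Each accepted login is a (source, user, auth method) tuple. Lines from
    other daemons (xinetd here) are ignored.
    """
    failures = Counter()
    accepted = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group("src")] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append((m.group("src"), m.group("user"), m.group("method")))
    return failures, accepted


def suspicious_logins(text, threshold=3):
    """Accepted logins from a source that also produced >= threshold failures.

    A successful login right after a burst of failures from the same address
    is the evidence you are looking for in the secure log.
    """
    failures, accepted = summarize_sshd(text)
    return [entry for entry in accepted if failures[entry[0]] >= threshold]


if __name__ == "__main__":
    failures, accepted = summarize_sshd(SAMPLE_SECURE)
    for src, count in failures.most_common():
        print(f"{count:4d} failed password attempts from {src}")
    for src, user, method in suspicious_logins(SAMPLE_SECURE):
        print(f"SUSPICIOUS: {user} accepted via {method} from {src} after repeated failures")
```

On a real system, run it against the rotated files too (secure.1, secure.2, ...) since the attempts you care about may have been rotated out of the current file already.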


The System Log Daemon

This daemon controls almost all logging on your system. It is configured via the /etc/syslog.conf file, which uses the format:

facility.priority /var/log/<logfile>

The available priorities, in ascending order of urgency, are:

debug

info

notice

warning or warn

error or err

crit

alert

emerg or panic
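The selector on each syslog.conf line means "this facility at this priority or anything more urgent", and when several selectors on one line name the same facility the last one wins, which is how mail.none keeps mail out of /var/log/messages. As an added example (not code from the original page), the Python below parses a small constructed syslog.conf in the Red Hat layout and answers, for a given facility and priority, which destinations would receive the message. It handles the *, none and =priority forms and the alternative spellings listed above; the ! negation form of newer syslogds is not handled.

```python
# Priorities exactly as the text lists them, lowest to highest. The
# alternative spellings map to the same level.
PRIORITIES = ["debug", "info", "notice", "warning", "error", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "err": "error", "panic": "emerg"}

# Constructed sample in the Red Hat layout of /etc/syslog.conf.
SAMPLE_CONF = """\
# Log anything info or higher, except for the facilities with their own file
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
authpriv.*                                  /var/log/secure
mail.*                                      /var/log/maillog
cron.*                                      /var/log/cron
# Everybody gets emergency messages
*.emerg                                     *
"""


def level(priority):
    """Numeric urgency of a priority name (aliases accepted)."""
    return PRIORITIES.index(ALIASES.get(priority, priority))


def parse_syslog_conf(text):
    """Return a list of (selectors, action) pairs.

    Each selector is a (facility, priority) pair; facility '*' means any.
    A line like 'kern,mail.warning /var/log/x' yields two selectors.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # Selector and action are separated by whitespace (tabs in old files).
        selector_part, action = line.split(None, 1)
        selectors = []
        for sel in selector_part.split(";"):
            facilities, priority = sel.split(".", 1)
            for fac in facilities.split(","):
                selectors.append((fac, priority))
        rules.append((selectors, action))
    return rules


def destinations(rules, facility, priority):
    """Actions (log files, or '*' for all users) that receive the message."""
    out = []
    for selectors, action in rules:
        matched = False
        for fac, prio in selectors:
            if fac != "*" and fac != facility:
                continue
            # The last selector naming this facility decides, so a later
            # 'none' can exclude what an earlier '*' included.
            if prio == "none":
                matched = False
            elif prio == "*":
                matched = True
            elif prio.startswith("="):
                matched = level(priority) == level(prio[1:])
            else:
                matched = level(priority) >= level(prio)
        if matched:
            out.append(action)
    return out


if __name__ == "__main__":
    rules = parse_syslog_conf(SAMPLE_CONF)
    for fac, prio in [("authpriv", "info"), ("kern", "warn"), ("mail", "debug"), ("kern", "emerg")]:
        print(f"{fac}.{prio:<8} -> {destinations(rules, fac, prio)}")
```

Note that authpriv.info reaches only /var/log/secure even though *.info is listed first, and a kern.emerg message lands in two places because both the first and the last line match it.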


Analysis Tools

Consider tools like Webalizer (here, for source or here, for FC4 RPM). Webalizer provides charting and graphing capabilities, so you can see which pages on your web site (web server) are the most popular, for instance, in full-color pie charts, bar graphs and you-name-it.

Compare Logrep and its Logreplight version.

Also see AWStats, and its awesome live demo.


Monitoring and Alert Tools

A busy web server (or group of them, such as you’d find at an ISP) requires more than after-the-fact analysis.

LogDog is “A daemon for monitoring syslogd messages and alerting administrators.” The key word here is “alerting” – this is a critical monitoring tool for systems monitored full-time. One Kevin Cox wrote up his experience setting up LogDog with Snort for real-time alerts here.

And then, of course, there’s Snort itself.

Check out Red Hat’s own Log Viewer. Unfortunately this tool is only available with Red Hat Enterprise Linux.

Finally, take a look at TripWire, a dual-license project. The Open Source version is here, and the corporate site here.


Log Rotation

The logrotate utility backs up and clears log files, based on configuration information stored in /etc/logrotate.conf; cat this file for examples.

On many Linux systems you will find that logrotate is run via a cron job stored as /etc/cron.daily/logrotate.

You can run it manually:

logrotate /etc/logrotate.conf
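To show where the consecutively numbered files mentioned under Log Files come from and what logrotate's "keep four" default means, here is an added Python emulation (not logrotate's own code) of its numbered rotation scheme: messages.3 becomes messages.4, messages becomes messages.1, a fresh empty file is created, and the generation beyond the limit is deleted. The simulation runs in a temporary directory on constructed one-line logs; compression, copytruncate and postrotate hooks are left out.

```python
import os
import tempfile


def generations(path, keep):
    """Numbers of the rotated copies (path.1 ... path.keep) that exist."""
    return [n for n in range(1, keep + 1) if os.path.exists(f"{path}.{n}")]


def rotate(path, keep=4):
    """Rotate one log file the way logrotate's numbered scheme does.

    Returns the list of generations present afterwards. keep=4 matches the
    four-week default from /etc/logrotate.conf.
    """
    # The oldest copy would fall off the end, so delete it first.
    oldest = f"{path}.{keep}"
    if os.path.exists(oldest):
        os.remove(oldest)
    # Shift the remaining copies up by one, highest number first so that
    # nothing is overwritten.
    for n in range(keep - 1, 0, -1):
        src = f"{path}.{n}"
        if os.path.exists(src):
            os.rename(src, f"{path}.{n + 1}")
    # The live log becomes generation 1 ...
    if os.path.exists(path):
        os.rename(path, f"{path}.1")
    # ... and a fresh, empty log takes its place.
    open(path, "w").close()
    return generations(path, keep)


def simulate_weeks(weeks=6, keep=4):
    """Write one constructed line per week and rotate weekly.

    Returns {generation: contents} at the end so you can see that only the
    last `keep` weeks survive.
    """
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "messages")
        for week in range(1, weeks + 1):
            with open(path, "a") as f:
                f.write(f"week {week} log data\n")
            rotate(path, keep)
        contents = {}
        for n in generations(path, keep):
            with open(f"{path}.{n}") as f:
                contents[n] = f.read().strip()
        return contents


if __name__ == "__main__":
    for n, text in simulate_weeks().items():
        print(f"messages.{n}: {text}")
```

Two practical points follow from the renaming: a daemon that still holds the old file open keeps writing into messages.1, which is why real logrotate stanzas restart or HUP the daemon in a postrotate block (or use copytruncate); and before running the utility by hand, logrotate -d /etc/logrotate.conf prints what it would do without changing anything.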