Linux Log Files and Viewing Commands

An overview of key Linux log files such as syslog, auth.log, and wtmp, along with commands like last, who, and lastlog for viewing logs and logrotate for management.

Linux systems generate various log files to record system activity, errors, and security events. These log files are essential for system monitoring, troubleshooting, and security auditing.

Key Log Files

Log files are typically stored under the /var/log directory.

1. /var/log/messages (or syslog)

  • Content: Records general system-wide information, kernel messages, messages from system daemons, hardware-related events, etc.
  • Location: The filename varies by distribution.
    • Red Hat-based (CentOS, Fedora): /var/log/messages
    • Debian-based (Ubuntu): /var/log/syslog

2. /var/log/secure (or auth.log)

  • Content: Records authentication events and security-related information. Includes login attempts, sudo command executions, SSH connections, etc.
  • Location:
    • Red Hat-based: /var/log/secure
    • Debian-based: /var/log/auth.log

3. /var/log/wtmp

  • Content: Records system login and logout history. Stored in binary format and cannot be read directly with a text editor.
  • Viewing command: last
    last
    
    This command displays user login/logout history, system reboot history, etc.

4. /var/run/utmp (or /var/log/utmp)

  • Content: Records information about currently logged-in users. Also in binary format.
  • Viewing commands: who, w, users
    who    # List of currently logged-in users
    w      # Currently logged-in users and the processes they are running
    users  # Only the names of currently logged-in users
5. /var/log/lastlog

  • Content: Records the last login time for each user. Also in binary format.
  • Viewing command: lastlog
    lastlog
    
    This command displays the last login information for all users on the system.

Viewing and Managing Log Files

Log files grow over time and require regular management.

  • Real-time monitoring: Using the tail command with the -f option, such as tail -f /var/log/syslog, displays content appended to the end of the log file in real time.
  • Searching: The grep command can be used to search for lines containing specific keywords.
    grep "error" /var/log/messages
    
  • Paging: The less or more commands can be used to browse long log files page by page.
    less /var/log/secure
    
  • Log rotation: The logrotate service periodically compresses, deletes, or rotates log files to manage disk space consumption. Configuration is done in /etc/logrotate.conf and files within the /etc/logrotate.d/ directory.
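As an added example (not part of the original page), the following POSIX shell functions combine grep and awk over auth.log-style lines to summarise failed and accepted sshd logins per source address, the kind of check a defender runs before deciding whether an address needs attention. The sample log lines, host name, user names and addresses are constructed for the demonstration; on a Red Hat-based system the same lines would be read from /var/log/secure instead of /var/log/auth.log.

```shell
#!/bin/sh
# Constructed auth.log-style sample (not captured from a real host).
SAMPLE_AUTH_LOG='Mar  3 10:15:01 host sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 40112 ssh2
Mar  3 10:15:03 host sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 40113 ssh2
Mar  3 10:15:09 host sshd[1204]: Failed password for root from 198.51.100.7 port 40120 ssh2
Mar  3 10:16:22 host sshd[1210]: Accepted publickey for alice from 192.0.2.10 port 51022 ssh2: ED25519 SHA256:constructedfingerprint
Mar  3 10:17:00 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/less /var/log/auth.log
Mar  3 10:18:45 host sshd[1220]: Failed password for root from 203.0.113.9 port 33002 ssh2'

# failed_logins_by_source: read auth.log lines on stdin and print
# "<count> <source ip>" for failed sshd password attempts, busiest source first.
# Only sshd lines are matched, so sudo and other daemons' lines are ignored.
failed_logins_by_source() {
    grep 'sshd\[[0-9]*\]: Failed password' \
      | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i+1) }' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2 }'
}

# sources_over_threshold N: print only source IPs with at least N failures.
sources_over_threshold() {
    failed_logins_by_source | awk -v t="$1" '$1 >= t { print $2 }'
}

# accepted_logins: print "<user> <source ip>" for each successful sshd login,
# useful for checking whether a noisy source ever got in.
accepted_logins() {
    grep 'sshd\[[0-9]*\]: Accepted' \
      | awk '{ for (i = 1; i <= NF; i++) {
                 if ($i == "for") u = $(i+1)
                 else if ($i == "from") print u, $(i+1) } }'
}

# Demonstration on the constructed sample; on a live system replace the
# printf with: sudo cat /var/log/auth.log | sources_over_threshold 5
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_logins_by_source
printf '%s\n' "$SAMPLE_AUTH_LOG" | sources_over_threshold 3
printf '%s\n' "$SAMPLE_AUTH_LOG" | accepted_logins
```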

Understanding these log files and commands enables you to maintain Linux system health and respond quickly when issues arise.