An Introduction To Linux Log Files



A log file, as you may well have guessed, provides a timeline of events for the Linux operating system, applications and services.

The files are stored in plain text to make them easy to read. This guide provides an overview of where to find the log files, highlights a few of the key logs and explains how to read them.

Where Can You Find Linux Log Files

Linux log files are normally stored in the folder /var/log.

The folder will contain a large number of files and you can get information for each application.

For example, when I run the ls command in my /var/log folder, here are a few of the logs available:

  • kern.log
  • auth.log
  • bootstrap.log
  • alternatives.log
  • samba
  • cups
  • lightdm

The last three in that list are folders but they have log files within the folders.

As the log files are in plain text format I can read them by typing the following command:

nano <logfilename>

The above command opens the log file in an editor called nano. If the log file is small then it is OK to open it in an editor, but if the log file is large then you are probably only interested in reading the tail end of the log.

The tail command lets you read the last few lines in a file as follows:

tail <logfilename>

You can specify how many lines to show with the -n switch as follows:

tail -n <numberoflines> <logfilename>

Of course if you want to see the beginning of the file you can use the head command.

Key System Logs

The following log files are the main ones to look out for within Linux.

  • Authorisation Log
  • Daemon Log
  • Debug Log
  • Kernel Log
  • System Log

The authorisation log (auth.log) tracks use of the authorisation systems which control user access. 

The daemon log (daemon.log) tracks services that run in the background which perform important tasks.

Daemons tend to have no graphical output.

The debug log provides debug output for applications.

The kernel log provides details about the Linux kernel.

The system log contains the most information about your system and if your application doesn't have its own log the entries will probably be in this log file.

Analysing The Contents Of A Log File

The image above shows the contents of the last 50 lines within my system log file (syslog).

Each line in the log contains the following information:

For instance one line in my syslog file is as follows:

jan 20 12:28:56 gary-virtualbox systemd[1]: starting cups scheduler

This tells me that the cups scheduling service has been started at 12.28 on the 20th January. 
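
The line quoted above follows the traditional syslog layout: timestamp, host name, the program that wrote the entry (with its process ID in brackets when it has one), then the message. The following shell functions are an added example, not part of the original guide, that split such lines into those fields and count entries by the program field rather than by searching the whole line, because message text is free-form and can mention any program name. The first sample line is the one from the guide; the other three, including the program name myapp, are constructed for illustration.

```shell
#!/bin/sh
# Added example. The first sample line is the one quoted in the guide;
# the other three (and the program name "myapp") are constructed.
sample_log() {
cat <<'EOF'
jan 20 12:28:56 gary-virtualbox systemd[1]: starting cups scheduler
jan 20 12:28:57 gary-virtualbox kernel: usb 1-1: new device found
jan 20 12:29:03 gary-virtualbox myapp[2040]: input was: systemd[1]: starting cups scheduler
jan 20 12:29:10 gary-virtualbox systemd[1]: started cups scheduler
EOF
}

# Read syslog lines on stdin, print "timestamp|host|program|pid|message".
# The header is taken by position (fields 1-5); the message is never searched.
parse_syslog() {
    awk '
    NF >= 5 && $5 ~ /:$/ {
        ts = $1 " " $2 " " $3
        host = $4
        tag = $5
        sub(/:$/, "", tag)                 # "systemd[1]:" -> "systemd[1]"
        pid = "-"                          # kernel lines carry no PID
        if (match(tag, /\[[0-9]+\]$/)) {
            pid = substr(tag, RSTART + 1, RLENGTH - 2)
            tag = substr(tag, 1, RSTART - 1)
        }
        msg = $0                           # drop the five header fields
        for (i = 1; i <= 5; i++) sub(/^ *[^ ]+ */, "", msg)
        print ts "|" host "|" tag "|" pid "|" msg
    }'
}

# Count lines whose program field equals $1 (not lines that merely mention it).
count_from() {
    parse_syslog | awk -F"|" -v want="$1" '$3 == want { n++ } END { print n + 0 }'
}

sample_log | parse_syslog
echo "lines logged by systemd: $(sample_log | count_from systemd)"
```

On the sample, a plain grep for systemd[1] matches three lines, while the field-based count reports the two entries that systemd actually wrote.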

Rotating Logs

Log files rotate periodically so that they don't get too big.

The logrotate utility is responsible for rotating log files. You can tell when a log has been rotated because its file name will be followed by a number, such as auth.log.1, auth.log.2.

It is possible to change the frequency of log rotation by editing the file /etc/logrotate.conf

The following shows a sample from my logrotate.conf file:

#rotate log files
weekly

#keep 4 weeks worth of log files
rotate 4

#create new log files after rotating
create

As you can see my log files rotate every week and there are 4 weeks worth of log files kept at any point in time.

When a log file rotates a new one is created in its place.

Each application can have its own rotation policy. This is obviously useful because the syslog file is going to grow more rapidly than the cups log file.

The rotation policies are kept in /etc/logrotate.d. Each application that requires its own rotation policy will have a configuration file in this folder.

For example the tool apt has a file in my logrotate.d folder as follows:

/var/log/apt/history.log { 
rotate 12

Basically this file tells me the following. The log will keep 12 weeks worth of log files and rotates every month (1 per month). The log file will be compressed. If no messages are written to a log (i.e. it is empty) then this is acceptable. The log will not rotate if it is empty.

To amend the policy of a file, edit the file with the settings you require and then run the following command, which forces a rotation using the given configuration file:

logrotate -f /etc/logrotate.conf
