Linux Tips for Everyone: Log File Analysis

Written by:  • Edited by: Lamar Stonecypher
Updated Mar 5, 2010

We should all know how to check the system logs in our operating systems. System logs are the starting point for maintenance and troubleshooting, and Linux keeps track of everything for you. Here we discuss Linux troubleshooting via these system logs, what is where and how they help.

Introduction

Linux logs everything, starting from the system boot. If you are curious what happens on your system, you can see everything that happened and read the whole process line by line. Because the logs are text files, you can read them with a text editor of your choice or from the command line. Personally, I want to push users toward the command line, but if you prefer the other way, you can open your text editor and go to File → Open to read the logs.

What Does the Logging? D(a)emons!

(Screenshot: the /var/log directory)
Yes, the daemons do the logging. A daemon (literally, "a little demon") is a process that works in the background, not under the control of the user, responsible for performing many specific tasks, not only logging. Daemons have a "d" at the end of their names; for example sshd is actually a daemon that controls secure shell (ssh) connections. In our case, the two daemons that control the logging are syslogd and klogd.

Linux systems have a ‘logrotate’ command that also runs in the background and prevents the logs from "inflation," that is, it renames the logs so that one log file does not become too big in size. To do that, it appends .1, .2, .3 to the end of the files so that you can see both “what is happening” and “what has happened”. The larger the number, the older the log is. (See the screenshot on the left, which is my computer's /var/log directory. Note the .1.gz, .2.gz files.)

How Many Logs are There?

Many. There are really many logs present on your system. Logs are kept for boot, the kernel, http, mail, news, security and currently logged-in users, to name a few. We will go through each one to see what it does and how it helps us.

Which Events are Logged?

It depends on the configuration. Logging is configured in the /etc/syslog.conf file. In this file, each line has two fields: the first field names the events that are to be logged, and the second field names the log file they are written to. The first field consists of two words separated by a full stop. The first word is the application (facility) to be logged, and the second word is the level of severity.

In logging, there are six severity levels: debugging (debug), information (info), notice, warning, error (err), critical (crit), alert/emergency (alert/emerg). The forms in parentheses are how they are written in syslog.conf. To log everything, a * is used in place of the level. The * can also be used in place of the application. For example,

*.crit /var/log/critical

logs every critical event to the /var/log/critical file. In the same way,

mail.* /var/log/maillog

writes mail messages of every severity to the /var/log/maillog file.
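To see how these selector lines decide where a message goes, here is an added example (not code from the article) that resolves a message's facility and severity against a constructed syslog.conf. It follows the classic syslogd rules, which go a little beyond what is described above: a severity keyword selects that level and everything more severe, several selectors on one line are separated by ";", several facilities by ",", "none" excludes a facility, "=" means exactly that level and "!" turns a selector into an exclusion.

```python
# Added example (not from the article): resolve a message's facility.priority
# against syslog.conf selector lines the way the classic syslogd does.
import re

# Priorities from least to most severe, plus the aliases syslogd accepts.
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}

# Constructed configuration: the article's two lines plus common extras.
SAMPLE_CONF = """
# facility.priority   action
*.crit                /var/log/critical
mail.*                /var/log/maillog
*.info;mail.none      /var/log/messages
auth,authpriv.*       /var/log/auth.log
kern.=debug           /var/log/kern-debug
"""

def level(name):
    """Numeric rank of a priority keyword (higher = more severe)."""
    return PRIORITIES.index(ALIASES.get(name, name))

def line_matches(selectors, facility, priority):
    """Walk one line's ';'-separated selectors left to right; True if its action fires."""
    msg_level, enabled = level(priority), False
    for sel in selectors.split(";"):
        facs, prio = sel.rsplit(".", 1)
        if facility not in facs.split(",") and "*" not in facs.split(","):
            continue                      # selector concerns other facilities
        flags, name = re.match(r"([=!]*)(.*)", prio).groups()
        wanted = "!" not in flags         # '!' turns the selector into an exclusion
        if name == "none":
            enabled = False               # 'none' drops the facility entirely
        elif name == "*":
            enabled = wanted
        elif "=" in flags:                # '=' means exactly this priority
            if msg_level == level(name):
                enabled = wanted
        elif msg_level >= level(name):    # default: this priority and above
            enabled = wanted
    return enabled

def route(conf_text, facility, priority):
    """Return the actions (log files) a message would be written to."""
    targets = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and line_matches(line.split(None, 1)[0], facility, priority):
            targets.append(line.split(None, 1)[1].strip())
    return targets
```

Calling route(SAMPLE_CONF, "mail", "crit") gives both /var/log/critical and /var/log/maillog, while a mail message of severity info goes only to /var/log/maillog because of the mail.none exclusion on the /var/log/messages line.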
