This README documents the locations, names and basic functions of major log files under Ubuntu (18.04 and higher).
/var/log - root directory of the majority of log files
- most system logs are generated by the syslog daemon (rsyslog on Ubuntu) to capture system and service activity
- the majority of programs log to files under the /var/log directory
- the OS itself logs through syslog and, because Ubuntu 18.04 and higher run systemd, also through the systemd journal
/var/log/auth.log - information about the authentication and authorization events that happen on the system
- includes sudo commands, SSH logins, and messages from any PAM authentication module used to collect user credentials
/var/log/daemon.log - activity of the background daemons that log through the syslog "daemon" facility; common ones are systemd, logind, gvfsd, etc.
- all such activity is written to this file
/var/log/debug - stores the debug messages sent to syslogd at the DEBUG level by applications or Ubuntu system components
/var/log/kern.log - kernel messages (drivers, hardware, netfilter hits) as written out by the syslog daemon
- separately from this file, the kernel keeps its messages in an in-memory ring buffer of constant size, where the oldest messages are removed to make space for new ones; the buffer is lost on reboot, the file is not
- the ring buffer can be queried using the following command:
dmesg | less
/var/log/syslog - called /var/log/messages on some other systems; contains exhaustive information about the state of an Ubuntu system
- applications or services that do not have their own log files use this file to store logging information
- service logs are system logs that capture information about the state of your services
- if logs about a specific service are not found under /var/log, look at the events recorded by the daemon systemd-journald
- this daemon publishes a single stream combining the log output of all services to the central journal in /run/log/journal (volatile) or /var/log/journal (persistent)
- to follow the data for a specific service, use the following command:
journalctl -f -u {service name}
/var/log/syslog - Ubuntu crontab log; cron has no log file of its own by default
- the following command lets you view just the cron-specific entries in the syslog file:
grep CRON /var/log/syslog
NetworkManager - logs network activity; added to /var/log/syslog by default
- view just the NetworkManager entries with the command:
journalctl /usr/sbin/NetworkManager
/var/log/audit/audit.log - log of the Linux audit framework, written by auditd; present only when the auditd package is installed and the service is running
/var/log/boot.log - boot messages; to read the log messages of the most recent boot on Ubuntu releases that use systemd, use the journalctl command as below:
journalctl -b
/var/crash - the Ubuntu kernel crash dump mechanism collects the state and memory of the kernel when the system crashes and saves it here
- the saved data helps in identifying the root cause of the crash
/var/log/ufw.log - logs associated with the default firewall service, ufw
- use it for identifying odd network activity, spotting attacks, and debugging firewall rules
- the location of the logs is managed by the rsyslog configuration (Ubuntu 18.04 and higher ship rsyslog, so there is no /etc/syslog.conf); the ufw package installs the rule that routes its kernel messages into this file at
/etc/rsyslog.d/20-ufw.conf
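A worked example for the ufw.log entries above, added here and not part of the original README: a POSIX shell script that summarises [UFW BLOCK] lines from a constructed ufw.log sample (the addresses, MAC and timestamps are made up) per source IP and flags sources that were blocked on several distinct destination ports, the usual first sign of a port scan. It assumes the key=value netfilter format ufw's rules log on Ubuntu and ignores [UFW ALLOW] and [UFW AUDIT] lines.

```sh
#!/bin/sh
# Added example (not part of the original README): summarise blocked traffic
# from a ufw.log-style file. The sample lines are constructed in the format
# the kernel's netfilter logging emits for ufw's rules.
set -eu

SAMPLE_UFW_LOG="$(mktemp)"
cat > "$SAMPLE_UFW_LOG" <<'EOF'
Mar  4 10:05:01 host kernel: [ 1203.456789] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  4 10:05:02 host kernel: [ 1204.456789] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=51235 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  4 10:05:03 host kernel: [ 1205.456789] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=51236 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  4 10:06:10 host kernel: [ 1272.123456] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=40100 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  4 10:06:11 host kernel: [ 1273.123456] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=57 ID=4321 DF PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
Mar  4 10:06:12 host kernel: [ 1274.123456] [UFW ALLOW] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=40101 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
EOF

# Helper: print "<SRC> <DPT>" for every [UFW BLOCK] line. Fields are located by
# their key, not by position, because the field count varies by protocol;
# DPT is printed as "-" when the packet has none (e.g. ICMP).
ufw_blocked_pairs() {
    awk '/\[UFW BLOCK\]/ {
            src = ""; dpt = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "") print src, dpt
         }' "$1"
}

# Blocked packets per source IP, most frequent first ("<count> <ip>").
ufw_blocked_by_src() {
    ufw_blocked_pairs "$1" | awk '{ n[$1]++ } END { for (s in n) print n[s], s }' | sort -rn
}

# Distinct destination ports a given source was blocked on, ascending, space separated.
ufw_distinct_dports() {
    ufw_blocked_pairs "$1" | awk -v want="$2" '$1 == want && $2 != "-" { print $2 }' \
        | sort -nu | tr '\n' ' ' | sed 's/ $//'
}

# Sources blocked on at least <threshold> distinct ports (default 3): port-scan
# candidates, printed as "<ip> <distinct port count>".
ufw_port_scan_candidates() {
    ufw_blocked_pairs "$1" | awk -v t="${2:-3}" '$2 != "-" { seen[$1 SUBSEP $2] = 1 }
        END {
            for (k in seen) { split(k, p, SUBSEP); n[p[1]]++ }
            for (s in n) if (n[s] >= t) print s, n[s]
        }' | sort -k2,2nr
}

ufw_blocked_by_src "$SAMPLE_UFW_LOG"
ufw_distinct_dports "$SAMPLE_UFW_LOG" 203.0.113.7
ufw_port_scan_candidates "$SAMPLE_UFW_LOG"
```

Point the functions at the real file (`ufw_blocked_by_src /var/log/ufw.log`) to run them on a live system; the threshold argument of ufw_port_scan_candidates is the knob to tune against your own noise level.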
systemd-journald - log management service daemon in Ubuntu
- edit the location and persistence of the journal (the Storage= setting) in
/etc/systemd/journald.conf
- to view the logging data captured by journald, use the journalctl command
Application logs - useful information about issues happening in application and system components
- error log files specific to an application or service are available in the /var/log folder
- information about user logins and usage of sudo commands is in /var/log/auth.log
- get the SSH logs using the following command:
grep sshd /var/log/auth.log | less
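A worked example for the auth.log entries above (the SSH and sudo records), added here and not part of the original README: a POSIX shell script that extracts failed and accepted SSH logins and sudo invocations from a constructed auth.log sample (the host name, IPs, user names, PIDs and timestamps are made up) and aggregates the failures per source IP, which is what the grep above leaves you to do by eye. It assumes the standard OpenSSH and sudo message formats as rsyslog writes them on Ubuntu.

```sh
#!/bin/sh
# Added example (not part of the original README): pull the events that matter
# out of an auth.log-style file. The sample lines are constructed, in the
# format rsyslog writes to /var/log/auth.log on Ubuntu.
set -eu

SAMPLE_AUTH_LOG="$(mktemp)"
cat > "$SAMPLE_AUTH_LOG" <<'EOF'
Mar  4 10:01:12 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  4 10:01:15 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51124 ssh2
Mar  4 10:01:19 host sshd[1203]: Failed password for root from 203.0.113.7 port 51130 ssh2
Mar  4 10:02:01 host sshd[1210]: Failed password for alice from 198.51.100.23 port 40012 ssh2
Mar  4 10:02:05 host sshd[1210]: Accepted publickey for alice from 198.51.100.23 port 40012 ssh2: ED25519 SHA256:constructedfingerprint
Mar  4 10:03:00 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Mar  4 10:03:30 host CRON[1300]: pam_unix(cron:session): session opened for user root by (uid=0)
EOF

# Failed SSH password attempts per source IP, most frequent first ("<count> <ip>").
# The IP is taken as the word after "from" so "invalid user" lines parse too.
failed_ssh_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
         }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Source IPs whose failure count reaches the threshold (default 3): brute-force candidates.
brute_force_candidates() {
    failed_ssh_by_ip "$1" | awk -v t="${2:-3}" '$1 >= t { print $2 }'
}

# Successful SSH logins as "<ip> <user> <method>", so a later success from a
# noisy IP is easy to correlate with the failures above.
accepted_ssh_logins() {
    awk '/sshd\[[0-9]+\]: Accepted/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "Accepted") m = $(i + 1)
                if ($i == "for")      u = $(i + 1)
                if ($i == "from")     a = $(i + 1)
            }
            print a, u, m
         }' "$1"
}

# Commands run through sudo, as "<invoking user> <command line>".
sudo_commands() {
    sed -n 's/.* sudo: *\([^ ]*\) : .*COMMAND=\(.*\)$/\1 \2/p' "$1"
}

failed_ssh_by_ip "$SAMPLE_AUTH_LOG"
brute_force_candidates "$SAMPLE_AUTH_LOG"
accepted_ssh_logins "$SAMPLE_AUTH_LOG"
sudo_commands "$SAMPLE_AUTH_LOG"
```

On a live system pass /var/log/auth.log (or the output of `journalctl -u ssh` saved to a file) instead of the sample; an IP that appears in brute_force_candidates and then in accepted_ssh_logins is the case worth investigating first.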
- analyze application logs as the first step when attempting to identify the source of an application error
Apache logs - two types:
/var/log/apache2/access.log - the server's response codes, resource access information, time of access, source IP address, and other details
- note the many other log files in the apache2 folder
/var/log/apache2/error.log - errors that happen while the Apache server processes requests
- helpful for troubleshooting Apache server issues and can contain insights into the root cause
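A worked example for the access.log entries above, added here and not part of the original README: a POSIX shell script that parses a constructed access.log sample in Apache's default "combined" format (the client IPs, paths, timestamps and user agents are made up) and reports responses per status code, clients that collect 4xx/5xx responses, and the paths behind a given status, so a scanner probing for admin pages stands out. It assumes the combined format; the status is located by pattern rather than by field number so that a malformed request line logged as "-" is still counted.

```sh
#!/bin/sh
# Added example (not part of the original README): pull status-code and
# client statistics out of an Apache access.log in the default "combined"
# format. The sample lines are constructed.
set -eu

SAMPLE_ACCESS_LOG="$(mktemp)"
cat > "$SAMPLE_ACCESS_LOG" <<'EOF'
203.0.113.7 - - [04/Mar/2024:10:10:01 +0000] "GET /wp-login.php HTTP/1.1" 404 209 "-" "Mozilla/5.0 (scanner)"
203.0.113.7 - - [04/Mar/2024:10:10:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0 (scanner)"
203.0.113.7 - - [04/Mar/2024:10:10:03 +0000] "GET /.env HTTP/1.1" 403 199 "-" "Mozilla/5.0 (scanner)"
198.51.100.23 - - [04/Mar/2024:10:11:00 +0000] "GET / HTTP/1.1" 200 3042 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0"
198.51.100.23 - - [04/Mar/2024:10:11:05 +0000] "GET /about HTTP/1.1" 200 1820 "http://example.test/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0"
192.0.2.44 - - [04/Mar/2024:10:12:00 +0000] "POST /api/login HTTP/1.1" 500 0 "-" "curl/8.5.0"
192.0.2.44 - - [04/Mar/2024:10:12:01 +0000] "-" 400 0 "-" "-"
EOF

# Helper: print "<client ip> <status> <path>" per request. The status is the
# first '" NNN ' after the quoted request line, not a fixed field number, so a
# malformed request logged as "-" (a 400) is still counted; its path prints as "-".
apache_requests() {
    awk '{
            if (match($0, /" [0-9][0-9][0-9] /)) {
                status = substr($0, RSTART + 2, 3)
            } else next
            path = "-"
            if (match($0, /"[A-Z]+ [^ "]+ HTTP\/[0-9.]+"/)) {
                split(substr($0, RSTART + 1, RLENGTH - 2), req, " ")
                path = req[2]
            }
            print $1, status, path
         }' "$1"
}

# Responses per status code, ascending by code ("<status> <count>").
apache_status_counts() {
    apache_requests "$1" | awk '{ n[$2]++ } END { for (s in n) print s, n[s] }' | sort -n
}

# Clients with at least <threshold> 4xx/5xx responses (default 2), most first ("<count> <ip>").
apache_error_clients() {
    apache_requests "$1" | awk -v t="${2:-2}" '$2 ~ /^[45]/ { n[$1]++ }
        END { for (ip in n) if (n[ip] >= t) print n[ip], ip }' | sort -rn
}

# Distinct paths that produced a given status, e.g. the 404s a scanner probed for.
apache_paths_for_status() {
    apache_requests "$1" | awk -v want="$2" '$2 == want && $3 != "-" { print $3 }' | sort -u
}

apache_status_counts "$SAMPLE_ACCESS_LOG"
apache_error_clients "$SAMPLE_ACCESS_LOG"
apache_paths_for_status "$SAMPLE_ACCESS_LOG" 404
```

Run the same functions over /var/log/apache2/access.log (and the rotated access.log.1 files) on a live server; the 404 path list is usually the quickest way to recognise automated scanning, since real users rarely ask for /wp-login.php on a site that does not run WordPress.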
Docker container logs - saved to the folder /var/lib/docker/containers/ (one subdirectory per container; with the default json-file logging driver the log is the <container id>-json.log file inside it)
- access them using the following command:
docker logs [OPTIONS] <CONTAINER-NAME OR ID>
MySQL logs - in /var/log/mysql/, or /var/log/, or sometimes both
/var/log/postgresql/postgresql-<version>-main.log - (<version> is the PostgreSQL major version, e.g. 14; releases before 10 used a two-part number such as 9.6)
- by default, PostgreSQL writes its log to stderr
- Ubuntu's cluster tooling redirects that stderr into the file above; if the logging_collector parameter is enabled instead, the server writes its own log files into the directory named by log_directory (by default "log" inside the data directory)
- quickest way to locate the postgres log files:
pg_lsclusters
- the "Log file" column shows the full path of each cluster's current log file
/var/log/faillog - per-user record of failed login attempts maintained by PAM; a binary file, read with the faillog command
/var/log/lastlog - binary record of the most recent login of every user; to parse the log and view a list of last logins to the system, use the following command:
lastlog | less
/var/log/wtmp - binary history of logins, logouts and reboots (read with the last command); failed logins go to /var/log/btmp (read with lastb)
- the users currently logged into the system are kept in /var/run/utmp, which can be parsed by command line utilities such as the command
who
- See the bottom of the website cited under Refs for more information on working with logs in Ubuntu