Linux System Log Files

This article explains how to identify system log files on Linux, with specific reference to the information needed for the RHCSA EX200 and RHCE EX300 certification exams.

Remember, the exams are hands-on, so it doesn't matter which method you use to achieve the result, so long as the end product is correct.

Location of System logs

The "/etc/rsyslog.conf" file defines the location of most of the system log files. Most of the file is commented out, but the rules section defines the relevant locations.

#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog


# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

As you can see, the majority of logging is done to the "/var/log" directory, so this is likely to be the first place you will look in the event of a problem. Probably the most common location is the "/var/log/messages" file.

A number of application services log to different locations. For example, the HTTPD service will log errors to the "/etc/httpd/logs/error_log" file by default. In addition, each virtual host defined in the "/etc/httpd/conf/httpd.conf" file can specify its own logging destination.

Log Rotation

A build-up of log information can present a problem, since you would eventually run out of disk space to hold it. To prevent this, Linux automatically performs weekly log rotation under the control of the "/etc/logrotate.conf" file. Each service (or group of services) that requires log rotation has an entry under the "/etc/logrotate.d" directory. These files define how the specific logs should be managed.

# ls -al /etc/logrotate.d
total 64
drwxr-xr-x.   2 root root  4096 Mar 22 10:14 .
drwxr-xr-x. 119 root root 12288 Mar 22 10:08 ..
-rw-r--r--.   1 root root    71 Dec  7 07:19 cups
-rw-r--r--.   1 root root   103 Dec  7 23:33 dracut
-rw-r--r--.   1 root root   185 Dec  7 20:31 httpd
-rw-r--r--.   1 root root   173 Dec  7 22:32 iscsiuiolog
-rw-r--r--.   1 root root   136 Jul  7  2010 ppp
-rw-r--r--.   1 root root   329 Jul  7  2010 psacct
-rw-r--r--.   1 root root   219 Dec  8 01:52 sssd
-rw-r--r--.   1 root root   210 Dec  8 01:11 syslog
-rw-r--r--.   1 root root    32 Apr  8  2010 up2date
-rw-r--r--.   1 root root    95 Mar  9  2011 vsftpd
-rw-r--r--.   1 root root   100 Dec  8 02:03 wpa_supplicant
-rw-r--r--.   1 root root   100 Oct 14 21:37 yum
#

The "syslog" file contains the log rotation instructions for the major system logs.

# cat /etc/logrotate.d/syslog
/var/log/cron
/var/log/maillog
/var/log/messages
/var/log/secure
/var/log/spooler
{
    sharedscripts
    postrotate
	/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}
#

Analyzing Logs

Analyzing log files will typically start with identifying the relevant log file for your issue. If you don't know which log file to check, go to the "/var/log" directory and look at the files available. If nothing jumps out at you as looking relevant, check the "/var/log/messages" file as a starting point.

Once you have found a file to analyze, you can read it using an editor (like vi), or perform file processing operations on it to pull out relevant text.

# grep -i error /var/log/messages

The "tail -f" command is useful for watching continuous writes to log files over a period of time.

# tail -f /var/log/messages

For ideas about processing files, check out this article.

Hope this helps. Regards Tim...
