Differences in /var/log/ log files
This is handled differently by different Linux distributions (Ubuntu creates many more files than CentOS/Red Hat, for example) and can be changed quite easily; look at /etc/syslog.conf or /etc/rsyslog.conf.
In addition to different services (which can be logged to the same or different places), there are different levels of logging.
The rationale behind this flexibility must be to allow system administrators to get the right balance for their needs — for example if the system is a mail server, it may be useful to split off the incoming mail and outgoing mail from the general server logs to make tracking what is happening in certain cases easier.
Similarly if a particular application is not behaving as expected, cranking the debug information up might be desirable, but you don’t want this level of debug information mixed in with your logs.
Compounding this is that some programs (fail2ban for example) monitor logs for activity and act on it — having multiple logs provides for better responsiveness and easier configuration.
Log files from the system and from various programs and services live here, notably the login records (/var/log/wtmp, which logs all logins and logouts) and the syslog output (/var/log/messages, where all kernel and system program messages are usually stored). Files in /var/log can grow indefinitely and may require cleaning at regular intervals; this is now normally managed with a log rotation utility such as logrotate, which also handles the automatic rotation, compression, removal and mailing of log files. Logrotate can be set to handle a log file daily, weekly, monthly or when the log file reaches a certain size; normally it runs as a daily cron job. This directory is a good place to start troubleshooting general technical problems.
- /var/log/messages – Contains global system messages, including the messages logged during system startup. Many facilities are logged to /var/log/messages, including mail, cron, daemon, kern and auth.
- /var/log/dmesg – Contains the kernel ring buffer. When the system boots, the kernel prints a number of messages describing the hardware devices it detects during the boot process. These messages live in the kernel ring buffer, and when new messages arrive the oldest ones are overwritten. You can also view the same content with the dmesg command.
- /var/log/auth.log – Contains system authorization information, including user logins and the authentication mechanisms that were used.
- /var/log/boot.log – Contains information logged when the system boots.
- /var/log/daemon.log – Contains information logged by the various background daemons that run on the system.
- /var/log/dpkg.log – Contains information logged when a package is installed or removed with the dpkg command.
- /var/log/kern.log – Contains information logged by the kernel. Helpful when troubleshooting a custom-built kernel.
- /var/log/lastlog – Holds the most recent login information for all users. This is not an ASCII file; use the lastlog command to view its contents.
- /var/log/mail.log – Contains the log output of the mail server running on the system. For example, sendmail logs information about all sent items to this file.
- /var/log/user.log – Contains all user-level log messages.
- /var/log/Xorg.x.log – Log messages from the X server.
- /var/log/alternatives.log – Messages from update-alternatives are logged to this file. On Ubuntu, update-alternatives maintains the symbolic links that determine default commands.
- /var/log/btmp – Contains information about failed login attempts. Use the last command to view the btmp file, for example “last -f /var/log/btmp | more”.
- /var/log/cups – All printer and printing related log messages.
- /var/log/anaconda.log – When you install Linux, all installation-related messages are stored in this log file.
- /var/log/yum.log – Contains information logged when a package is installed using yum.
- /var/log/cron – Whenever the cron daemon (or anacron) starts a cron job, it logs information about the job to this file.
- /var/log/secure – Contains information related to authentication and authorization privileges. For example, sshd logs all its messages here, including unsuccessful logins.
- /var/log/wtmp or /var/log/utmp – Contain login records. Using wtmp you can find out who is logged into the system; the who command uses this file to display that information.
- /var/log/faillog – Contains users’ failed login attempts. Use the faillog command to display the contents of this file.
Apart from the above log files, the /var/log directory may also contain the following sub-directories, depending on the applications running on your system.
- /var/log/httpd/ (or /var/log/apache2/) – Contains the Apache web server access_log and error_log.
- /var/log/lighttpd/ – Contains the lighttpd access_log and error_log.
- /var/log/conman/ – Log files for the ConMan client. conman connects to remote consoles that are managed by the conmand daemon.
- /var/log/mail/ – This subdirectory contains additional logs from your mail server. For example, sendmail stores its collected mail statistics in /var/log/mail/statistics.
- /var/log/prelink/ – The prelink program modifies shared libraries and linked binaries to speed up startup. /var/log/prelink/prelink.log records the .so files that prelink modified.
- /var/log/audit/ – Contains log information stored by the Linux audit daemon (auditd).
- /var/log/setroubleshoot/ – SELinux uses setroubleshootd (SE Trouble Shoot Daemon) to report problems with the security context of files, and logs that information here.
- /var/log/samba/ – Contains log information stored by Samba, which is used to connect Windows clients to Linux.
- /var/log/sa/ – Contains the daily sar files collected by the sysstat package.
- /var/log/sssd/ – Used by the System Security Services Daemon (sssd), which manages access to remote
The general convention is:
- syslog: Everything
- messages: General events, no debug stuff, excludes some errors
- dmesg: Kernel messages, reset on every boot.
What is /var/log/messages?
Operating system log data, Linux's in particular, contains a wealth of diagnostics about the machine. Linux logs everything from kernel operations to users' actions, letting you review practically every activity that took place on the server. Whenever you administer Linux machines, you must know where the log files are usually stored and what they contain. Several log files are specific to the deployment: the directory can also hold logs for programs such as Samba, Apache, lighttpd and mail. In this part we will go through what Linux log files actually are, which directory holds them, and how to analyze them. Take some time while your system is functioning properly to study and understand the contents of the different log files; this will help when there is a failure and you need to dig through the log data to figure out what is wrong.
/var/log/messages:
This file contains general system notifications and the messages recorded at system boot. /var/log/messages holds a variety of messages from facilities such as mail, kern, auth, cron, daemon and so on. Linux log data is a useful debugging resource whenever you run into problems with the Linux operating system, programs or server: it gives a chronology of the actions of the system, applications and framework.
Linux logs are plain text files located in the /var/log directory and its subdirectories. Logging is governed by the accompanying “.conf” file (the syslog configuration mentioned above). When problems emerge, the first thing an administrator should do is examine the log files. For problems with desktop applications, log records may be written to several different destinations: the developer determines where an application publishes its logs and whether the program allows a customized log setup.
For instance, Chrome writes crash reports to ‘/.chrome/Crash Reports’. Everything on Linux has log data: the OS, kernel, package managers, boot routines, Xorg, Apache, MySQL, etc. Note that Ubuntu 20.04 does not record its log in /var/log/messages; it saves those records in /var/log/syslog instead. We will therefore first look for the logs in /var/log/messages on Ubuntu 20.04. Open the command-line shell with the shortcut “Ctrl+Alt+T”, then use the “tail” command with the “-f” flag to follow “/var/log/messages”. In return, we get an error that there is no such file or directory.
In this post we will look at the Linux system logs in particular. First, use the cd command to change to the “/var/log” directory. Then list all its files and folders with the “ls” command. The listing shows the files and folders in this directory, which hold the log records of the system.
As mentioned earlier, most system logs are saved to the “syslog” file in the “/var/log” directory, so we begin by displaying all the log records in “syslog”. This requires sudo privileges: the command starts with “sudo” followed by “cat” to print the “syslog” file. The output displays all the system logs from start to end in the terminal; only a few are shown here to save space.
Let us look at another file containing logs in the “/var/log” directory. This time we have chosen the “dmesg” file, which holds the kernel's boot-time records.
Each record in a log file has a type, i.e., error, failed, warn, etc. Let us refine the sudo command with the “dmesg” keyword, using “grep” to list only the records of the “error” type. The command lists and highlights only the “error” records.
You can also specify more than one record type to display. Within the same “dmesg” command we use the “error”, “warn” and “failed” patterns with grep to display all three types of records; this returns many more records.
To browse the whole log page by page instead of searching for a type, pipe it to “more” instead of “grep”.
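The filtering steps above, as an added example that is not from the original article: it runs the same “grep error” and “grep for error, warn and failed” selection over a few constructed syslog/dmesg-style lines (embedded so it works offline, not output from a real host) and adds a per-type count. The sample_log, filter_log, count_matches and type_summary function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): the article's
# "dmesg | grep error" and "dmesg | grep -E 'error|warn|failed'" steps,
# run over constructed sample lines so the script works offline.
# On a real host, replace sample_log with: sudo dmesg  or  sudo cat /var/log/syslog

# Constructed syslog/dmesg-style lines (not taken from a real system).
sample_log() {
  cat <<'EOF'
Mar  1 10:00:01 host kernel: [    0.000000] Linux version 5.4.0-generic (constructed sample)
Mar  1 10:00:02 host systemd[1]: Started Session 1 of user alice.
Mar  1 10:00:03 host sshd[1234]: Failed password for invalid user admin from 192.0.2.10 port 22 ssh2
Mar  1 10:00:04 host kernel: [   12.345678] EXT4-fs warning (device sda1): ext4_end_bio: I/O error
Mar  1 10:00:05 host cron[555]: (root) CMD (run-parts /etc/cron.hourly)
Mar  1 10:00:06 host kernel: [   20.000000] usb 1-1: device descriptor read/64, error -71
Mar  1 10:00:07 host systemd[1]: apache2.service: Failed with result 'exit-code'.
EOF
}

# Keep only records of the given type(s); $1 is an extended regex such as
# 'error' or 'error|warn|failed'. Matching is case-insensitive because
# programs write "Failed", "failed" and "FAILED" interchangeably.
filter_log() {
  grep -E -i "$1"
}

# Number of records matching a type expression (tr strips wc's padding).
count_matches() {
  sample_log | filter_log "$1" | wc -l | tr -d ' '
}

# Per-type breakdown: one "type=count" line for each record type.
type_summary() {
  for t in error warn failed; do
    printf '%s=%s\n' "$t" "$(count_matches "$t")"
  done
}

echo "== error records =="
sample_log | filter_log 'error'
echo "== error, warn and failed records =="
sample_log | filter_log 'error|warn|failed'
echo "== summary =="
type_summary
```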
You can clear a log when the machine is in a testing regime or if you do not care what was in it. However, if one of your applications fails, its logs are usually the only place where you can get a detailed explanation. If you are positive that none of the records is of any value to you, you may delete them.
There is another way to see the system logs if you do not want to use the shell console of Ubuntu 20.04: the application named “Logs”, which lets you see the different types of logs. Open it through the search bar of your Ubuntu system's Activities area: search for it and click on it to open it.
Here you have all the types of logs on your Ubuntu 20.04 system in the Logs application. It groups the important logs, all logs in one place, application logs, system logs, security logs and hardware logs.
Conclusion:
This article has explained what /var/log/messages is on an Ubuntu 20.04 system. We have discussed commands to list all the generic logs and specific types of log, i.e., warn, failed and error, for specific files in the /var/log/ directory. We have also discussed how to check logs through the Logs application of Ubuntu 20.04.
About the author
Omar Farooq
Hello Readers, I am Omar and I have been writing technical articles for the last decade. You can check out my writing pieces.