Linux log analysis

Knowing how to read log files is worth the effort: the programs running on a Linux system write their system messages and error messages to the corresponding log, so when something goes wrong, the log is the quickest way to locate the fault and fix it in time. For a security engineer the same files are also the first evidence of a break-in attempt, which is why the authentication logs below get the most attention.

Three types of logs

  • Kernel and system logs: this kind of log data is managed by the rsyslog system service. Its main configuration file, /etc/rsyslog.conf, decides where kernel messages and the messages of the various system programs are recorded. Many programs on the system hand their logging to rsyslog instead of writing files themselves, so the records of all these programs share a similar format (timestamp, host name, program name and PID, message).
  • User logs: this type of log data records users logging in to and out of the system: the user name, the terminal used, the login time, the source host and the process in use. The files involved (/var/log/wtmp, /var/log/btmp, /var/log/lastlog) are binary, not text, and are read with the last, lastb and lastlog commands rather than with cat or a text editor.
  • Program logs: some applications choose to manage a log file themselves (instead of going through the rsyslog service) and use it to record the events that occur while the program is running. Because each of these programs is responsible only for its own file, the log format can differ considerably from one program to the next.
Common log files

The file names below are the ones used on RHEL/CentOS and similar systems; Debian-based systems use /var/log/syslog and /var/log/auth.log where these use /var/log/messages and /var/log/secure.

/var/log/messages: Linux kernel messages and the general log output of the various applications

/var/log/cron: event information generated by crond scheduled tasks

/var/log/dmesg: kernel ring-buffer messages from the boot process (the same messages the dmesg command prints)

/var/log/maillog: mail activity entering or leaving the system

/var/log/lastlog: the most recent login of each user; binary, read with the lastlog command

/var/log/secure: security events related to user authentication, including sshd logins, su, sudo and PAM messages

/var/log/wtmp: every user login and logout, plus system startup and shutdown events; binary, read with the last command

/var/log/btmp: failed and incorrect login attempts and verification events; binary, read with the lastb command
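The file a security engineer reads first is /var/log/secure. The following shell functions, added here as a worked example (they are not part of the original page), pull the usual signals out of it: failed password attempts grouped by source address, the addresses that exceed a threshold, successful logins to correlate against, and sudo commands. The log lines are constructed sample input in the standard syslog text format, and the function names and the threshold of three failures are my own choices.

```shell
#!/bin/sh
# Constructed sample of /var/log/secure in the traditional syslog text
# format "Mon dd HH:MM:SS host program[pid]: message". Not real data.
SAMPLE_SECURE='Mar  3 10:02:11 web1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Mar  3 10:02:13 web1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 50124 ssh2
Mar  3 10:02:15 web1 sshd[1203]: Failed password for root from 203.0.113.7 port 50130 ssh2
Mar  3 10:02:19 web1 sshd[1205]: Failed password for root from 203.0.113.7 port 50131 ssh2
Mar  3 10:02:40 web1 sshd[1207]: Accepted publickey for deploy from 198.51.100.20 port 44010 ssh2: RSA SHA256:k3y
Mar  3 10:03:01 web1 sshd[1209]: Failed password for root from 198.51.100.9 port 33312 ssh2
Mar  3 10:03:02 web1 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/systemctl restart nginx
Mar  3 10:03:05 web1 sshd[1211]: Failed password for root from 203.0.113.7 port 50140 ssh2
Mar  3 10:03:09 web1 sshd[1213]: Accepted password for root from 203.0.113.7 port 50142 ssh2'

# Failed password attempts per source address, most active first.
# Output: "<count> <ip>" per line. $1 is the log text.
failed_logins_by_ip() {
    printf '%s\n' "$1" |
        awk '/sshd\[[0-9]+\]: Failed password/ {
                 for (i = 1; i <= NF; i++) if ($i == "from") ips[$(i+1)]++
             }
             END { for (ip in ips) print ips[ip], ip }' |
        sort -rn
}

# Addresses with at least $2 failures: candidates for an alert or a block.
brute_force_candidates() {
    failed_logins_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Source addresses of successful logins (password or public key).
accepted_logins() {
    printf '%s\n' "$1" |
        awk '/sshd\[[0-9]+\]: Accepted/ {
                 for (i = 1; i <= NF; i++) if ($i == "from") print $(i+1)
             }'
}

# Addresses that failed at least $2 times AND also have an "Accepted"
# line: a brute force that succeeded, the first thing to investigate.
compromised_candidates() {
    brute_force_candidates "$1" "$2" | while read -r ip; do
        if accepted_logins "$1" | grep -qxF "$ip"; then echo "$ip"; fi
    done
}

# sudo logs to the authpriv facility, so its commands land in the same file.
sudo_commands() {
    printf '%s\n' "$1" | awk -F'COMMAND=' '/ sudo: / { print $2 }'
}

# Usage on a real system: failed_logins_by_ip "$(cat /var/log/secure)"
failed_logins_by_ip "$SAMPLE_SECURE"
compromised_candidates "$SAMPLE_SECURE" 3
```

The second function is the one to watch: a burst of failures followed by an Accepted line from the same address means the password guessing worked, and the matching wtmp entry (last) and the sudo lines that follow show what the intruder did with the session.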

Log priority

Each message carries a priority from 0 (most severe) to 7 (least severe). The keywords are the ones used in /etc/rsyslog.conf selectors, and a selector such as *.info matches messages at that level and at every more severe level, so the table also gives the order in which messages are filtered.

Level  Keyword   Explanation
0      emerg     The system is unusable
1      alert     Action must be taken immediately
2      crit      Critical condition
3      err       Error condition
4      warning   Important event that may affect system functions and should be brought to the user's attention
5      notice    Normal but significant condition that does not affect function yet deserves attention
6      info      General informational message
7      debug     Program or system debugging information
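The priority table is only useful together with the selector syntax of /etc/rsyslog.conf described under "Kernel and system logs" above: a selector facility.priority matches that facility at the given priority and at every more severe one, facility.=priority matches exactly one level, facility.none excludes the facility, and the last selector in a rule that names a facility decides. The shell functions below are an added example, not code from the page, that encode those rules and route a message through the stock CentOS rules, which is why mail, authpriv and cron messages end up in /var/log/maillog, /var/log/secure and /var/log/cron rather than in /var/log/messages. Negated selectors (!priority) and comma-separated facility lists are left out as a simplification, and the function names are my own.

```shell
#!/bin/sh
# Priority keyword -> numeric level, as in /etc/rsyslog.conf (0 is most
# severe). panic/error/warn are the deprecated spellings rsyslog still
# accepts; "*" is only valid in a selector and means every level.
priority_level() {
    case "$1" in
        emerg|panic)  echo 0 ;;
        alert)        echo 1 ;;
        crit)         echo 2 ;;
        err|error)    echo 3 ;;
        warning|warn) echo 4 ;;
        notice)       echo 5 ;;
        info)         echo 6 ;;
        debug|'*')    echo 7 ;;
        *)            return 1 ;;
    esac
}

# One selector "facility.priority" ($1) against a message ($2 facility,
# $3 priority).
#   facility.prio  -> that facility at prio or anything more severe
#   facility.=prio -> exactly prio
#   facility.none  -> never (carves a facility out of a "*" rule)
# Returns 0 on match, 1 otherwise.
selector_matches() {
    sel_fac="${1%%.*}"; sel_prio="${1#*.}"
    [ "$sel_fac" = '*' ] || [ "$sel_fac" = "$2" ] || return 1
    [ "$sel_prio" != none ] || return 1
    msg_lvl=$(priority_level "$3") || return 1
    sel_lvl=$(priority_level "${sel_prio#=}") || return 1
    case "$sel_prio" in
        =*) [ "$msg_lvl" -eq "$sel_lvl" ] ;;
        *)  [ "$msg_lvl" -le "$sel_lvl" ] ;;
    esac
}

# A whole rule ($1), selectors separated by ';'. As in sysklogd/rsyslog the
# last selector that names the message's facility (explicitly or via "*")
# decides, so "*.info;mail.none" drops mail even though "*" matched it.
# Assumption/simplification: "!prio" and "fac1,fac2.prio" are not handled.
rule_matches() {
    rest="$1;"; verdict=1
    while [ -n "$rest" ]; do
        sel="${rest%%;*}"; rest="${rest#*;}"
        fac="${sel%%.*}"
        if [ "$fac" = '*' ] || [ "$fac" = "$2" ]; then
            if selector_matches "$sel" "$2" "$3"; then verdict=0; else verdict=1; fi
        fi
    done
    return $verdict
}

# Which destinations receive a message ($1 facility, $2 priority)?
# The rules are the stock CentOS /etc/rsyslog.conf actions.
route_message() {
    rule_matches '*.info;mail.none;authpriv.none;cron.none' "$1" "$2" && echo /var/log/messages
    rule_matches 'authpriv.*' "$1" "$2" && echo /var/log/secure
    rule_matches 'mail.*' "$1" "$2" && echo /var/log/maillog
    rule_matches 'cron.*' "$1" "$2" && echo /var/log/cron
    rule_matches '*.emerg' "$1" "$2" && echo ':omusrmsg:*'
    return 0
}

route_message authpriv warning   # /var/log/secure only
route_message daemon debug       # nothing: debug is below the info threshold
```

On a live system the same routing can be confirmed with logger: `logger -p authpriv.warning test` appears in /var/log/secure and not in /var/log/messages, while `logger -p daemon.info test` goes to /var/log/messages. The practical consequence for investigations is that an attacker's sshd and sudo activity never reaches /var/log/messages, so reading only that file misses it.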