Linux log analysis

Linux log analysis

Learning to view the log file is a very meaningful thing because the program running on the Linux system usually writes some system messages and error messages to the corresponding log. If there is a problem, we can quickly check the log to locate and resolve faults in a timely manner.

Linux log analysis

Three types of logs

  • Kernel and system logs: This kind of log data is managed by the system service rsyslog. According to the settings in its main configuration file /etc/rsyslog.conf, it decides where to record kernel messages and various system program messages. There are quite a few programs in the system that will manage their own log files by rsyslog, so the log records used by these programs have a similar format.
  • User log: This type of log data is used to record information about Linux operating system users logging in and out of the system, including the user name, logged-in terminal, log-in time, source host, and process operation in use.
  • Program log: Some applications will choose to manage a log file by themselves (instead of being managed by the rsyslog service), which is used to record various event information during the running of this program. Since these programs are only responsible for managing their own log files, the log recording format used by different programs may be quite different.
Common log files

/var/log/messages: Record Linux kernel messages and public log information of various applications

/var/log/cron: Record event information generated by crond scheduled tasks

/var/log/dmesg: Records various event information of the Linux operating system during the boot process

/var/log/maillog: Record email activity entering or sending out of the system

/var/log/lastlog: Log recent login events of each user

/var/log/secure: Record security event information related to user authentication

/var/log/wtmp: Log every user login, logout and system startup, and shutdown events

/var/log/btmp: Log failed and incorrect login attempts and verification events

Log priority

Level Word Explanation
0 EMERG Will cause the host system to be unavailable
1 ALERT Problems that must be taken immediately
2 CRIT More serious situation
3 ERR Operation error
4 WARNING Important events that may affect system functions and require users to be reminded
5 NOTICE Events that will not affect normal function, but need attention
6 INFO General information
7 DEBUG Program or system debugging information, etc.