Getting Started with Linux Log Files

This article covers Linux log files: where they are stored, which Linux distributions use each log, and what is written to them. Logs are an essential part of managing your server, and most applications come with their own logging as well.

Prerequisites:

• Server running a Linux operating system.

How do I view log files on Linux?

Log in to your server as root or a sudo user using SSH or the console. Most logs are kept in the same location, /var/log, so we’ll navigate there using the following command:

# cd /var/log

Now that we’ve switched to the /var/log directory, we’ll list the files within it using the following command:

# ls

Within this directory, we’ll find a number of different log files. Below is a list that gives the name of each log file (or the subdirectory it resides in by default), which Linux operating system it is found on, and what is logged to it.

  • /var/log/alternatives.log (Ubuntu®, Debian®)

    Information logged by update-alternatives is written to this log file.

  • /var/log/apache2/access.log (Ubuntu, Debian)

    Stores requests, such as GET and POST requests, that are processed by the Apache® service.

  • /var/log/apache2/error.log (Ubuntu, Debian)

    Stores Apache errors and diagnostic information found while serving requests.

  • /var/log/audit/audit.log

    Stores information from the Linux audit daemon auditd. This log contains information about the files on which users have performed reads or writes.

  • /var/log/auth.log

    Contains authorization information, such as user logins and what the authentication method was.

  • /var/log/boot

    Contains information about the boot process once the kernel has loaded. This includes information such as system file checks, mounting a file system, starting a firewall, starting network devices, and starting services.

  • /var/log/btmp

    Contains failed login attempts. This file is binary, so you’ll have to use the last command to view it:

    # last -f /var/log/btmp | more

  • /var/log/cron

    Stores information from the cron daemon and anacron after they start a cron job.

  • /var/log/dmesg

    Contains kernel related information about hardware and devices it detects during the boot process. This file is overwritten upon each reboot.

  • /var/log/dpkg.log (Ubuntu, Debian)

    Stores information that is logged when a new package is installed or removed by using the dpkg command.

  • /var/log/faillog

    Contains failed user login attempts. Use the command faillog to retrieve the contents.

  • /var/log/kern.log (Ubuntu, Debian, and can be configured for CentOS® and RHEL®)

    Contains log details from the kernel during system bootup, as well as any kernel errors or messages sent from the kernel.

  • /var/log/lastlog

    Displays recent login information.

  • /var/log/maillog.log (CentOS, RHEL)

    Stores information from the mail server that is running on your system, such as Postfix logging information.

  • /var/log/mail.log (Ubuntu, Debian)

    Stores information from the mail server that is running on your system, similar to what maillog.log does for the CentOS and RHEL flavors.

  • /var/log/mail

    This is a subfolder that contains any additional logs created for use by your mail server.

  • /var/log/messages (CentOS/RHEL)

    Contains global system messages, including the messages logged during boot.

  • /var/log/sa

    Contains daily sar files collected by the sysstat package.

  • /var/log/secure (CentOS/RHEL)

    Stores information related to authentication and authorization privileges. For example, sshd logs information here, including unsuccessful attempts.

  • /var/log/wtmp or /var/log/utmp

    Contains login records and shows who is currently logged into the system. The who command uses this file to display the information.

  • /var/log/yum.log (CentOS/RHEL)

    Stores information logged when a package is installed or removed.
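As an added example that is not part of the original article, the POSIX shell script below shows how the sshd entries found in /var/log/auth.log (Ubuntu, Debian) or /var/log/secure (CentOS, RHEL) can be summarised to spot failed and successful SSH logins. The log lines are constructed and embedded so the script runs offline; on a real server you would pipe the actual file into the functions instead (for example, failed_ssh_by_ip < /var/log/auth.log).

```shell
#!/bin/sh
# Added example (not from the original article): summarise SSH login events
# from auth.log / secure style lines. Everything below the sample is plain
# grep/sed/sort/awk, so it works on any Linux server without extra tools.

# Constructed sample of sshd entries in the syslog format used by auth.log.
# Addresses are from the documentation ranges (203.0.113.0/24, 198.51.100.0/24).
SAMPLE_AUTH_LOG='Mar  3 10:01:12 web1 sshd[2231]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2
Mar  3 10:01:15 web1 sshd[2231]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2
Mar  3 10:01:19 web1 sshd[2240]: Failed password for root from 203.0.113.5 port 51130 ssh2
Mar  3 10:02:02 web1 sshd[2255]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2: ED25519 SHA256:constructed
Mar  3 10:02:40 web1 sshd[2260]: Failed password for deploy from 198.51.100.9 port 40100 ssh2
Mar  3 10:03:00 web1 CRON[2270]: pam_unix(cron:session): session opened for user root by (uid=0)'

# Count "Failed password" events per source address, most frequent first.
# Reads log lines on stdin; prints "<count> <ip>" per line.
failed_ssh_by_ip() {
    grep 'sshd\[[0-9]*\]: Failed password' \
        | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{print $1, $2}'
}

# Count successful logins per user and authentication method
# (password / publickey). Prints "<count> <user> <method>" per line.
accepted_by_user() {
    grep 'sshd\[[0-9]*\]: Accepted' \
        | sed -n 's/.*Accepted \([a-z]*\) for \([^ ]*\) from .*/\2 \1/p' \
        | sort | uniq -c | awk '{print $1, $2, $3}'
}

# Run one of the report functions over the embedded sample.
report_on_sample() {
    printf '%s\n' "$SAMPLE_AUTH_LOG" | "$1"
}

# Demo when executed directly: the sample yields 3 failures from 203.0.113.5,
# 1 from 198.51.100.9 and one accepted publickey login for "deploy".
echo "Failed SSH logins by source IP:"
report_on_sample failed_ssh_by_ip
echo "Accepted SSH logins by user and method:"
report_on_sample accepted_by_user
```

The sed expression keys on the literal "from <ip> port" text that sshd writes, so IPv4 sources are captured; extend the character class if your hosts log IPv6 addresses. Because the pipeline only reads the file, it is safe to run on a live server.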

How To Add a Swap Partition

Swap is space on a disk that is set aside for use as additional virtual memory. When a Linux server runs out of memory, the kernel has the ability to move inactive processes over to swap space to make room for active processes. Swap space can take the form of either a dedicated swap partition or a swap file, but in the case of most virtual Cloud Servers, a swap partition is not present so the only option is to create a swap file. The performance of a swap file is comparable to the performance of a swap partition, but using a swap file makes it easier to control the swap size without having to repartition the volume.

This article will walk you through the steps you’d need to take in order to create a swap file on a Linux server, and to modify the ‘swappiness’ value.

Prerequisites:

• Cloud Server running a Linux OS

Step-by-Step

1) Create the file that you’ll use for swap by running the following command:

# sudo fallocate -l 1G /mnt/1GB.swap

In this case we are creating a 1GB swap file, but adjust the size to your own server’s needs. If you receive a message saying ‘fallocate failed: Operation not supported’, try running the following instead:

# sudo dd if=/dev/zero of=/mnt/1GB.swap bs=1024 count=1048576

2) Format the swap file by running the following command:

# sudo mkswap /mnt/1GB.swap

3) Now you need to add the file to the system as swap, which allows your system to begin utilizing it. Do this with the following command:

# sudo swapon /mnt/1GB.swap

4) In order to make the change permanent, and prevent having to do this after each reboot, open up the /etc/fstab file in your text editor of choice and add the following to the end of the file and save it:

/mnt/1GB.swap  none  swap  sw 0  0

5) To adjust the ‘swappiness’ value, open the file /etc/sysctl.conf in your text editor of choice and add this at the end:

vm.swappiness=10

We recommend starting with a lower value, like 10, and increasing it as you believe is necessary. The highest value you can set is 100, and most systems with swap partitions will default to 60. If you set the vm.swappiness to 0, it will only use the swap file if the system runs out of memory entirely, while higher values allow your system to swap idle processes out which may improve overall system performance.

6) Ensure that the swap file was created by entering the following command:

# sudo swapon -s

7) Reboot your server to ensure the changes you made are still in effect. If it comes back up and the ‘sudo swapon -s’ command returns the same output, it should be working. The final step is to adjust the permissions on the file so that only the root user can access it:

# chmod 600 /mnt/1GB.swap

NOTE: Should you later need to remove the swap file, use the following command:

# sudo swapoff /mnt/1GB.swap

Be sure to remove the entry from the /etc/fstab file, or simply comment out the line you added by inserting a # sign in front of it.

Lastly, remove the actual swap file with this command:

# sudo rm /mnt/1GB.swap
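The steps above, including the removal note, wrapped into POSIX shell functions as an added example (this is not the article’s own script). The fstab and sysctl.conf paths are parameters so the file-editing helpers can be exercised against temporary copies without root; their defaults are the real files. The swap file path and size are assumptions matching the article’s /mnt/1GB.swap.

```shell
#!/bin/sh
# Added example, not part of the original article: swap-file setup and
# removal as re-runnable functions with the checks a practitioner would add.

# Append the fstab entry for SWAPFILE unless one is already present, so the
# script can be run twice without producing duplicate lines.
add_fstab_entry() {
    swapfile=$1
    fstab=${2:-/etc/fstab}
    if grep -q "^$swapfile[[:space:]]" "$fstab" 2>/dev/null; then
        return 0
    fi
    printf '%s  none  swap  sw  0  0\n' "$swapfile" >> "$fstab"
}

# Drop the fstab entry for SWAPFILE (used when removing the swap file).
remove_fstab_entry() {
    swapfile=$1
    fstab=${2:-/etc/fstab}
    scratch=$(mktemp)
    grep -v "^$swapfile[[:space:]]" "$fstab" > "$scratch" || true
    cat "$scratch" > "$fstab"
    rm -f "$scratch"
}

# Validate a swappiness value: an integer from 0 to 100 inclusive.
swappiness_valid() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -le 100 ]
}

# Set vm.swappiness in a sysctl config file, replacing any existing line.
set_swappiness() {
    value=$1
    conf=${2:-/etc/sysctl.conf}
    swappiness_valid "$value" || return 1
    if grep -q '^vm.swappiness=' "$conf" 2>/dev/null; then
        scratch=$(mktemp)
        sed "s/^vm.swappiness=.*/vm.swappiness=$value/" "$conf" > "$scratch"
        cat "$scratch" > "$conf"
        rm -f "$scratch"
    else
        printf 'vm.swappiness=%s\n' "$value" >> "$conf"
    fi
}

# Create and activate a swap file of SIZE_MB megabytes (run as root).
# Falls back to dd when fallocate is unsupported, and tightens permissions
# before swapon so the file is never world-readable while in use.
create_swapfile() {
    swapfile=${1:-/mnt/1GB.swap}
    size_mb=${2:-1024}
    if [ -e "$swapfile" ]; then
        echo "$swapfile already exists" >&2
        return 1
    fi
    fallocate -l "${size_mb}M" "$swapfile" 2>/dev/null \
        || dd if=/dev/zero of="$swapfile" bs=1M count="$size_mb"
    chmod 600 "$swapfile"
    mkswap "$swapfile"
    swapon "$swapfile"
    add_fstab_entry "$swapfile"
    swapon -s
}

# Deactivate and delete a swap file created above (run as root).
remove_swapfile() {
    swapfile=${1:-/mnt/1GB.swap}
    swapoff "$swapfile"
    remove_fstab_entry "$swapfile"
    rm -f "$swapfile"
}
```

Usage as root would be create_swapfile /mnt/1GB.swap 1024 followed by set_swappiness 10 and sysctl -p to apply the value without a reboot; remove_swapfile /mnt/1GB.swap undoes all of it. The chmod is deliberately placed before swapon because mkswap warns about insecure permissions, and a readable swap file can expose memory contents of other processes.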

Conclusion:

This article has taken you through the process of creating, activating, and configuring swap space on your Linux server.

Troubleshooting Disk Usage in Linux

At times, your server’s disk(s) may begin to fill up with various files and folders. Rather than continue to scale the server up to make room, it may be best to take a look at what’s using up so much space in your filesystem. This quick guide will help walk you through some of the steps and commands you can use to troubleshoot and reclaim some of your storage space. This article deals with Linux servers specifically.

Prerequisites:
• Server running Linux
• SSH access to the server


Step-by-step

1) Log in to the device via SSH.

2) Determine the amount of disk space available.

To determine disk space, run the following commands:

# df -h

This command will output the different devices that make up your server’s filesystem, and provide the percent utilized, as well as the total storage space, space used, and space free.

# du -h

This command is used to estimate file space usage. For example, you could run du -h /etc to list the space used by the contents of the /etc directory. You can also chain du with other commands that sort its output, which makes it easier to see what is using your disk. Checking the ‘man’ pages for the du command will help you identify flags that can be added to help. An example would be:

du -hs * | sort -rh | head -10

In this command we are asking du to do the following:
du = Estimate file space usage.
-h = Flag to make output in human-readable format (e.g., K/M/G).
-S = Do not include size of subdirectories (not used in the example above, but often paired with -s).
-s = Display only a total for each argument.
sort = Sort lines of text files.
-r = Reverse the result of comparisons.
-h = Compare the human-readable numbers (e.g., 1MB, 2K).
head -10 = Output the first 10 entries collected and sorted.

As you become more familiar with the flags, you can adjust and change the commands to your needs.

3) Clean up the drive.

Be careful when removing files and folders in Linux. Unlike Windows, they do not go to a Recycle Bin from which you can restore them, and using the wrong flag in some cases will result in all files and subfolders in a directory being removed.

To remove specific files, use the following command where $filename is the name of the file you want removed:

# rm $filename

You can delete multiple files at once by separating the filenames with a space. For example:

# rm $filename1 $filename2 $filename3

To forcibly remove files without any sort of prompt, add the ‘-f’ flag to the rm command. For example:

# rm -f $filename

To remove an empty directory, use the rmdir command. Example:

# rmdir $directoryname

If the directory is not empty but you want it removed along with all of its subfolders and files, use the rm command with the -r flag (rmdir only removes empty directories and has no -r flag):

# rm -r $directoryname

Again, if you wish to avoid being prompted, you can add the -f flag. Example:

# rm -rf $directoryname

Once you’ve made the deletions of files/folders no longer needed, check your disk space utilization again with the ‘df -h’ command.
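Because an rm -r cannot be undone, a practitioner normally wants a "what is big" report and a "what would I delete" list before touching anything. The POSIX shell script below is an added example (not the article’s own commands) that wraps the du / sort / head idea above into a function and adds a dry-run listing of files older than N days, the kind of check you run before deleting. The demo builds a constructed directory tree under mktemp so the script never touches real data; the directory and file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: disk-usage report and
# dry-run stale-file listing. Nothing in this script deletes anything
# except its own constructed demo tree.

# Largest entries directly under DIR, biggest first, limited to N rows.
# Sizes are in kilobytes (du -k) so the output sorts numerically and can be
# compared in scripts; use du -sh "$dir"/* | sort -rh for the human form.
largest_entries() {
    dir=$1
    n=${2:-10}
    du -sk "$dir"/* 2>/dev/null | sort -rn | head -n "$n"
}

# Path of the single largest entry under DIR (du separates size and path
# with a tab, so cut keeps paths containing spaces intact).
largest_entry_path() {
    largest_entries "$1" 1 | cut -f2-
}

# Regular files under DIR not modified in the last DAYS days, one per line.
# Review this list before running rm on it.
stale_files() {
    dir=$1
    days=$2
    find "$dir" -type f -mtime +"$days"
}

# Number of files stale_files would report.
stale_file_count() {
    stale_files "$1" "$2" | wc -l | tr -d ' '
}

# Build a constructed tree: a 300K log, a 50K cache blob (backdated to 2019
# so it counts as stale) and a 5K note. Prints the tree's path.
demo_tree() {
    d=$(mktemp -d)
    mkdir "$d/logs" "$d/cache"
    dd if=/dev/zero of="$d/logs/app.log" bs=1024 count=300 2>/dev/null
    dd if=/dev/zero of="$d/cache/blob" bs=1024 count=50 2>/dev/null
    dd if=/dev/zero of="$d/notes.txt" bs=1024 count=5 2>/dev/null
    # POSIX touch -t takes [[CC]YY]MMDDhhmm; this dates the file to 2019-01-01.
    touch -t 201901010000 "$d/cache/blob"
    echo "$d"
}

# Demo when executed directly.
DEMO=$(demo_tree)
echo "Largest entries under $DEMO:"
largest_entries "$DEMO" 3
echo "Files older than 7 days (candidates to remove):"
stale_files "$DEMO" 7
rm -rf "$DEMO"
```

On a real server, largest_entries /var 10 reproduces the du -hs * | sort -rh | head -10 report from above with numeric sizes, and stale_files /var/log/archive 30 gives you the exact list a later rm would act on, so you can inspect it first instead of discovering a mistake afterwards.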

Troubleshooting Disk Usage in Windows

At times, your server’s disk(s) may begin to fill up with various files and folders. Rather than continue to scale the server up to make room, it may be best to take a look at what’s using up so much space in your filesystem. This quick guide will help walk you through some of the steps and commands you can use to troubleshoot and reclaim some of your storage space. This article deals with Windows servers specifically.

Prerequisites:
• Server running Windows OS.
• Access to the server.


Step-by-step

1) Log in to the device via RDP.

2) Determine the amount of disk space available.

To determine disk space, run the following steps:

• Open the Windows File Explorer and click This PC.
• Under Devices and drives, make note of the amount of free space.

3) Clean up the drive.

You can either use the Windows File Explorer interface to delete files and folders, or utilize the Windows command prompt.

• Change directory to C:\temp. If the directory exists, delete all files and folders that are older than 7 days.
• Change directory to C:\DRV. If the directory exists, delete all files and folders.
• Change directory to C:\WINDOWS\Installer\$PatchCache$\UnManaged. If the directory exists, delete all files and folders that are older than 60 days.
• Change directory to C:\WINDOWS\Installer\$PatchCache$\Managed. If the directory exists, delete all files and folders that are older than 60 days.
• Change directory to C:\Windows\Minidump. If the directory exists, delete all *.dmp files that are older than 60 days.
• Change directory to C:\ProgramData\Microsoft\Windows\WER\ReportQueue. If the directory exists, delete all files and folders.
• Empty the Recycle Bin by right-clicking on the desktop icon and clicking Empty.

4) Verify disk space after the cleanup by opening the Windows File Explorer and clicking This PC.

There are other third-party tools that will analyze your server’s filesystem and provide easy-to-read breakdowns of what’s utilizing your server’s disk space. Some examples are:

• WizTree
• WinDirStat
• SpaceSniffer

For support in using these products, it’s best to check documentation on their respective sites and forums.