Getting Started with Linux Log Files

This article covers logs, where they are stored, and which Linux distributions use each log. Logs are an essential part of managing your server, and most applications come with their own logging as well.


• Server running a Linux operating system.

How do I view log files on Linux?

Log in to your server as root or as a sudo user over SSH or the console. Most logs are kept in the same location, /var/log, so we’ll navigate there using the following command:

# cd /var/log

Now that we’ve switched to the /var/log directory, we’ll list the files within it using the following command:

# ls

Within this directory, we’ll find a number of different log files. Below is a list that gives the name of each log file or the subdirectory in which it resides by default, which Linux operating system it is found on, and what is logged to it.

  • /var/log/alternatives.log (Ubuntu®, Debian®)

    Information from update-alternatives is logged to this file.

  • /var/log/apache2/access.log (Ubuntu, Debian)

    Stores requests, such as GET and POST requests, that are processed by the Apache® service.

  • /var/log/apache2/error.log (Ubuntu, Debian)

    Stores Apache errors and diagnostic information found while serving requests.

  • /var/log/audit/audit.log

    Stores information from the Linux audit daemon, auditd. This log contains information about the files on which users have performed reads or writes.

  • /var/log/auth.log

    Contains authorization information, such as user logins and the authentication method used.

  • /var/log/boot

    Contains information about the boot process once the kernel has loaded. This includes information such as system file checks, mounting a file system, starting a firewall, starting network devices, and starting services.

  • /var/log/btmp

    Contains failed login attempts. You’ll have to use the last command to view this log:

    last -f /var/log/btmp | more

  • /var/log/cron

    Stores information from the cron daemon and anacron after they start a cron job.

  • /var/log/dmesg

    Contains kernel-related information about hardware and devices it detects during the boot process. This file is overwritten upon each reboot.

  • /var/log/dpkg.log (Ubuntu, Debian)

    Stores information that is logged when a new package is installed or removed by using the dpkg command.

  • /var/log/faillog

    Contains failed user login attempts. Use the command faillog to retrieve the contents.

  • /var/log/kern.log (Ubuntu, Debian, and can be configured for CentOS® and RHEL®)

    Contains log details from the kernel during system bootup, as well as any kernel errors or messages sent from the kernel.

  • /var/log/lastlog

    Displays recent login information.

  • /var/log/maillog.log (CentOS, RHEL)

    Stores information from the mail server that is running on your system, such as Postfix logging information.

  • /var/log/mail.log (Ubuntu, Debian)

    Stores information from the mail server that is running on your system, similar to what maillog.log does for the CentOS and RHEL flavors.

  • /var/log/mail

    This is a subfolder that contains any additional logs created for use by your mail server.

  • /var/log/messages (CentOS/RHEL)

    Contains global system messages, including the messages logged during boot.

  • /var/log/sa

    Contains daily sar files collected by the sysstat package.

  • /var/log/secure (CentOS/RHEL)

    Stores information related to authentication and authorization privileges. For example, sshd logs information here, including unsuccessful attempts.

  • /var/log/wtmp or /var/log/utmp

    Contains login records and shows who is currently logged into the system. The who command uses this file to display the information.

  • /var/log/yum.log (CentOS/RHEL)

    Stores information logged when a package is installed or removed.
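
To show how the authentication logs listed above (/var/log/auth.log on Ubuntu and Debian, /var/log/secure on CentOS and RHEL) can be read in practice, the following added example, which is not part of the original article, counts failed SSH password attempts per source address. The function names are made up for this example, and the sample log lines are constructed in the usual sshd syslog format.

```shell
#!/bin/sh
# Added example: summarize failed SSH password attempts per source address.

# Print the path of whichever authentication log is readable on this system.
find_auth_log() {
    for f in /var/log/auth.log /var/log/secure; do
        [ -r "$f" ] && { echo "$f"; return 0; }
    done
    return 1
}

# Read log lines on stdin; print "count address", highest count first.
# The address is taken from the LAST "from <addr> port" triple on the line,
# because the user name is chosen by the remote side and may itself contain
# text such as "from 192.0.2.99 port 1" meant to mislead a naive parser.
failed_ssh_by_source() {
    awk '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = NF - 2; i >= 1; i--)
                if ($i == "from" && $(i + 2) == "port") {
                    count[$(i + 1)]++
                    break
                }
        }
        END { for (addr in count) print count[addr], addr }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample lines (documentation address ranges, not real data).
sample_log() {
    cat <<'EOF'
Mar  4 10:15:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  4 10:15:04 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  4 10:15:09 web01 sshd[2214]: Failed password for root from 198.51.100.23 port 40210 ssh2
Mar  4 10:16:30 web01 sshd[2230]: Accepted publickey for deploy from 192.0.2.10 port 53311 ssh2
Mar  4 10:17:02 web01 sshd[2241]: Failed password for root from 203.0.113.7 port 51190 ssh2
Mar  4 10:17:45 web01 CRON[2250]: pam_unix(cron:session): session opened for user root by (uid=0)
EOF
}

# Demo on the sample. On a real host, as root:
#   failed_ssh_by_source < "$(find_auth_log)"
sample_log | failed_ssh_by_source
```

Rotated logs (for example auth.log.1) are separate files, so a count taken from the current file only covers the period since the last rotation.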
