Working with logs
IBM e-business architect Chris Walden is your guide through a nine-part developerWorks series on moving your operational skills from a Windows to a Linux environment. In this part, we track, manipulate, and rotate logs for security and informational purposes.
One of the keys to success in managing any system is to know what is happening on the system. Linux offers exceptional logging, and the detail in the logs is configurable.
Linux logs are in plain text, so you can search and read them without having to use special tools. You can also write scripts that scan through logs and perform automatic functions based on the contents.
Linux logs are contained in the /var/log directory. There are several log files that are maintained by the system, but other services and programs may put their log files here too. Most logs are only readable by root, but that can be changed by simply changing the access rights to the file.
The messages log is the core system log file. It contains the boot messages when the system came up as well as other status messages as the system runs. Errors with IO, networking, and other general system errors are reported in this file. Other information, such as when someone becomes root, is listed here as well. If services are running, such as DHCP servers, you can watch the action in the messages file. /var/log/messages is generally your first place to look when you are troubleshooting.
This log shows the results of the last execution of the Xfree86 Xwindows server. If you are having problems getting the graphical mode to come up, this file will usually provide answers as to what is failing.
There will be other log files in the /var/log directory depending on your distribution of Linux and the services and applications that you are running. For example, there may be logs associated with running a mail server, resource sharing, automatic tasks, and others.
You will see some files in the /var/log directory that end with a number.
These are rotated archives. Log files can get rather large and cumbersome.
Linux provides a command to rotate these logs so that you don't have
current log information mixed with older irrelevant data. Generally
logrotate runs automatically on a timed basis, but it can also be run
manually. When executed, logrotate will take the current version of the
log files and add a ".1" to the end of the filename. Then any other
previously rotated files are sequenced with ".2," ".3," etc. The larger
the number after a filename, the older the log is.
You can configure the automatic behavior for
logrotate by editing the
/etc/logrotate.conf file. Learn the full details about
Any text tool can be used to work with log files. Here are some tools that are particularly helpful.
To get a quick view of the boot log for the last system boot, use the command
dmesg. It generally puts out a lot of
text, so you will generally want to pipe it through a viewer.
dmesg | more
The command above will show the boot messages one screen page at a time.
Sometimes you want to keep an eye on a log file as activity is occurring.
Tail is designed to show the last few lines of a text file. By adding the
tail will continue to show
new output as it occurs.
tail -f /var/log/messages
The command above will show the last ten lines of /var/log/messages, then
continue to monitor the file and output any new activity. To stop the
tail -f command, use Ctrl + C to break the
works the same as the DOS version. You can point it to a file, or
pipe output through it to see the information one screen page at a
time. For example, to show the contents of the Xfree86 startup log file
one screen page at a time:
Use "q" or [Ctrl]-C to stop looking at a file.
Less is another text viewer, but it allows you to scroll through a file and search for information.
The command above will display the contents of the /var/log/messages
file. Use "q" to quit viewing the file. Use "h" to
get help on using
You may want to put your own messages into the log file. You could just append the log message to the correct text file, but you would have to duplicate the log information style. Also, you would have to change your code if the logging system had been customized. The
logger command lets you send your own messages to the
logging facility. Use it in scripts to provide messages about execution