Monday, February 22, 2010

Log system in Linux

Linux is often described as highly manageable, customizable and safe. One of the reasons behind that reputation is its logging system.
The purpose of logging is to record what happens in the various parts of the running operating system into plain text files that can then be read by humans or parsed by machines.
Understanding and consulting the various logs is an invaluable resource for troubleshooting and, more importantly, for keeping the reins of your computer.

Linux logs live in the /var/log directory. Most of them are plain ASCII files that virtually any text reader can handle (a few, covered below, are binary and need their own tools). The majority are written by the syslogd and klogd daemons, while installed programs (SAMBA, for example) may keep their own specific logs.
The syslogd daemon handles system messages, including those that applications send through the syslog API (the syslog() library call, which writes to the /dev/log socket). The kernel cannot use that API, so a second daemon, klogd, reads the kernel's message buffer and hands the messages over to syslogd. Both can be configured: the routing of messages is defined in /etc/syslog.conf, while on Red Hat style systems the command line options of the two daemons are kept in /etc/sysconfig/syslog; klogd itself is controlled only through command line switches. The configuration can be tricky and deserves a full article of its own. In general, though, by editing /etc/syslog.conf one controls the message flow and specifies where each class of messages (a facility such as kern or auth, combined with a priority such as crit) is delivered.

For example, a powerful security measure is to relay critical kernel messages to an external log host, which in turn stores them according to its own syslogd policy. This prevents an attacker who has compromised the machine from covering their tracks by deleting parts of the local logs, because the copy on the log host is out of their reach. Two caveats apply: classic syslog forwarding travels over UDP port 514 without authentication or encryption, so the log host should only accept messages from the expected senders and should sit on a network the attacker cannot easily reach; and the log host itself must be at least as well protected as the machines reporting to it, or it simply becomes the next target. A further improvement is a script that compares the local and remote versions of the same log and reports any discrepancy, since a line that exists remotely but not locally is a sign of a possible break-in. If you are eager to delve further into syslogd and its configuration, have a look at the manual pages (man syslogd and man syslog.conf).
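As a worked example of the discrepancy check suggested above, here is a small shell script added to this page (it is not part of the original post). It assumes the log host runs syslogd as well, so that a forwarded message is written there with the same timestamp, hostname and text as on the sending machine, and that both copies are available as plain text files; the log lines used in the demo are constructed for illustration, and the path /mnt/loghost/web1/messages in the usage comment is hypothetical.

```shell
#!/bin/sh
# Compare the local copy of a log with the copy kept by the remote syslog host.
# An intruder who edits the local file cannot reach the remote copy, so a line
# present remotely but absent locally is a candidate for deleted evidence.
#
# Assumptions: both files are plain syslog text; the log host runs syslogd as
# well and writes each forwarded message with the timestamp, hostname and text
# it received, so matching lines are byte-for-byte identical.

# missing_locally LOCAL REMOTE
# Prints every line of REMOTE that has no exact match in LOCAL.
# Exit status follows grep: 0 if discrepancies were found, 1 if none.
missing_locally() {
    local_log=$1
    remote_log=$2
    # grep -F: fixed strings, -x: whole-line match, -v: invert the match,
    # -f: take the patterns (here: every local line) from a file.
    # A line logged twice remotely and once locally still counts as matched,
    # so this is a first-pass check, not a full reconciliation.
    grep -v -x -F -f "$local_log" "$remote_log"
}

# Demo on constructed data: the local copy has lost the su-to-root entry.
discrepancy_demo() {
    dir=$(mktemp -d)
    printf '%s\n' \
        'Feb 22 09:14:02 web1 sshd[2231]: Accepted publickey for alice from 10.0.0.5 port 50122 ssh2' \
        'Feb 22 09:20:45 web1 kernel: device eth0 entered promiscuous mode' \
        > "$dir/messages.local"
    printf '%s\n' \
        'Feb 22 09:14:02 web1 sshd[2231]: Accepted publickey for alice from 10.0.0.5 port 50122 ssh2' \
        'Feb 22 09:17:30 web1 su[2290]: pam_unix(su:session): session opened for user root by mallory(uid=1002)' \
        'Feb 22 09:20:45 web1 kernel: device eth0 entered promiscuous mode' \
        > "$dir/messages.remote"
    missing_locally "$dir/messages.local" "$dir/messages.remote"
    rm -rf "$dir"
}

# Real use would be something like (hypothetical mount point):
#   missing_locally /var/log/messages /mnt/loghost/web1/messages
discrepancy_demo
```

Run from cron on the log host, with the sending machine's file fetched read-only, this gives a daily list of lines that vanished locally; an empty list is the normal case, and anything else deserves a look before the rotated copies are compressed away.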
As said above, there are mainly two groups of logs: system logs and application logs.
As the name suggests, system logs concern the functioning of the operating system itself. Let's look at the most important ones.



Messages Log (/var/log/messages)
This log is crucial because it records status messages from the running system. General system errors, such as those related to I/O and networking, are written to the messages log, as are other interesting events like users becoming root or services starting and stopping. When troubleshooting, this is the first place to look before delving into more specific logs.



Authorization Log (/var/log/auth.log)
This log keeps track of the subsystems that authenticate users and authorize access to restricted files or functions. In it you can see user logins, the use of sudo to gain superuser privileges, and remote logins via ssh. The path above is the Debian and Ubuntu one; Red Hat based distributions write the same information to /var/log/secure.


Daemon Log (/var/log/daemon.log)
This log records information about the daemons running on the system. A daemon, or service, is a program that is not under the direct control of a user but runs in the background to perform certain tasks.


Debug Log (/var/log/debug)
Read this log to check debug messages from the operating system and applications.



Kernel Log (/var/log/kern.log)
This log contains messages from the Linux kernel, routed via the klogd daemon. They are useful for troubleshooting (hardware errors, driver messages, packets logged by the iptables LOG target) and also worth analyzing for kernel tuning or customization.



Applications logs
Some installed applications keep their own logs. These are stored under /var/log, either as a file named after the application or in a subdirectory of its own (SAMBA, for example, uses /var/log/samba). An example is the X11 server log, /var/log/Xorg.0.log, which contains the messages from the X windowing server. If you experience crashes or problems with X, look there for error messages.

As mentioned before, certain logs are not meant to be read by humans but by programs, and they are binary rather than text. For example, still under /var/log, wtmp records who logged in and out and is read with the last command, faillog records login failures and is read with the faillog command, and lastlog records the most recent login of every user and is read with the lastlog command.
Sometimes you will notice log files in /var/log ending with .0, .1, .2 and so on, or with .gz. This has to do with rotation. The logrotate program, normally run once a day from cron, renames a log file at a certain point in time (or when it exceeds a given size) and starts a new one. This keeps logs from growing without bound and becoming heavy and hard to read; after all, a log is much like a diary, so it is perfectly sensible to split it on a time basis. At each rotation logrotate shifts the numbers at the end of the rotated files: messages becomes messages.1, the previous messages.1 becomes messages.2, and so on, so the higher the number, the older the log (some setups number from .0 instead of .1). Only a fixed number of old copies is kept and the oldest is deleted, which also bounds how far back you can investigate an incident, so set the retention with that in mind. Rotated files are usually compressed individually with gzip, hence the .gz suffix, often one cycle after they are rotated so that the most recent copy stays readable while the program that wrote it may still have it open. The /etc/logrotate.conf file, together with the per-application snippets in /etc/logrotate.d, configures this behavior. You can read more with man logrotate.
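To make the numbering concrete, here is an added example (not from the original post and not logrotate's own code) that emulates what logrotate does for a configuration with rotate 3, compress and delaycompress, on a constructed log in a scratch directory. It is a teaching model of the renaming scheme only: real logrotate also recreates the file with the configured owner and mode, signals the daemon, and handles many more options.

```shell
#!/bin/sh
# Teaching model of logrotate's renaming scheme for a configuration with
# "rotate 3", "compress" and "delaycompress": the current log becomes LOG.1
# (left uncompressed, since the daemon may still be writing to it), the old
# LOG.1 is compressed into LOG.2.gz, and so on. The higher the number, the
# older the file. Only the numbering is modelled here.

# rotate_log LOG KEEP
rotate_log() {
    log=$1
    keep=$2
    # Anything beyond the retention count is dropped.
    rm -f "$log.$keep" "$log.$keep.gz"
    # Shift the numbered copies up by one, oldest first so nothing is overwritten.
    i=$((keep - 1))
    while [ "$i" -ge 1 ]; do
        next=$((i + 1))
        [ -f "$log.$i.gz" ] && mv "$log.$i.gz" "$log.$next.gz"
        if [ -f "$log.$i" ]; then
            # delaycompress: the copy that has now aged one cycle gets compressed.
            gzip -f "$log.$i"
            mv "$log.$i.gz" "$log.$next.gz"
        fi
        i=$((i - 1))
    done
    # The live log becomes .1 and an empty file takes its place.
    [ -f "$log" ] && mv "$log" "$log.1"
    : > "$log"
}

# Demo on a constructed log: write one entry and rotate, three times over,
# then print each rotated file with its line so the age ordering is visible.
rotation_demo() {
    dir=$(mktemp -d)
    log="$dir/messages"
    for n in 1 2 3; do
        printf 'Feb 22 10:0%s:00 host kernel: constructed entry %s\n' "$n" "$n" > "$log"
        rotate_log "$log" 3
    done
    for f in "$log".*; do
        case $f in
            *.gz) line=$(gzip -dc "$f") ;;
            *)    line=$(cat "$f") ;;
        esac
        printf '%s: %s\n' "${f##*/}" "$line"
    done
    rm -rf "$dir"
}

rotation_demo
```

The demo prints messages.1 holding the newest entry and messages.3.gz the oldest; a fourth rotation would delete messages.3.gz, which is exactly the retention limit you need to be aware of when an incident is discovered late.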
Now that we have said something about the logging system and the logs themselves, let's spend a few words on the tools that help you view their content.
As we said at the beginning, logs are plain ASCII text, so any program capable of displaying text will do: a text editor, a web browser opened on the file, or a programmer's IDE.
It is often quicker, though, to read the logs in the console. Below is a list of some useful commands for this task. For a complete overview and an explanation of the various switches and options of each program, refer to the manual by typing man followed by the program name in the console.



More
Use the program more to display the content of a log one page at a time: more /var/log/messages



Less
less is a console pager similar to more, with the additional ability to navigate the pages both forward and backward. It is also faster because it does not read the whole file at once.
- less /var/log/daemon.log



Tail
This program is quite interesting: it displays the last 10 lines of a file, and with the -f switch it keeps the file open and prints new lines as they are appended, which lets you watch a log in real time. For example, tail /var/log/messages shows a static list of the last ten entries in the log, while tail -f /var/log/messages updates each time a new entry is written. Press Ctrl-C to stop following.



Grep
The grep command searches a file for lines matching a pattern, which is very useful when you must quickly locate certain entries in a large log. For example, you can search for the word "kern" in the syslog configuration by typing grep "kern" /etc/syslog.conf; to search a log instead, give the log's path as the last argument. If there are a lot of matching entries you can use | to pipe them through less so they are paged: grep "kern" /etc/syslog.conf | less
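As an added example of putting grep to work on the authorization log described earlier (this is not code from the original post), the script below pulls two things a practitioner checks first: failed SSH password attempts grouped by source address, and every command run through sudo. It assumes the Debian/Ubuntu /var/log/auth.log layout (the same lines live in /var/log/secure on Red Hat systems); the sample entries it writes are constructed, not captured from a real host.

```shell
#!/bin/sh
# First-pass triage of an auth log with grep, sed and friends: who failed to
# log in over SSH, from where, and who ran what through sudo.
# Assumes the Debian/Ubuntu /var/log/auth.log layout; on Red Hat systems the
# same lines live in /var/log/secure. The sample entries below are constructed.

# failed_ssh_by_source LOG
# Prints "ADDRESS COUNT", busiest source first, from OpenSSH's
# "Failed password for [invalid user] NAME from ADDR port N ssh2" lines.
failed_ssh_by_source() {
    grep 'sshd\[[0-9]*\]: Failed password for' "$1" \
        | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $2, $1 }'
}

# sudo_commands LOG
# Prints "USER COMMAND" for every sudo invocation, using sudo's syslog
# line format "sudo: USER : TTY=... ; PWD=... ; USER=root ; COMMAND=...".
sudo_commands() {
    sed -n 's/.* sudo: *\([^ ]*\) : .*COMMAND=\(.*\)$/\1 \2/p' "$1"
}

# write_sample_auth_log PATH: constructed sample, not captured from a real host.
write_sample_auth_log() {
    printf '%s\n' \
        'Feb 22 08:01:12 web1 sshd[1901]: Accepted publickey for alice from 10.0.0.5 port 50122 ssh2' \
        'Feb 22 08:02:40 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update' \
        'Feb 22 08:05:03 web1 sshd[1950]: Failed password for root from 203.0.113.9 port 41022 ssh2' \
        'Feb 22 08:05:05 web1 sshd[1950]: Failed password for root from 203.0.113.9 port 41022 ssh2' \
        'Feb 22 08:05:09 web1 sshd[1952]: Failed password for invalid user admin from 203.0.113.9 port 41030 ssh2' \
        'Feb 22 08:06:00 web1 sshd[1960]: Failed password for bob from 198.51.100.4 port 55010 ssh2' \
        'Feb 22 08:07:15 web1 sudo:      bob : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/bin/bash' \
        > "$1"
}

# Demo on the constructed sample; on a live system point the functions at
# /var/log/auth.log instead.
auth_demo() {
    f=$(mktemp)
    write_sample_auth_log "$f"
    echo "Failed SSH passwords by source:"
    failed_ssh_by_source "$f"
    echo "sudo commands:"
    sudo_commands "$f"
    rm -f "$f"
}

auth_demo
```

On the sample the first function reports 203.0.113.9 with three failures ahead of 198.51.100.4 with one, and the second lists alice running apt-get and bob opening a root shell with sudo; the latter is the kind of entry worth a question even when it is legitimate.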

By now you should have a simple (and by no means exhaustive) overview of the logging system on Linux. I personally think that, given the importance information technology has in our lives nowadays, it is well worth delving a bit into how the machines we use for our work and, more and more, for various aspects of our social life actually function. Linux, throughout its ecosystem of distributions, gives users a hand by providing them with all the instruments to use their computer on an informed basis.
Live long and prosper.


Image by zak_greant licensed with this license
