Linux System Logs

    • @devyncjohnson

    Logs are an important part of debugging or finding issues. Logs are files that contain information about an application, group of applications, or a whole operating system. Understanding the location and use of each log on Linux can help users find and identify errors.

    Most logs are under /var/log/. Such logs contain global or system information. The logs in a user's home folder pertain to a user's applications or account. On the command line, a log can be viewed by typing "less LOG", where "LOG" is a log's path. The "less" command allows users to scroll through the log while the "cat" command does not. To view compressed logs (which are older), use "zless" instead of "less". If you are not a fan of "less", then you may want to use "more" and "zmore", both of which still allow users to scroll up and down.


    In the previous paragraph, I had mentioned compressed logs. Well, some logs are so important (like /var/log/dmesg) that older logs are compressed using Gzip and kept for future reference. "logrotate" is the software that compresses old logs and makes a fresh log for current use. The configuration file for logrotate is /etc/logrotate.conf. With Root privileges, users can change logrotate's behavior. The configuration file contains very easy to understand comments, so users can open the file for the first time and know the purpose of each line. /etc/logrotate.d is a directory containing config files that inform logrotate how to manage specific logs. So, the /etc/logrotate.d/dpkg config file tells logrotate how to manage /var/log/dpkg.log. The Cron Tables initiate logrotate according to the schedule declared in the crontabs.

    The syslog daemon (syslogd) is the process that receives messages from software and places them in the appropriate log. Most programs do not write their own logs (except for the logs in the user's home).

    A computer's performance can be enhanced by reducing the amount of logging. If a Linux kernel is designed to produce fewer or no logs, then the system will operate faster. Also, users can tell syslogd to not log so much data/activity. However, users will then have issues finding and identifying errors. Also, developers will not be able to easily debug software. When reducing or increasing logging, keep in mind the benefits and drawbacks. The configuration files for syslog are located in /etc/rsyslog.conf and /etc/rsyslog.d/50-default.conf.

    The system or global logs are stored under /var/log/. Some logs are grouped into folders while others are not. Most of the logs have self-explanatory names. For example, the apt logs pertain to the APT system and cups logs are related to the CUPS system. Here is a list of some important logs in /var/log/ and their uses.

    • alternatives.log - The "update-alternatives" software logs what symbolic links it makes for commands and their binary file's path.
    • apport.log - When applications crash, Apport keeps a record of the crash in this log.
    • auth.log - All user logins or any kind of authentication process is logged here.
    • boot.log - The messages that are printed to the screen while the system boots are placed here. On many systems, users see a splash screen when their system boots up. While the system is booting and the splash screen is shown, press "Esc" to clear the splash screen and show the messages.
    • btmp - Failed login attempts are listed in here.
    • dmesg.log - The contents of this log are the exact same as the output of the "dmesg" command. These messages are kernel messages that are generated as the system boots. This is important for checking hardware issues or figuring out why a system will not boot.
    • dpkg.log - The removal and installation of packages are mentioned here.
    • kern.log - After bootup, the kernel continues to produce messages as needed, but does so into this log.
    • lastlog - To see information on the last time users were logged in, view this log via the "lastlog" command.
    • pm-powersave.log - Power management activities are logged here.
    • pm-suspend.log - When a system is put into suspend mode, all activities associated with that are logged.
    • syslog - Major system events are logged in here.
    • udev - Udev stores information here. Udev is the device manager, so the information seen in the udev log is about devices and loaded modules.
    • Xorg.log - Information on Xorg is stored here.

    Some applications store logs in a user's home folder. Such logs are more important to that specific user rather than the whole system.

    ~/.xsession-errors - Xsession manages the startup of a GUI. Errors in this process are logged here. This log can be disabled by commenting out this line "ERRFILE=$HOME/.xsession-errors" from /etc/X11/Xsession with Root privileges.

    Most of the user logs are under ~/.cache/ (like ~/.cache/upstart/hud.log) and ~/.config/ (like ~/.config/tomboy/tomboy.log). The logs for Firefox are stored in ~/.mozilla/ and Thunderbird logs are in ~/.thunderbird/Crash Reports/. To find the logs for a specific application, look through the ~/.cache/, ~/.config/, and ~/.local/share/ folders.

    Understanding logs can help admins find problems and manage the space usage of logs. Logs are important for fixing and finding errors. Remembering the use and location of each log can greatly benefit the debugging process.
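The rotation scheme described in the post (a live log plus older copies compressed with Gzip), as an added shell example that is not part of the original post: it reads every generation of a log oldest first and extracts the package install/remove history from dpkg.log. The LOG.1 / LOG.N.gz naming, the function names and the sample lines are assumptions constructed for this example.

```sh
# Added example (not from the original post). Assumes logrotate's usual naming:
# LOG is live, LOG.1 is the previous one, LOG.2.gz and up are older and gzipped.

# Print every generation of a log, oldest entries first.
cat_rotated() (
    log=$1
    n=0
    # Find the highest rotation number present, compressed or not.
    # A gap in the numbering ends the search (assumption: rotations are contiguous).
    while [ -e "$log.$((n + 1))" ] || [ -e "$log.$((n + 1)).gz" ]; do
        n=$((n + 1))
    done
    # Higher numbers are older, so count down.
    while [ "$n" -ge 1 ]; do
        if [ -e "$log.$n.gz" ]; then
            gzip -dc "$log.$n.gz"      # decompress to stdout, as zless does for viewing
        else
            cat "$log.$n"
        fi
        n=$((n - 1))
    done
    if [ -e "$log" ]; then cat "$log"; fi
)

# Package install/remove history across all generations of a dpkg.log.
# dpkg.log fields: date, time, action, package, versions.
dpkg_history() {
    cat_rotated "$1" | awk '$3 == "install" || $3 == "remove" { print $1, $3, $4 }'
}

# Constructed sample data (not real system logs) so the example runs offline.
make_sample_logs() {
    printf '%s\n' '2024-01-03 09:12:44 install curl:amd64 <none> 7.81.0-1' \
                  '2024-01-03 09:12:45 status installed curl:amd64 7.81.0-1' > "$1/dpkg.log.2"
    gzip "$1/dpkg.log.2"
    printf '%s\n' '2024-02-10 14:01:02 remove telnet:amd64 0.17-44 <none>' > "$1/dpkg.log.1"
    printf '%s\n' '2024-03-21 18:30:00 install htop:amd64 <none> 3.0.5-7' > "$1/dpkg.log"
}

sample_dir=$(mktemp -d)
make_sample_logs "$sample_dir"
dpkg_history "$sample_dir/dpkg.log"
rm -rf "$sample_dir"
```

On a real system the call would be `dpkg_history /var/log/dpkg.log`; reading the rotated copies as well keeps the timeline from stopping at the last rotation.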
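For the auth.log entry in the list above, an added example (not part of the original post) that summarises failed SSH password attempts per source address. The function names and sample lines are constructed, and the line layout assumed is the usual one written by sshd through syslog.

```sh
# Added example (not from the original post). Reads auth.log text on stdin and
# prints "COUNT SOURCE" for each address with at least MIN failed SSH passwords.
failed_logins() {
    awk -v min="${1:-1}" '
        # sshd ends these lines with: from ADDRESS port N ssh2
        # Fields are counted from the end so the user name cannot shift them.
        /sshd\[[0-9]+\]: Failed password for / && $(NF-4) == "from" && $(NF-2) == "port" {
            hits[$(NF-3)]++
        }
        END { for (src in hits) if (hits[src] >= min) print hits[src], src }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample lines (documentation address ranges, not real log data).
sample_auth_log() {
    cat <<'EOF'
Mar 21 18:30:01 host1 sshd[2201]: Failed password for root from 203.0.113.7 port 40022 ssh2
Mar 21 18:30:03 host1 sshd[2201]: Failed password for root from 203.0.113.7 port 40022 ssh2
Mar 21 18:30:09 host1 sshd[2207]: Failed password for invalid user admin from 203.0.113.7 port 40031 ssh2
Mar 21 18:31:15 host1 sshd[2210]: Accepted password for alice from 192.0.2.10 port 50514 ssh2
Mar 21 18:32:40 host1 sshd[2215]: Failed password for alice from 192.0.2.10 port 50520 ssh2
Mar 21 18:33:00 host1 CRON[2220]: pam_unix(cron:session): session opened for user root by (uid=0)
EOF
}

# Sources with two or more failures in the sample.
sample_auth_log | failed_logins 2
```

Against a live system the input would be `failed_logins 5 < /var/log/auth.log`, which normally needs Root privileges to read.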
