Log files are files that contain messages about the system, including the kernel, services, and applications running on it. There are different log files for different information. For example, there is a default system log file, a log file just for security messages, and a log file for cron tasks.
Log files can be very useful when trying to troubleshoot a problem with the system such as trying to load a kernel driver or when looking for unauthorized login attempts to the system. This chapter discusses where to find log files, how to view log files, and what to look for in log files.
Some log files are controlled by a daemon called rsyslogd. The rsyslogd daemon is an enhanced replacement for sysklogd, and provides extended filtering, encryption-protected relaying of messages, various configuration options, input and output modules, and support for transportation via the
UDP protocols. Note that rsyslog is compatible with sysklogd.
Log files can also be managed by the
daemon – a component of
daemon captures Syslog messages, kernel log messages, initial RAM disk and early boot messages, as well as messages written to standard output and standard error output of all services, indexes them, and makes them available to the user. The native journal file format, which is a structured and indexed binary file, improves searching and provides faster operation, and it also stores metadata such as time stamps or user IDs. Log files produced by
are by default not persistent; log files are stored only in memory or a small ring-buffer in the
directory. The amount of logged data depends on free memory; when you reach the capacity limit, the oldest entries are deleted. However, this setting can be altered – see Section 23.10.5, “Enabling Persistent Storage”. For more information on Journal see Section 23.10, “Using the Journal”.
By default, these two logging tools coexist on your system. The
daemon is the primary tool for troubleshooting. It also provides additional data necessary for creating structured log messages. Data acquired by
is forwarded into the
socket that may be used by
to process the data further. However, rsyslog does the actual integration by default via the
input module, thus avoiding the aforementioned socket. You can also transfer data in the opposite direction, from
with use of
module. See Section 23.7, “Interaction of Rsyslog and Journal” for further information. The integration enables maintaining text-based logs in a consistent format to ensure compatibility with possible applications or configurations dependent on
. Also, you can maintain rsyslog messages in a structured format (see Section 23.8, “Structured Logging with Rsyslog”).
A list of log files maintained by rsyslogd can be found in the /etc/rsyslog.conf configuration file. Most log files are located in the /var/log/ directory. Some applications such as samba have a directory within /var/log/ for their log files.
You may notice multiple files in the /var/log/ directory with numbers after them (for example, cron-20100906). These numbers represent a time stamp that has been added to a rotated log file. Log files are rotated so their file sizes do not become too large. The logrotate package contains a cron task that automatically rotates log files according to the /etc/logrotate.conf configuration file and the configuration files in the
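
As an added example (not part of the original guide), the date suffix on rotated files such as cron-20100906 can be used to check a listing of /var/log/ for missing rotations before relying on those logs in an investigation. The function names, the weekly interval, the compression extensions and the sample file names are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Rotated name = base name + "-YYYYMMDD" (as in cron-20100906), optionally
# followed by a compression extension (.gz/.xz/.bz2 are assumed here).
ROTATED = re.compile(r"^(?P<base>.+)-(?P<stamp>\d{8})(?:\.(?:gz|xz|bz2))?$")

def parse_rotated(name):
    """Return (base, date) for a rotated log name, or None if it is not one."""
    m = ROTATED.match(name)
    if not m:
        return None
    try:
        stamp = datetime.strptime(m.group("stamp"), "%Y%m%d").date()
    except ValueError:  # eight digits that do not form a calendar date
        return None
    return m.group("base"), stamp

def rotation_gaps(names, max_interval_days=7):
    """Group rotated logs by base name and report every pair of consecutive
    rotations further apart than max_interval_days (weekly is an assumption;
    use the interval configured for the system being checked)."""
    by_base = defaultdict(set)
    for name in names:
        parsed = parse_rotated(name)
        if parsed:
            by_base[parsed[0]].add(parsed[1])
    limit = timedelta(days=max_interval_days)
    gaps = {}
    for base, stamps in by_base.items():
        ordered = sorted(stamps)
        missing = [(a, b) for a, b in zip(ordered, ordered[1:]) if b - a > limit]
        if missing:
            gaps[base] = missing
    return gaps

# Constructed sample listing of /var/log/ (not taken from a real system).
SAMPLE = ["cron", "cron-20100816", "cron-20100823", "cron-20100906",
          "secure", "secure-20100823", "secure-20100830.gz", "secure-20100906",
          "messages-20101340", "samba"]

if __name__ == "__main__":
    for base, spans in sorted(rotation_gaps(SAMPLE).items()):
        for start, end in spans:
            print(f"{base}: no rotated file between {start} and {end}")
```

A reported gap only means a file with the expected date is absent from the listing; compare it against the retention settings in /etc/logrotate.conf before drawing conclusions.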