cancel
Showing results for 
Search instead for 
Did you mean: 
Trevor
Starfighter Starfighter
Starfighter
  • 271 Views

Linux Logs

Log files in the /var/log directory


Linux logs are typically stored in the /var/log directory and
its subdirectories. Within the /var/log directory, logs are
organized into subdirectories based on their respective
categories or sources. For example:

- System Logs: System-related logs, such as kernel messages,
boot logs, and general system activity logs, are stored directly
in the /var/log directory.

- Application Logs: Logs generated by specific applications, such
as Apache web server logs (/var/log/apache2/), MySQL database
server logs (/var/log/mysql/), and mail server logs (/var/log/mail/),
are stored in separate subdirectories.

- Service Logs: Logs generated by system services, daemons, and
background processes are typically stored in subdirectories named
after the corresponding services. For example, logs for the SSH service
may be found in /var/log/sshd/.

- User Logs: Logs related to user activities, such as login/logout records
and command history, are stored in the /var/log/ directory or its
subdirectories, such as /var/log/auth.log.


On my Linux system, that is running RHEL 9.4, the following log
files appear directly (not in subdirectories) in the /var/log directory:


/var/log/btmp
- The BTMP file will reveal invalid login attempts, and where they originated.
- The data here shows not only the invalid login date, but if available, the
previous entry date, which can be used to help bracket times, in the event the
log file was tampered with to hide activity.
- The command utmpdump or lastb can be used to display the contents
of this file (e.g. lastb -f /var/log/btmp)

/var/log/cron
- Whenever the cron daemon (or anacron) starts a cron job,
it logs the information about the cron job in this file

DNF is the new package management tool (replacing yum), and
comes with 4 different log files:
/var/log/dnf.log
- The dnf. log file contains copies of the same information
about what package updates will be done, and were done,
as dnf itself prints interactively.
/var/log/hawkey.log
- only by setting the logfilelevel to 10.
- The purpose of the hawkey.log file is to record logging
information that can fill up the filesystem when updating
a system or synchronizing repositories using reposync.
/var/log/dnf.rpm.log
- The purpose of the dnf.rpm.log file is to record log information
for the DNF software package manager.
/var/log/dnf.librepo.log
- only by setting the logfilelevel to 10.
- The purpose of the dnf.librepo.log file is to record information
about the DNF package management tool for
Red Hat Enterprise Linux (RHEL)
- The dnf.librepo.log file records information about the DNF package
management tool, including usage patterns, activities, and operations.

/var/log/firewalld
- Used by firewalld daemon to store logs
- Debug messages are written to this file

/var/log/kdump.log
- The purpose of kdump.log is to store the contents of a
system's memory after a kernel crash, so that it can be
analyzed to determine the cause of the crash.

/var/log/lastlog
- Displays the recent login information for all the users.
- This is not an ascii file. You should use the lastlog command
to view the contents of this file.

/var/log/maillog
- Contains the log information from the mail server that
is running on the system. For example, sendmail logs
information to this file, about all the email items that
are sent.

/var/log/messages
- The main log file
- Contains global system messages, including the messages that are
logged during system startup.
- There are several things that are logged in /var/log/messages
including mail, cron, daemon, kern, auth, etc.

/var/log/secure
- Contains information related to authentication and authorization privileges.
For example, sshd logs all the messages here, including unsuccessful logins.

/var/log/spooler
- Usually contains nothing, except rare messages from USENET.
*** On my system, this is absolutely the case - the spooler log file has
been rotated 4 times, over a period of 5 months, without anything being
written to either file.

/var/log/tallylog
- The purpose of the file /var/log/tallylog is to keep
track of failed login attempts for programs that use
pam for authentication and have the pam_tally2.so
module configured.

/var/log/wtmp
- Contains login records.
- Using wtmp you can find out who is logged into the system.
- The who command uses this file to display the "who is logged
into the system" information.

The subdirectories on my RHEL 9.4 system, that exist in the /var/log
directory are:
⦁ /var/log/audit/
⦁ /var/log/chrony/
⦁ /var/log/httpd/
⦁ /var/log/private/
⦁ /var/log/qemu-ga/
⦁ /var/log/rhsm/
⦁ /var/log/sssd/
⦁ /var/log/tuned/


Note: There may be other log files on your Linux system - depending
on what you have installed and configured.

Trevor "Red Hat Evangelist" Chandler
Labels (3)
0 Replies
Join the discussion
You must log in to join this conversation.