Today's article is quite simple...

KGIII

Today, we simply cover one way to view some of the logs your system keeps. There are other logs but these are the nice and simple ones that you can use, like the kernel and system logs.

If that's something you're interested in doing:


See? Nice and easy...
 


I have been lambasted online for UUOC (check Wikipedia), but my finger memory operates in just the way the article describes.
 
I have been lambasted online for UUOC (check Wikipedia), but my finger memory operates in just the way the article describes.

That's because cat is awesome. I use cat fairly often.
 
See? Nice and easy...
Hey I like how you explain what various logs contain, but I would like to know if there are other types of system logs (ex. not those by user installed programs) that could be of interest to understand what the system does and what they mean.
 
Hey I like how you explain what various logs contain, but I would like to know if there are other types of system logs (ex. not those by user installed programs) that could be of interest to understand what the system does and what they mean.

That's not a simple task. For example...

Code:
 ls /var/log
anaconda           btmp-20240401    firewalld            lynis.log          ppp                spooler-20240331
audit              chrony           glusterfs            lynis-report.dat   private            spooler-20240407
BackupPC           cron             grafana              maillog            qemu-ga            spooler-20240414
blivet-gui         cron-20240324    hawkey.log           maillog-20240324   README             sssd
boot.log           cron-20240331    hawkey.log-20240324  maillog-20240331   samba              swtpm
boot.log-20240326  cron-20240407    hawkey.log-20240331  maillog-20240407   secure             tallylog
boot.log-20240328  cron-20240414    hawkey.log-20240407  maillog-20240414   secure-20240324    wtmp
boot.log-20240330  cups             hawkey.log-20240414  messages           secure-20240331    Xorg.0.log
boot.log-20240402  dnf.librepo.log  httpd                messages-20240324  secure-20240407    Xorg.0.log.old
boot.log-20240404  dnf.log          journal              messages-20240331  secure-20240414    Xorg.9.log
boot.log-20240410  dnf.log.1        lastlog              messages-20240407  speech-dispatcher
boot.log-20240413  dnf.log.2        libvirt              messages-20240414  spooler
btmp               dnf.rpm.log      lightdm              openvswitch        spooler-20240324

Debian/Ubuntu/Mint systems wouldn't have the dnf logs, as they don't use dnf.
Also, drawing the line between "system" logs and "application" logs is sometimes difficult.

In my case, lynis is an app, grafana is an app, libvirt is an app, httpd is an app, those ones are obvious.
But BackupPC is that a system log or an application log? (I don't use TimeShift) is Xorg a system app or application?

But some are obvious. messages, wtmp, boot.log, journal, those are the obvious "system" ones.
There is a command called "dmesg" in almost all Linux distros I have ever used.
It's just an aggregate of some of the system log output mentioned above.

You can use combinations of cat and grep to view the main system logs in messages.
boot.log obviously shows system boots, reboots, the time and who done it.
cron is similar, what cron jobs are running, which ones failed, what time did they fail?
wtmp is usually a binary file, don't use "cat" on that one. It'll confuse your terminal.
However, you can use "strings" (i.e. strings wtmp) to view the contents of that file. That gives you who is logged in and when they logged in and out. There is a lot more, but that should get you started, and keep in mind, all distros don't have the same log files, with the same names.
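An added example, not part of the post above: wtmp is a sequence of fixed-size binary records, which is why cat garbles the terminal. The sketch below decodes them field by field, assuming the glibc `struct utmp` layout on x86-64 Linux (384 bytes per record); the sample records are constructed, and `make_record` and `sample_wtmp` are helper names invented for this example.

```python
import struct
from datetime import datetime, timezone

# Assumption: glibc `struct utmp` on x86-64 Linux, 384 bytes per record.
UTMP = struct.Struct("<h2xi32s4s32s256shhiii16s20s")
TYPES = {1: "RUN_LVL", 2: "BOOT_TIME", 6: "LOGIN_PROCESS",
         7: "USER_PROCESS", 8: "DEAD_PROCESS"}

def _text(raw):
    """Fields are NUL-padded byte arrays; keep what precedes the first NUL."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def parse_wtmp(data):
    """Return one dict per complete record; a trailing partial record is skipped."""
    records = []
    for off in range(0, len(data) - UTMP.size + 1, UTMP.size):
        (ut_type, pid, line, _id, user, host, _term, _exit,
         _session, sec, _usec, _addr, _unused) = UTMP.unpack_from(data, off)
        records.append({
            "type": TYPES.get(ut_type, str(ut_type)),
            "pid": pid,
            "line": _text(line),
            "user": _text(user),
            "host": _text(host),
            "time": datetime.fromtimestamp(sec, timezone.utc).isoformat(),
        })
    return records

def make_record(ut_type, pid, line, user, host, sec):
    """Build one constructed record for the demo (not real log data)."""
    return UTMP.pack(ut_type, pid, line.encode(), b"", user.encode(),
                     host.encode(), 0, 0, 0, sec, 0, b"", b"")

def sample_wtmp():
    """Constructed input: a boot, a login, a logout, then a truncated tail."""
    return (make_record(2, 0, "~", "reboot", "constructed-kernel", 1713000000)
            + make_record(7, 4242, "pts/0", "alice", "192.0.2.10", 1713000600)
            + make_record(8, 4242, "pts/0", "", "", 1713004200)
            + b"\x00" * 10)

if __name__ == "__main__":
    # To read a real file instead: parse_wtmp(open("/var/log/wtmp", "rb").read())
    for rec in parse_wtmp(sample_wtmp()):
        print(rec)
```

On a live system `last -f /var/log/wtmp` reads the same records, and `lastb` reads btmp (failed logins), which uses the same record format.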
 
@dos2unix
Thanks, I see it takes philosophy to classify logs.
It's not a big problem; the good thing is that all logs are in a single directory, so it's a matter of googling what each of them means and then classifying them according to priorities, needs or personal opinion.
 
That's not a simple task.

Then there are applications that will store their own logs in their own directories, in your home profile.
 
blogpost request: journalctl basics ;)

That's actually a great idea. There's a lot to the command so just the basics is a good idea.

There's enough meat on the bone for a couple of articles. If I tried to cover it all in one go, people's eyes would gloss over it and move on to something else.
 
Also, drawing the line between "system" logs and "application" logs is sometimes difficult.

To quote an old friend and mentor in Linux Administration / Consulting: "you are doing it wrong" ;)

systemd-journal got you on this one. While all the logs land in one large file, you can filter journal logs by "fields".

In my case, lynis is an app, grafana is an app, libvirt is an app, httpd is an app, those ones are obvious.

All those should log to systemd journal and use unique fields (see below)

Take this example:

Code:
journalctl --file /var/log/journal/remote/all.journal -f _HOSTNAME=web-1.example.com _HOSTNAME=web-2.example.com _COMM=nginx --grep='404'

Forget the old logging system. Do everything with systemd and systemd's journals. It's much better, even if it looks a bit weird in the beginning. You will also be able to save MUCH more logs as the way it stores those is more efficient.

You can find usage examples for this in this section of our manual on using journalctl to filter logs, which is mostly written for people that search logs of their web applications. Replace the /var/log/journal/remote/all.journal with /var/log/journal/mNS6Kecx81iWxwKCV4vlUTol6qnOIfrJ/system.journal - I described in this blogpost on systemd-journal-remote, which lets you centralize logfiles from multiple servers to one server, what that fancy string (mNS6Kecx81iWxwKCV4vlUTol6qnOIfrJ) means, quote:

"By default these journal logs are stored directly on every server in a location like "/var/log/journal/8GYiL51Rgi2n5IyNFGqoGiBwaqQ4WRV0/system.journal", where "8GYiL51Rgi2n5IyNFGqoGiBwaqQ4WRV0" is the machine identifier set in "/etc/machine-id"."
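An added example, not part of the post above or of the linked manual: how the field matches in that journalctl command combine. Repeated matches on one field (`_HOSTNAME=` twice) are alternatives, different fields must all match, and `--grep` is a regular expression on MESSAGE. The input is constructed to look like `journalctl -o json` output (one JSON object per line); `filter_entries` and `PAGE_MATCHES` are names invented for this example.

```python
import json
import re
from collections import defaultdict

# Constructed sample shaped like `journalctl -o json` output.
SAMPLE_EXPORT = """\
{"_HOSTNAME":"web-1.example.com","_COMM":"nginx","MESSAGE":"GET /missing.html 404"}
{"_HOSTNAME":"web-2.example.com","_COMM":"nginx","MESSAGE":"GET /index.html 200"}
{"_HOSTNAME":"web-2.example.com","_COMM":"nginx","MESSAGE":"GET /old-page 404"}
{"_HOSTNAME":"web-3.example.com","_COMM":"nginx","MESSAGE":"GET /admin 404"}
{"_HOSTNAME":"web-1.example.com","_COMM":"sshd","MESSAGE":"port 404 in unrelated text"}
"""

# The matches from the command in the post.
PAGE_MATCHES = ["_HOSTNAME=web-1.example.com", "_HOSTNAME=web-2.example.com",
                "_COMM=nginx"]

def message_text(entry):
    """journalctl's JSON output writes non-UTF-8 messages as an array of byte values."""
    msg = entry.get("MESSAGE", "")
    if isinstance(msg, list) and all(isinstance(b, int) for b in msg):
        return bytes(msg).decode("utf-8", "replace")
    return str(msg)

def filter_entries(export_text, matches, grep=None):
    """Same field repeated: any value may match (OR). Different fields: all
    must match (AND). grep: regex searched in MESSAGE."""
    wanted = defaultdict(set)
    for arg in matches:
        field, _, value = arg.partition("=")
        wanted[field].add(value)
    pattern = re.compile(grep) if grep else None
    hits = []
    for line in export_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        if any(entry.get(f) not in values for f, values in wanted.items()):
            continue
        if pattern and not pattern.search(message_text(entry)):
            continue
        hits.append(entry)
    return hits

if __name__ == "__main__":
    for e in filter_entries(SAMPLE_EXPORT, PAGE_MATCHES, grep="404"):
        print(e["_HOSTNAME"], e["_COMM"], message_text(e))
```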
 