System Log Files in Ubuntu

May 19, 2010

As a system administrator, the system log files are some of your best friends. If you watch them carefully, you’ll often know in advance when something is wrong with the system, and you’ll be able to resolve most problems before they escalate.

Unfortunately, your ability to pay close attention to the log files dwindles with every server you’re tasked with administering, so administrators often use log-processing software that can be configured to alert them on certain events, or they write their own tools in languages such as Perl and Python.

Logs usually live in /var/log, and after your server runs for a while, you’ll notice there are a lot of increasingly older versions of the log files in that directory, many of them compressed with gzip (ending with the .gz filename extension).

Here are some log files of note:

/var/log/syslog: General system log

/var/log/auth.log: System authentication logs

/var/log/mail.log: System mail logs

/var/log/messages: General log messages

/var/log/dmesg: Kernel ring buffer messages, usually since system boot-up

Your Log Toolbox

When it comes to viewing logs, you should become familiar with a few tools of choice. The tail utility prints, by default, the last ten lines of a file, which makes it a neat tool to get an idea of what’s been happening in a given log file:

$ tail /var/log/syslog

With the -f parameter, tail launches into follow mode, which means it’ll open the file and keep showing you the changes on the screen as they’re happening. If you want to impress your friends with your new system administrator prowess, you can now easily recreate the Hollywood hacker staple: text furiously blazing across the screen.

Also invaluable are zgrep, zcat, and zless, which operate like their analogues that don’t begin with a z, but on gzip-compressed files. For instance, to get a list of lines in all your compressed logs that contain the word “warthog” regardless of case, you would issue the following command:

$ zgrep -i warthog /var/log/*.gz

Your toolbox for dealing with logs will grow with experience and based on your preferences, but to get an idea of what’s already out there, do an apt-cache search for “log files.”
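As an illustration of the home-grown Python tools mentioned earlier, here is an added example (not part of the original post) that reads auth.log together with a gzip-compressed rotation and flags source addresses with repeated failed SSH password attempts. The threshold, the file names, and the sample log lines are assumptions constructed for the demonstration.

```python
import gzip
import re
import tempfile
from collections import Counter
from pathlib import Path

# sshd's message for a rejected password, as it appears in auth.log
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

def open_log(path):
    """Open a log as text, transparently handling gzip-compressed rotations."""
    path = Path(path)
    if path.suffix == ".gz":
        return gzip.open(path, "rt", encoding="utf-8", errors="replace")
    return open(path, "r", encoding="utf-8", errors="replace")

def failed_logins(paths):
    """Count failed SSH password attempts per source address across all files."""
    counts = Counter()
    for path in paths:
        with open_log(path) as log:
            for line in log:
                match = FAILED.search(line)
                if match:
                    counts[match.group(1)] += 1
    return counts

def alerts(counts, threshold=3):
    """Return (address, count) pairs at or above the threshold, noisiest first."""
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]

def demo():
    """Run the scan over constructed sample logs (not real data)."""
    old = ["May 18 23:59:01 web1 sshd[811]: Failed password for root from 203.0.113.5 port 40122 ssh2\n",
           "May 18 23:59:04 web1 sshd[811]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2\n"]
    new = ["May 19 00:00:07 web1 sshd[902]: Failed password for root from 203.0.113.5 port 40310 ssh2\n",
           "May 19 08:14:55 web1 sshd[977]: Failed password for alice from 198.51.100.9 port 51800 ssh2\n",
           "May 19 08:15:02 web1 sshd[977]: Accepted password for alice from 198.51.100.9 port 51800 ssh2\n"]
    with tempfile.TemporaryDirectory() as tmp:
        current, rotated = Path(tmp, "auth.log"), Path(tmp, "auth.log.2.gz")
        current.write_text("".join(new))
        with gzip.open(rotated, "wt") as fh:
            fh.writelines(old)
        return alerts(failed_logins([current, rotated]))

if __name__ == "__main__":
    for ip, n in demo():
        print(f"ALERT: {n} failed SSH logins from {ip}")
```

To run it against a real server, pass failed_logins() the paths to /var/log/auth.log and its rotated copies; on Ubuntu those files are readable only by root and members of the adm group.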
