14 Critical Log Files You Need to Monitor for System Security

In the realm of Linux system administration, monitoring log files is essential for maintaining a healthy and secure environment.

Linux distributions generate a multitude of log files that capture crucial information about system events, errors, and user activities. These log files act as a silent witness, providing valuable insights into the inner workings of a Linux system.

In this article, we will delve into the details of some of the critical Linux log files, understanding the purpose and location of these log files, along with the insights they offer, equips system administrators with the necessary tools to proactively manage and secure their Linux infrastructure.

We will explore a range of log files, from system-wide logs to those specific to vital services such as web servers, databases, and authentication mechanisms. Each log file provides a unique glimpse into a specific aspect of the system, delivering a treasure trove of information for troubleshooting and performance optimization.

By proactively monitoring these log files, system administrators can take control of their Linux systems, preemptively address issues, and ensure a robust and secure infrastructure. So, let’s get started!

1. /var/log/messages
2. /var/log/syslog
3. /var/log/auth.log
4. /var/log/kern.log
5. /var/log/dmesg
6. /var/log/boot.log
7. /var/log/secure
8. /var/log/cron
9. /var/log/httpd/ or /var/log/apache2/
10. /var/log/mysql/ or /var/log/mariadb/
11. /var/log/maillog or /var/log/mail/
12. /var/log/audit/audit.log
13. /var/log/wtmp
14. /var/log/btmp

1. /var/log/messages

It includes system messages, including kernel events, daemon messages and user level processes.

What info gets logged here?

• Generic system activity logs
• Informational messages
• Non-critical system events.

Messages in this file can range from informational to warning and error messages.

How to use these logs?

Track all non-kernel boot errors, application-related service errors, and message logging for the boot process during the startup process of a system.

Example: Checking for system-wide errors and warnings.

sudo cat /var/log/messages | grep "error\|warning"

2. /var/log/syslog

It is another system log file that collects messages from different system services, daemons, and applications.

What info gets logged here:

Similar to /var/log/messages, it contains messages from various applications and services.

How to use these logs?

It serves as a central repository for system logs, useful for troubleshooting issues across different components.

Example: Monitoring system messages related to a specific service.

sudo tail -f /var/log/syslog | grep "service_name"

3. /var/log/auth.log

The log file is often used by system administrators and security professionals to monitor and troubleshoot authentication issues and track potential security breaches.

What info gets logged here:

• Authentication-related events including successful and failed login attempts
• User authentication activities

How to use these logs?

Monitor user login activities, detect unauthorized access attempts, and investigate authentication failures.

Example: Checking failed login attempts.

sudo cat /var/log/auth.log | grep "Failed"

4. /var/log/kern.log

/var/log/kern.log is is a system log file found in Linux-based operating systems, including Ubuntu and Debian.

What info gets logged here:

Kernel-related messages and events, including hardware or driver issues.

How to use these logs?

Diagnose kernel-level problems, identify hardware or driver failures, and analyze system crashes.

Example: Checking for kernel-related errors.

sudo cat /var/log/kern.log | grep "error"

5. /var/log/dmesg

The /var/log/dmesg command is useful while checking the system's boot log or diagnosing hardware-related issues and driver problems.

What info gets logged here:

• Messages generated by the kernel during the boot process
• Hardware detection
• System initialization.

How to use these logs?

Check for hardware compatibility, driver loading, and system boot issues.

Example: Checking hardware-related information from the last boot.

dmesg | less

6. /var/log/boot.log

/var/log/boot.log contains the log messages and information related to the system's boot process.

What info gets logged here:

Information about the system boot process, includes services start and fail time, initialization of system components, and any errors or warnings that occurred during the boot process.

How to use these logs?

Troubleshoot boot-related issues, and identify services causing problems during startup.

Example: Checking the boot log.

sudo cat /var/log/boot.log

7. /var/log/secure

This file contains sensitive information related to security events, access to it is typically restricted to the root user.

What info gets logged here:

Authentication and authorization events related to system security, such as SSH logins and sudo commands.

How to use these logs?

Monitor user authentication, track login attempts, identify security breaches, and audit system activities.

Example: Checking SSH login activity.

sudo cat /var/log/secure | grep "sshd"

8. /var/log/cron

It contains log messages related to the execution of scheduled tasks and cron jobs on the system.

What info gets logged here:

Information about cron jobs, which are scheduled tasks on the system.

How to use these logs?

Monitor scheduled tasks, and check for successful or failed execution of cron jobs.

Example: Checking cron job activity.

sudo cat /var/log/cron | grep "CRON"

9. /var/log/httpd/ or /var/log/apache2/

var/log/httpd/ and /var/log/apache2/ are commonly found on Linux-based systems running the Apache HTTP Server. The specific directory name depends on the Linux distribution being used, as different distributions may use different names for the Apache log directory.

What info gets logged here:

• Apache web server logs
• Access logs - Record details about HTTP requests, including accessed files, client IPs, and response codes.
• Error logs - Capture server errors, warnings, and debugging information.

How to use these logs?

Diagnose web server issues by analysing website traffic, detecting anomalies, and troubleshooting issues.

Example: Checking Apache access logs.

sudo tail -f /var/log/apache2/access.log

10. /var/log/mysql/ or /var/log/mariadb/

MySQL and MariaDB are popular relational database management systems, and the log directory may be different depending on whether you are using MySQL or MariaDB.

What info gets logged here:

• MySQL or MariaDB database logs.
• Error logs - Capture server errors, warnings, and debugging information.
• Query logs - Record executed SQL queries, including their execution time.

How to use these logs?

Debug database-related issues, monitor query performance, and identify errors or slow queries.

Example: Checking MySQL/MariaDB error log.

sudo tail -f /var/log/mysql/error.log

11. /var/log/maillog or /var/log/mail/

/var/log/maillog or /var/log/mail/ are both related to mail services on Linux-based systems, but they are associated with different email servers and configurations.

What info gets logged here:

Mail server logs, including send and receive activities, as well as various errors and warnings associated with the email system.

How to use these logs?

Troubleshoot email delivery issues, track mail server performance, and analyze mail server activity.

Example: Checking mail server logs.

sudo tail -f /var/log/maillog

12. /var/log/audit/audit.log

The Audit framework provides powerful auditing capabilities that allow monitoring and recording of security-related events on the system. This feature is often used for compliance purposes and security auditing.

What info gets logged here:

Logs generated by the Linux Audit framework.

How to use these logs?

Monitor and track system-level events, including file accesses, user actions, and security-related activities.

Example: Checking audit logs for unauthorized access attempts.

sudo cat /var/log/audit/audit.log | grep "failed"

13. /var/log/wtmp

The wtmp log file is commonly used for accounting purposes, allowing system administrators to track user activities and login times.

What info gets logged here:

Records of user login and logout activities.

How to use these logs?

Review user login history, identify unauthorized access, and investigate user sessions.

Example: Checking user login history.

last

By default, the "last" command shows a list of recent login sessions, including information about user logins, logouts, and the duration of each session.

14. /var/log/btmp

The btmp log file is commonly used for security auditing purposes, allowing system administrators to track unauthorized login attempts and potential security breaches.

What info gets logged here:

Records of failed login attempts.

How to use these logs?

Identify and investigate failed login attempts, and detect potential security threats.

Example: Checking failed login attempts.

lastb

How can Log Analysis tools help?

Log analysis tools play a crucial role in effectively monitoring and analyzing critical Linux log files. These tools offer various features and functionalities that significantly enhance the process of log analysis, making it more efficient and insightful for system administrators.

They offer the following features:-

• Centralized log collection - Collects logs from multiple sources and stores them in a centralized location. This makes it easier for admins to manage these logs.
• Real-time monitoring - Respond to issues right away when they occur, they also offer advanced search and filtering options for optimized monitoring experience.
• Dashboards and analytics - Keep track of what is happening, what has happened before, identify patterns and strategize ways to minimize those problems.
• Log Retention and archiving - Especially useful for companies that need to store data for longer periods of time.

Popular Log Analysis Tools

1. Atatus Logs Monitoring and Management is a comprehensive logging tool that can be integrated with other third-party extensions as well as set alerts to notify of any mishaps in the system.
2. ELK Stack allows you to centralize logs, parse and process them using Logstash, store them in Elasticsearch, and visualize and analyze the data using Kibana.
3. Splunk is a commercial log analysis tool that offers powerful features for collecting, indexing, searching, and visualizing log data from various sources.
4. Graylog is an open-source log management and analysis platform that provides centralized log storage, advanced search capabilities, and dashboards for visualizing log data.

Conclusion

Throughout this article, we have looked at different Linux log files and their specifications - as in what they really contain, where they store this information and how they can be useful to us.

It's important to note that the specific log files and their locations can vary depending on the Linux distribution, software installations, and system configurations.

Always refer to the documentation or manual pages provided by your distribution or software vendors for precise details about log files and their usage.

Atatus Logs Monitoring and Management

Atatus offers a Logs Monitoring solution which is delivered as a fully managed cloud service with minimal setup at any scale that requires no maintenance. It monitors logs from all of your systems and applications into a centralized and easy-to-navigate user interface, allowing you to troubleshoot faster.

We give a cost-effective, scalable method to centralized logging, so you can obtain total insight across your complex architecture. To cut through the noise and focus on the key events that matter, you can search the logs by hostname, service, source, messages, and more. When you can correlate log events with APM slow traces and errors, troubleshooting becomes easy.

Try your 14-day free trial of Atatus.