Using the Linux Log Files
The various processes running under Linux log various nuggets of information to a variety of log files, which all sit under the /var/log directory. The table below gives a brief description of what they are used for and what you can expect to find within them:
| File | Description | Useful For |
|---|---|---|
| auth.log | Contains requests for privileged access such as sudo requests, Pluggable Authentication Module (PAM) requests, remote machines attempting to access your PC (e.g. ssh), etc. | Finding out who/what is accessing your machine and installing things |
| boot.log | Messages generated during the boot sequence in Fedora | Diagnosing startup problems |
| cron | Contains logs from the cron scheduler | Finding out if / why your scheduled jobs failed |
| cups/error.log | Contains problems encountered by CUPS (Common Unix Printing System) | Diagnosing problems whilst trying to output to a printer |
| daemon.log | The log file for any processes running in the background (i.e. jobs) | Helpful if you have problems with Gnome (gdm daemon), MySQL (mysqli daemon), etc. |
| dmesg | Contains messages output by the Linux kernel at boot time | Diagnosing boot problems or devices which fail to come up at boot time |
| kern.log | Contains all messages output by the Ubuntu Linux kernel | Diagnosing problems with a new kernel installation (e.g. Linux upgrade) or major system problems |
| mail.log / maillog | Contains messages output by sendmail | Troubleshooting email problems |
| messages | This is the default log for Fedora; under Ubuntu, it contains messages output by applications and other non-kernel accessories | Diagnosing problems with applications or utilities, but note that many utilities (e.g. Samba, Apache) log to their own files under /var/log |
| syslog | The Ubuntu system log file | This is the default log for Ubuntu and normally contains the most information (although it is often difficult to see the wood for the trees) |
| Xorg.0.log | The X-windows system log file | This contains messages and errors setting up the graphical user interface (X-windows) that Gnome is built upon |
Sometimes you don't realise you have a problem until some time after you begin to feel its effects: in these cases, it's good to know that Linux keeps several generations of log files by default (you can generally change the number of generations and how often they are rolled if you'd prefer). In this way, you can look back over several days/weeks to see if the same error has occurred before. When Linux creates a new logfile, it renames (rolls) the previous file to contain a numeric generation number at the end, such as:
<Log file name>.<Generation number>
Normally, after a specified number of generations (or, over a given size), these generations may be gzipped to compress them (.gz). Here are some examples of log file generations:
$ ls *.[0-9]*
alternatives.log.1 dmesg.4.gz mysql.log.5.gz syslog.6.gz
apport.log.1 dpkg.log.1 mysql.log.6.gz syslog.7.gz
auth.log.1 jockey.log.1 mysql.log.7.gz user.log.1
btmp.1.gz kern.log.1 pm-powersave.log.1 wtmp.1.gz
daemon.log.1 lpr.log.1 pm-suspend.log.1 Xorg.0.log
debug.1 messages.1 syslog.1 Xorg.0.log.old
dmesg.0 mysql.log.1.gz syslog.2.gz Xorg.1.log
dmesg.1.gz mysql.log.2.gz syslog.3.gz
dmesg.2.gz mysql.log.3.gz syslog.4.gz
dmesg.3.gz mysql.log.4.gz syslog.5.gz
As these logs are often large, I find the best way to access them is using grep, for example:
$ grep -i "fatal" /var/log/*
In this case, the PC being used was experiencing disc (SATA interface) problems and returned the following:
kern.log:Feb 13 13:52:38 fredb-desktop kernel: [ 7124.313951] ata3.00: irq_stat 0x08000000, interface fatal error
syslog.1:Feb 13 13:52:38 fredb-desktop kernel: [ 7124.313951] ata3.00: irq_stat 0x08000000, interface fatal error
Note that the error message was logged twice: to both the kern.log and syslog files.
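The grep shown above does not search the text inside the gzipped generations, so older occurrences of an error can be missed. The following is an added example, not part of the original article: a shell function that searches every generation of one log, oldest first, decompressing the .gz files on the way. The function names and the sample log lines marked "constructed" are assumptions of this example.

```shell
#!/bin/sh
# Added example: search all generations of one log file, oldest first,
# including the gzip-compressed generations.

# search_generations DIR BASE PATTERN
# Prints "file:line" for every case-insensitive match found in
# DIR/BASE, DIR/BASE.N and DIR/BASE.N.gz.
search_generations() {
    dir=$1; base=$2; pattern=$3
    for f in "$dir/$base" "$dir/$base".[0-9]*; do
        [ -f "$f" ] || continue              # skip an unmatched glob
        gen=${f#"$dir/$base"}                # "", ".1", ".2.gz", ...
        gen=${gen#.}; gen=${gen%.gz}         # keep only the generation number
        printf '%s\t%s\n' "${gen:--1}" "$f"  # the live file sorts as newest (-1)
    done | sort -t "$(printf '\t')" -k1,1nr | cut -f2 |
    while IFS= read -r f; do
        case $f in
            *.gz) gzip -dc -- "$f" ;;        # compressed generation
            *)    cat -- "$f" ;;             # live file or uncompressed generation
        esac | grep -i -- "$pattern" | awk -v name="${f##*/}" '{ print name ":" $0 }'
    done
}

# make_sample_logs DIR
# Writes three generations of a syslog file into DIR. The syslog.1 line is
# the one quoted in the article; the other two lines are constructed.
make_sample_logs() {
    printf '%s\n' 'Feb 15 09:00:01 fredb-desktop CRON[101]: session opened (constructed)' \
        > "$1/syslog"
    printf '%s\n' 'Feb 13 13:52:38 fredb-desktop kernel: [ 7124.313951] ata3.00: irq_stat 0x08000000, interface fatal error' \
        > "$1/syslog.1"
    printf '%s\n' 'Feb 10 08:11:02 fredb-desktop kernel: ata3.00: interface fatal error (constructed)' \
        | gzip -c > "$1/syslog.2.gz"
}

# Demonstration on the constructed sample; on a real machine the call would
# be: search_generations /var/log syslog fatal
demo_dir=$(mktemp -d)
make_sample_logs "$demo_dir"
search_generations "$demo_dir" syslog fatal
rm -rf "$demo_dir"
```

The output lists the match from syslog.2.gz before the one from syslog.1, which shows that the same error had already occurred in an older generation.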
This will always be the tricky part! Often, the log message will give you a clue to the source of the error (i.e. in the example above, we can see it's an error from the SATA disc controller) but it will not be immediately obvious how to fix it. I would advise inexperienced Linux users to paste a section of the error message into their favourite search engine, to see what comes up: often there is plenty! If you don't find a match, try a smaller sample of the message until you do get something - then add in extra pieces to narrow down the search later:
