Linux Topic
   >  Housekeeping Duties
   >  Auto Starting Applications
   >  Monitoring System Resources
   >  Controlling Processes
   >  Linux Log Files


Using the Linux Log Files

The Main Linux Log Files

The various processes running under Linux log various nuggets of information to a variety of log files, which all sit under the /var/log directory. The table below gives a brief description of what they are used for and what you can expect to find within them:

FileDescriptionUseful For
auth.logContains requests for privileged access such as sudo requests, Plugable Authentication Module (PAM) requests, remote machines attempting to access your PC (e.g. ssh), etcFinding out who/what is accessing your machine and installing things
boot.logMessages generated during the boot sequence in FedoraDiagnosing startup problems
cronContains logs from the cron schedulerFinding out if / why your scheduled jobs failed
cups/error.logContains problems encountered by CUPS (Common Unix Printing System)Diagnosing problems whilst trying to output to a printer
daemon.logThe log file for any processes running in the background (-i.e. jobs)Helpful if you have problems with Gnome (gdm daemon), mySQL (mysqli daemon), etc
dmesgContains messages output by the Linux kernel at boot timeDiagnosing boot problems or devices which fail to come up at boot time
kern.logContains all messages output by the Ubuntu Linux kernelDiagnosing problems with a new kernel installation (-e.g. Linux upgrade) or major system problems
mail.log / maillogContains messages output by sendmailTroubleshooting email problems
messagesThis is the default log for Fedora; under Ubuntu, it contains messages output by applications and other non-kernel accessoriesDiagnosing problems with applications or utilities, but note that many utilities (-e.g. Samba, Apache) log to their own files under /var/log
syslogThe Ubuntu system log fileThis is the default log for Ubuntu and normally contains the most information (-although it is often difficult to see the wood for the trees)
Xorg.0.logThe X-windows system log fileThis contains messages and errors setting up the graphical user interface (X-windows) that Gnome is built upon

Log Files Generations

Sometimes you don't realise you have a problem until some time after you begin to feel it's effects: in these cases, it's good to know that Linux keeps several generations of log files by default (-you can generally change the number of generations and how often they are rolled if you'd prefer). In this way, you can look back over several days/weeks to see if the same error has occurred before. When Linux creates a new logfile, it renames (rolls) the previous file to contain a numeric generation number at the end, such as:

<Log file name>.<Generation number>

Normally, after a specified number of generations (-or, over a given size), these generations may be gziped to compress them (.gz). Here are some examples of log file generations:

$ ls *.[0-9]*
alternatives.log.1   dmesg.4.gz       mysql.log.5.gz           syslog.6.gz
apport.log.1           dpkg.log.1         mysql.log.6.gz           syslog.7.gz
auth.log.1              jockey.log.1       mysql.log.7.gz           user.log.1
btmp.1.gz              kern.log.1          pm-powersave.log.1  wtmp.1.gz
daemon.log.1        lpr.log.1             pm-suspend.log.1     Xorg.0.log
debug.1                 messages.1      syslog.1                     Xorg.0.log.old
dmesg.0                mysql.log.1.gz   syslog.2.gz                Xorg.1.log
dmesg.1.gz           mysql.log.2.gz   syslog.3.gz
dmesg.2.gz           mysql.log.3.gz   syslog.4.gz
dmesg.3.gz           mysql.log.4.gz   syslog.5.gz

Accessing the Linux Log Files

As these logs are often large, I find the best way to access then is using grep, for example:

$ grep -i "fatal" /var/log/*

In this case, the PC being used was experiencing disc (SATA interface) problems and returned the following:

kern.log:Feb 13 13:52:38 fredb-desktop kernel: [ 7124.313951] ata3.00: irq_stat 0x08000000, interface fatal errorsyslog.1:Feb 13 13:52:38 fredb-desktop kernel: [ 7124.313951] ata3.00: irq_stat 0x08000000, interface fatal error

Note: that the error message was logged twice: to both the kern.log and syslog files.

Finding the Root Cause

This will always be the tricky part! Often, the log message will give you a clue to the source of the error (-i.e. in the example above, we can see it's an error from the SATA disc controller) but it will not be immediately obvious how to fix it. I would advise inexperienced Linux users to paste a section of the error message into their favourite search engine, to see what comes up: often there is plenty! If you don't find a match, try a smaller sample of the message until you do get something - then add in extra pieces to narrow down the search later:

Research using a Search Engine

HomeSite IndexDesktop GuideServer GuideHints and TipsHardware CornerVideo SectionContact Us

 sitelock verified Firefox Download Button