If you manage any Linux machines, it is essential that you know where the log files are located, and what is contained in them. Such files are usually in /var/log. Logging is controlled by the associated .conf file.
Some log files are distribution specific and this directory can also contain applications such as samba, apache, lighttpd, mail etc.
From a security perspective, here are 5 groups of files which are essential. Many other files are generated and will be important for system administration and troubleshooting.
1. The main log file
a) /var/log/messages â€“ Contains global system messages, including the messages that are logged during system startup. There are several things that are logged in /var/log/messages including mail, cron, daemon, kern, auth, etc.
2. Access and authentication
a) /var/log/auth.log â€“ Contains system authorization information, including user logins and authentication machinsm that were used.
b) /var/log/lastlog â€“ Displays the recent login information for all the users. This is not an ascii file. You should use lastlog command to view the content of this file.
c) /var/log/btmp â€“ This file contains information about failed login attemps. Use the last command to view the btmp file. For example, â€ślast -f /var/log/btmp | moreâ€ť
d) /var/log/wtmp or /var/log/utmp â€“ Contains login records. Using wtmp you can find out who is logged into the system. who command uses this file to display the information.
e) /var/log/faillog â€“ Contains user failed login attemps. Use faillog command to display the content of this file.
f) /var/log/secure â€“ Contains information related to authentication and authorization privileges. For example, sshd logs all the messages here, including unsuccessful login.
3. Package install/uninstall
a) /var/log/dpkg.log â€“ Contains information that are logged when a package is installed or removed using dpkg command
b) /var/log/yum.log â€“ Contains information that are logged when a package is installed using yum
a) /var/log/daemon.log â€“ Contains information logged by the various background daemons that runs on the system
b) /var/log/cups â€“ All printer and printing related log messages
c) /var/log/cron â€“ Whenever cron daemon (or anacron) starts a cron job, it logs the information about the cron job in this file
b) /var/log/maillog /var/log/mail.log â€“ Contains the log information from the mail server that is running on the system. For example, sendmail logs information about all the sent items to this file
b) /var/log/Xorg.x.log â€“ Log messages from the XWindows system