Linux Logging

Linux logs are save usually in /var/log folder. Most linux distribution uses syslog, syslog-ng or rsyslog software for logging or sending them to remote servers. Analytics and visualisation software such a Elasticsearch and Kibana can be used for log inspection.

Usage by Distribution:

• Debian/Ubuntu: rsyslog
• RHEL/Fedora:

Standard logs:

• Debian/Ubuntu: /var/log/syslog
• RHEL/Fedora: /var/log/message

SSH sessions logging:

• Debian/Ubuntu: /var/log/auth.log
• RHEL/Fedora: /var/log/secure

Ubuntu:

• /var/log/kern.log

Rsyslog[edit]

Rsyslogd supports queued operations to handle offline outputs. Official documentation: https://www.rsyslog.com/doc/v8-stable/configuration/index.html

Log checkers[edit]

• logcheck https://salsa.debian.org/debian/logcheck
• logwatch https://git.code.sf.net/p/logwatch/git

Rsyslog Configuration[edit]

Default configuration files by Distribution:

• Debian: /etc/rsyslog.conf man rsyslog.conf: https://linux.die.net/man/5/rsyslog.conf
• Ubuntu: /etc/rsyslog.d/50-default.conf

Container logging: Docker[edit]

• docker logs command show docker logs.

See also https://stackoverflow.com/questions/30969435/where-is-the-docker-daemon-log/30970134#30970134 for further information about docker logs.

• docker-compose logs

Related terms[edit]

• Zabbix agent
• Cisco logging

Activities[edit]

• Understand container logging (part of CKAD certification)
• Read "The Twelve-Factor App": XI.: Logs https://12factor.net/logs
• Review linux Journalctl logs messages

See also[edit]

• ack, ag, grep, egrep, fgrep, agrep, ngrep, pgrep, awk, sed, strings, tr, tail, mtail, git grep, wc, uniq, LogQL, findstr (Windows), rg, git-grep, cut
• journald: journalctl journald.conf, journalctl --help, /dev/console
• Linux logging, Cisco IOS logging
• Audit: acct, atop, tripwire, AIDE, auditd, debsums, AWS Cloudtrail, logwatch, logcheck, Google Santa, Coguard
• Netflow for network logging
• MQ, PubSub, AMQP, NATS, Apache Kafka, IBM MQ, ActiveMQ, Fuse Message Broker, MQTT, NSQ, RabbitMQ, AWS Kinesis and NATS Messaging, ZeroMQ, Message-oriented middleware (MOM), Apache Pulsar, HiveMQ
• fluentd
• Elastic: ELK, Elasticsearch, Logstash, Kibana, Installation, AWS Elasticsearch, Elastic SIEM, Elastic Beats, metricbeat, filebeat, journalbeat, Elastisearch Service , Search guard, Elasticsearch logs, curator, ILM, Lumberjack protocol, aws_elasticsearch_domain, KQL, elasticsearch.yml, elasticsearch-plugin, elasticsearch-certutil, Elasticsearch release notes/changelog
• Standard streams: /dev/stdin, /dev/stdout, /dev/stderr, /dev/null, File descriptor, set -x, 2>&1, stdbuf
• Cisco IOS logging: show logging

Text is available under the Creative Commons Attribution-ShareAlike License; additional terms may apply. By using this site, you agree to the Terms of Use and Privacy Policy. Original source: https://en.wikiversity.org/wiki/Linux/logging