Guest blog post by Tavis J. Hampton
If you happen to find yourself in a position where you need to manage a dedicated server, you will find that security, maintenance, and troubleshooting will be regular parts of your job. For Linux and other Unix-like operating systems, the main method for managing the server is SSH (Secure Shell).
While there are plenty web-based control panels that can make some mundane tasks easier, SSH gives you remote access directly to the server’s command-line interface. Nothing is more powerful, and with great power, comes great responsibility. One of your responsibilities is to make sure your server is running smoothly, and one way to accomplish that is to monitor server logs.
Common log files
On a Linux server, the primary directory for storing log files is usually /var/log. Here are a list of some of the common logs you will find:
- /var/log/syslog– Kernel messages and system alerts
- /var/log/dmesg– Boot time information and kernel events
- /var/log/maillog– Mail server information and errors
- /var/log/httpd/access_log – Web server access information for every website. (may be found in other locations, such as /var/log/apache2/access.log)
- /var/log/httpd/error_log – Web server errors. This includes information such as the IP address of the user agent, time of error, etc.
- /var/log/secure – Authentication messages and errors (A good place to look for possible security breaches)
- /var/log/mysql/error.log – Any errors reported by MySQL database server
In addition to /var/log, some software packages may store their log files in their own directories. If you are unsure, you should check the software’s documentation.
According to the server gurus at the UK managed server company 34SP.com, a service called “logrotate” controls the archiving of log files so that your logs will not become too large. Periodically, logrotate will compress the current log file , change its name, and then create a new empty log file in its place. Because of this, you may have several entries in /var/log for one log, but the archives will have additional extensions (i.e. mail.log, mail.log.1, mail.log.2.gz, mail.log.3.gz).
Viewing log files
Linux logs are stored in plain text files. This means that any text reader or editor can view them. Since log files can be very long, Linux provides two tools that you can use to scroll through a log file, just like reading a document on your computer.
Less – The “less” command allows you to scroll through a log line-by-line using your keyboard’s arrow keys, PageUp, PageDown, Home, End, and the mouse wheel. This gives you the ability to read text files in a natural-feeling way. To view the email log, for example, you would type from the command line:
When you are finished viewing the log file, press the letter “q” to quit.
More – More takes a different approach to viewing a file. It is useful if you intend to read something from beginning to end, and it gives you a percentage in the bottom left that tells you how much of the document you have read. You can advance the document line-by-line with the Enter key or press the Space bar to advance one page at a time. Press “q” to quit.
Tail – In some situations, you only need to see the latest few log entries or monitor log entries as they appear. The “tail” command gives you that power. To view the latest few lines of the dmesg log, for example, you would type:
To monitor the log and view lines as they appear, type:
tail -f /var/log/dmesg
Searching log files
There are a few ways to search files in Linux, but none are more powerful than grep. With grep, you can search for very specific words, lines, characters, or various combinations within your log files. This is particularly useful if, for example, you have a very busy web server and only need to see a specific error, time, IP address, or other limited scope of information.
As an example, if you wanted to search the “dmesg” log for all instances of the word “link”, you would type the following:
cat /var/log/dmesg | grep link
Log file monitoring
Since you cannot always be logged into your server, monitoring it 24 hours a day, you will need to set up some type of monitoring system. There are plenty of free scripts that will monitor system services and alert you whenever one of them goes down, but most of them do not look at log files for errors.
One tool you can use for log monitoring is called logwatch. With it, your system can be setup to create log reports and email the results to you at periodic intervals. There are also third-party services available that may provide log file analysis, reporting, and alerts.
Linux log files are very important and deserve your attention when you want to solve a problem, and it is a good practice to check them even when everything appears to be fine. By being proactive and diligent, you can prevent future issues and use the information you gather to make your server more secure and efficient.
Tavis J. Hampton is a librarian and writer with a decade of experience in information technology, web hosting, and Linux system administration. He currently works for LanternTorch.Net, which offers writing, editing, tech training, and information architecture services.