Linux Logging

The Linux operating system has a built-in logging facility. Its purpose is to record system events, as well as application events and user events.

Why Log Events?

A log of events is very important to the system administrator for troubleshooting errors and system faults, and for understanding the activities performed by a user, e.g. their last login.

View Log Events

Log events are recorded in /var/log.

If you navigate to this directory using the CLI and run ‘ls’ you will see a number of log files.

messages – the generic log file, recording startup events and application events

dmesg – kernel messages, including boot-up messages and hardware information

boot.log – the information you see on screen when Linux boots

cron – cron job events

To view one of the above log files, simply enter ‘more messages’ to page through the messages log.

Special note: dmesg is also a command, e.g. typing ‘dmesg | grep -i usb’ returns only the kernel messages containing the keyword usb (the -i makes the match case-insensitive).

To follow the messages log and show new entries containing ‘usb’ as they arrive, try the following command:

tail -f messages | grep 'usb'

What Next?

Familiarity with the following commands will help you navigate the various log files:

less, more, cat, tail – used for viewing files at the CLI

grep – a very powerful utility for pattern matching and text searching

logger – enables the user to log events from the CLI
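As an added example (not part of the original article), the following shell script applies grep to a constructed, syslog-style sample of the messages file: it searches case-insensitively for a keyword, as the dmesg example above does, and then summarises which program produced the matching lines, which is the first question an administrator asks of a hit. The sample lines, the temporary file and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: search a syslog-style "messages" file for a keyword and
# summarise the hits by the program that logged them.
# The log lines below are constructed to resemble /var/log/messages;
# no real log file is read.

SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 09:12:01 host01 kernel: usb 1-2: new high-speed USB device number 4 using xhci_hcd
Mar  3 09:12:01 host01 kernel: usb 1-2: New USB device found, idVendor=0781, idProduct=5581
Mar  3 09:15:00 host01 CRON[2113]: (root) CMD (run-parts /etc/cron.hourly)
Mar  3 09:16:42 host01 sshd[2150]: Accepted password for alice from 192.0.2.10 port 51234 ssh2
Mar  3 09:20:07 host01 systemd[1]: Started Session 3 of user alice.
Mar  3 09:21:30 host01 kernel: usb 1-2: USB disconnect, device number 4
EOF

# search_log FILE KEYWORD: print every line containing KEYWORD, ignoring case
# (the same behaviour as 'dmesg | grep -i usb').
search_log() {
    grep -i -- "$2" "$1"
}

# count_matches FILE KEYWORD: number of matching lines, with no padding.
count_matches() {
    search_log "$1" "$2" | wc -l | tr -d ' '
}

# hits_by_program FILE KEYWORD: one "program count" pair per line.
# The program name is the fifth syslog field ("kernel:", "sshd[2150]:");
# the [pid] suffix and trailing colon are stripped before counting.
hits_by_program() {
    search_log "$1" "$2" \
        | awk '{ sub(/\[.*\]:?$/, "", $5); sub(/:$/, "", $5); print $5 }' \
        | sort | uniq -c | awk '{ print $2, $1 }'
}

# Usage: look for the keyword from the article's example.
echo "Matches for usb: $(count_matches "$SAMPLE_LOG" usb)"
hits_by_program "$SAMPLE_LOG" usb
```

Pointing the functions at the real file (for example `hits_by_program /var/log/messages usb`) gives the same summary on a live system.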

Way Forward

The above covers the basic principles of Linux logging. These log files underpin IT security monitoring capabilities and are used on an enterprise scale. The next articles will cover the use of ‘syslog’, which can be used to harvest log files for intrusion detection.