Essential Linux Log Files Every Sysadmin Should Monitor
This guide lists the most important Linux log files under /var/log, explains what each records, and shows practical commands for viewing and alerting on critical events such as system errors, authentication failures, kernel messages, and web server activity to improve troubleshooting and security.
In monitoring, business‑level metrics are crucial, but low‑level system logs provide the focused information needed for fast fault diagnosis. Linux stores its core logs in /var/log, and each file serves a specific purpose.
1. /var/log/syslog or /var/log/messages
These files capture a wide range of system messages from daemons, processes, and the kernel, acting as a comprehensive activity record. They are vital for diagnosing errors, warnings, and events such as out‑of‑memory conditions.
2. /var/log/auth.log or /var/log/secure
Authentication logs record successful and failed login attempts, permission changes, and other auth‑related events, making them essential for detecting unauthorized access. Example: grep "Failed password" /var/log/auth.log locates failed logins; the same string can serve as an alert keyword in a log monitor.
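The grep above finds the lines; what a practitioner usually wants next is the count per source address and a threshold to alert on. The script below is an added example, not code from the original article: the function names are ours, and the auth.log lines it parses are constructed sample data in the rsyslog layout used by Debian/Ubuntu (addresses from the RFC 5737 documentation ranges). Point the functions at /var/log/auth.log to run them on a real host.

```shell
#!/bin/sh
# Added example, not from the original article: summarise "Failed password"
# records from an auth.log-style file and flag source addresses that cross a
# threshold. Function names and the sample log lines are constructed here.

# failed_logins_by_source FILE
# For every sshd "Failed password ... from IP port N" record, print
# "COUNT IP", most frequent first.
failed_logins_by_source() {
    grep 'Failed password' "$1" \
        | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# flag_sources FILE THRESHOLD
# Print only the source IPs with at least THRESHOLD failures; this is the
# condition a cron job or monitoring check would alert on.
flag_sources() {
    failed_logins_by_source "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# make_sample_auth_log FILE
# Write constructed sample lines so the functions above can run offline.
# The sudo and "Accepted publickey" lines are there to show that only
# "Failed password" records are counted.
make_sample_auth_log() {
    cat > "$1" <<'EOF'
Mar  3 10:01:12 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Mar  3 10:01:15 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 50123 ssh2
Mar  3 10:01:19 host sshd[2103]: Failed password for root from 203.0.113.7 port 50125 ssh2
Mar  3 10:02:40 host sshd[2110]: Accepted publickey for alice from 198.51.100.20 port 41002 ssh2
Mar  3 10:03:02 host sshd[2114]: Failed password for bob from 198.51.100.20 port 41010 ssh2
Mar  3 10:03:30 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
EOF
}

# Stand-alone run: build the sample file, print the per-source summary, then
# the sources that would trigger an alert at three or more failures.
sample=$(mktemp)
make_sample_auth_log "$sample"
echo "Failed logins by source:"
failed_logins_by_source "$sample"
echo "Sources at or above threshold 3:"
flag_sources "$sample" 3
rm -f "$sample"
```

The threshold is deliberately a parameter: a low value on a busy jump host produces noise, while a high value on a quiet box hides a slow guess. Running flag_sources from cron against the live file and mailing any output is a minimal alert without extra tooling.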
3. /var/log/kern.log
Kern.log contains kernel messages, including hardware events and driver output, which are critical for diagnosing hardware‑related problems. The dmesg command also reads the kernel ring buffer; for example: dmesg -T | grep -i error shows kernel errors and can be used as an alert keyword.
4. /var/log/boot.log
Boot.log records the services and their statuses during system startup, helping to identify failed services or delays. Use: less /var/log/boot.log and search for "FAILED" or "ERROR" to pinpoint boot issues.
5. /var/log/dmesg
Dmesg logs messages from the kernel ring buffer, providing details about hardware components, drivers, and kernel initialization. It is valuable for hardware diagnostics and performance monitoring.
6. /var/log/cron
Cron logs track the execution of scheduled jobs, assisting in diagnosing task scheduling and execution problems.
7. /var/log/maillog or /var/log/mail.log
Mail logs capture email server activity, including delivery and errors. Monitoring them ensures reliable communication. Example: tail -f /var/log/maillog to watch for lines containing "error" or "failed".
8. /var/log/httpd/access.log or /var/log/apache2/access.log
Access logs record every request to an Apache web server, including IP, request type, and response status, providing insight into traffic patterns and potential security threats.
9. /var/log/httpd/error.log or /var/log/apache2/error.log
Error logs capture Apache configuration problems, application errors, and client‑related issues, essential for diagnosing web server and application failures.
10. /var/log/nginx/access.log
NGINX access logs contain the same kind of request details as Apache's. Real‑time monitoring with tail -f /var/log/nginx/access.log helps detect DDoS attacks or unauthorized access; tools like goaccess can visualize the data.
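Both the Apache access log (item 8) and the NGINX access log above use the same default "combined" line layout, so one set of commands covers both. The script below is an added example, not code from the article or from either project: the function names are ours, and the log lines are constructed sample data. It turns the "watch for DDoS or unauthorized access" advice into three concrete checks: response status classes, the busiest clients, and which clients are collecting 4xx/5xx responses.

```shell
#!/bin/sh
# Added example, not from the original article: summarise an Apache or NGINX
# access log written in the default "combined" format. Function names and the
# sample lines are constructed for this example.

# Field layout of a combined-format line under awk's default splitting:
#   $1 client IP, $4 "[date", $5 "zone]", $6 "\"METHOD", $7 path, $9 status
# This holds when the request line has exactly three tokens; a malformed
# request line (spaces in the path, a raw TCP probe) shifts the fields, so
# the status field is checked to be a three-digit number before it counts.

# status_class_summary FILE -> "2xx N", "4xx N", ... sorted by class
status_class_summary() {
    awk '$9 ~ /^[1-5][0-9][0-9]$/ { n[substr($9, 1, 1) "xx"]++ }
         END { for (c in n) print c, n[c] }' "$1" | sort
}

# top_clients FILE N -> "COUNT IP" for the N busiest client addresses
top_clients() {
    awk '{ print $1 }' "$1" | sort | uniq -c | sort -rn | head -n "$2" \
        | awk '{ print $1, $2 }'
}

# error_hits_by_client FILE -> "COUNT IP" of 4xx/5xx responses per client;
# one client producing a run of 404s is the usual sign of path probing.
error_hits_by_client() {
    awk '$9 ~ /^[45][0-9][0-9]$/ { n[$1]++ } END { for (ip in n) print n[ip], ip }' "$1" \
        | sort -rn
}

# noisy_clients FILE THRESHOLD -> IPs with at least THRESHOLD requests in the
# file; combine with a time window (e.g. the last rotated file or a
# tail of the live log) to get a rate rather than a lifetime total.
noisy_clients() {
    awk '{ print $1 }' "$1" | sort | uniq -c | awk -v t="$2" '$1 >= t { print $2 }'
}

# make_sample_access_log FILE
# Constructed sample: one client probing paths and collecting 404s, one
# normal client that hits a server error, one referred visitor.
make_sample_access_log() {
    cat > "$1" <<'EOF'
203.0.113.9 - - [03/Mar/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/8.4.0"
203.0.113.9 - - [03/Mar/2024:10:00:02 +0000] "GET /admin HTTP/1.1" 404 153 "-" "curl/8.4.0"
203.0.113.9 - - [03/Mar/2024:10:00:02 +0000] "GET /login HTTP/1.1" 404 153 "-" "curl/8.4.0"
203.0.113.9 - - [03/Mar/2024:10:00:03 +0000] "GET /config.bak HTTP/1.1" 404 153 "-" "curl/8.4.0"
203.0.113.9 - - [03/Mar/2024:10:00:03 +0000] "GET /backup.zip HTTP/1.1" 404 153 "-" "curl/8.4.0"
198.51.100.4 - - [03/Mar/2024:10:01:10 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.4 - - [03/Mar/2024:10:01:12 +0000] "POST /api/v1/orders HTTP/1.1" 500 87 "-" "Mozilla/5.0"
192.0.2.55 - - [03/Mar/2024:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "https://example.com/" "Mozilla/5.0"
EOF
}

# Stand-alone run against the constructed sample.
sample=$(mktemp)
make_sample_access_log "$sample"
echo "Responses by status class:"; status_class_summary "$sample"
echo "Top 3 clients:";             top_clients "$sample" 3
echo "4xx/5xx hits by client:";    error_hits_by_client "$sample"
echo "Clients with >= 5 requests:"; noisy_clients "$sample" 5
rm -f "$sample"
```

The same functions run unchanged on /var/log/apache2/access.log or /var/log/nginx/access.log as long as the server keeps the default combined format; a custom log_format or LogFormat that reorders fields requires adjusting the field numbers in the awk programs.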
11. /var/log/nginx/error.log
Error logs for NGINX record configuration errors, server faults, and client issues, aiding in rapid problem resolution.
12. /var/log/mysql.log or /var/log/mysql/error.log
MySQL logs track database queries, connections, and performance problems, crucial for database administration and troubleshooting.
13. /var/log/ufw.log
UFW logs record firewall allow/deny events, providing visibility into network security and potential intrusion attempts.
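UFW writes its allow/deny events as kernel netfilter log lines, tagged "[UFW BLOCK]" or "[UFW ALLOW]" and followed by key=value fields such as SRC=, DST=, PROTO= and DPT=. The script below is an added example, not code from the article or from the UFW project: the function names are ours and the log lines are constructed sample data. It counts blocked packets per source and, separately, how many distinct destination ports each source was blocked on, which distinguishes a port sweep from repeated attempts against one service.

```shell
#!/bin/sh
# Added example, not from the original article: summarise "[UFW BLOCK]" events
# from a ufw.log-style file. Function names and sample lines are constructed.

# ufw_blocks FILE -> only the lines UFW tagged as blocked (ALLOW lines and
# unrelated kernel messages are dropped)
ufw_blocks() {
    grep -F '[UFW BLOCK]' "$1"
}

# blocked_by_source FILE -> "COUNT SRC", most blocked first.
# The SRC= value is taken from wherever it sits on the line, since the
# number of fields before it varies with the interface and MAC fields.
blocked_by_source() {
    ufw_blocks "$1" \
        | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) n[substr($i, 5)]++ }
               END { for (s in n) print n[s], s }' \
        | sort -rn
}

# distinct_ports_by_source FILE -> "PORTS SRC": number of different DPT
# values blocked per source. Many ports from one source is the classic
# port-scan shape; one port hit repeatedly points at a service being guessed.
# ICMP lines carry no DPT and are skipped here (they still count above).
distinct_ports_by_source() {
    ufw_blocks "$1" \
        | awk '{ src = ""; dpt = ""
                 for (i = 1; i <= NF; i++) {
                     if ($i ~ /^SRC=/) src = substr($i, 5)
                     if ($i ~ /^DPT=/) dpt = substr($i, 5)
                 }
                 if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++ }
               END { for (s in ports) print ports[s], s }' \
        | sort -rn
}

# make_sample_ufw_log FILE
# Constructed sample: one source sweeping four TCP ports (22 twice) plus an
# ICMP echo, one allowed HTTPS connection, and one unrelated blocked SSH try.
make_sample_ufw_log() {
    cat > "$1" <<'EOF'
Mar  3 10:05:01 host kernel: [ 1234.567890] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.7 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54321 PROTO=TCP SPT=54123 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:05:01 host kernel: [ 1234.570000] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.7 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54322 PROTO=TCP SPT=54123 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:05:02 host kernel: [ 1235.000000] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.7 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54323 PROTO=TCP SPT=54123 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:05:02 host kernel: [ 1235.200000] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.7 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54324 PROTO=TCP SPT=54123 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:05:05 host kernel: [ 1238.000000] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.7 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54325 PROTO=TCP SPT=54124 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:05:06 host kernel: [ 1239.000000] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.7 DST=198.51.100.10 LEN=84 TOS=0x00 PREC=0x00 TTL=244 ID=54326 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Mar  3 10:06:30 host kernel: [ 1323.000000] [UFW ALLOW] IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.0.2.40 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=10 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:07:00 host kernel: [ 1353.111111] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=198.51.100.33 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=777 PROTO=TCP SPT=3999 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
EOF
}

# Stand-alone run against the constructed sample.
sample=$(mktemp)
make_sample_ufw_log "$sample"
echo "Blocked packets by source:";   blocked_by_source "$sample"
echo "Distinct blocked ports by source:"; distinct_ports_by_source "$sample"
rm -f "$sample"
```

On a real host run the functions against /var/log/ufw.log (or /var/log/syslog and kern.log, which receive the same kernel lines when UFW logging is enabled). Note that UFW's default "low" log level only records blocked packets that match a logging rule, so a quiet file does not by itself mean nothing was dropped.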
14. /var/log/audit/audit.log
Audit logs contain detailed records from the audit daemon for security auditing and compliance. Tools such as ausearch and aureport can search this log and generate reports from it.
15. /var/log/daemon.log
Daemon logs capture messages from background services, helping monitor the health and performance of system daemons.
16. /var/log/btmp
Btmp records failed login attempts, providing evidence of unauthorized access attempts. View them with:
lastb
17. /var/log/wtmp
Wtmp logs record login and logout events, useful for tracking user activity and detecting anomalies. View history with:
last
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)
