Essential Linux Log Files Every Sysadmin Should Monitor
The article outlines the most important Linux log files located under /var/log, explains what each records—from system messages and authentication attempts to web server activity—and provides practical commands for viewing and alerting on critical entries to improve troubleshooting and security monitoring.
In monitoring, the primary focus is on business‑critical metrics, but lower‑level system logs also play a vital role by surfacing key information that speeds up fault diagnosis. This guide lists common Linux log files, describes their purpose, and suggests command‑line techniques for inspection and alerting.
/var/log/syslog or /var/log/messages
These files capture a wide range of system messages from daemons, kernel, and other processes, serving as a comprehensive record of system activity. They are essential for diagnosing errors, warnings, and events such as out‑of‑memory (OOM) conditions that affect stability and performance.
/var/log/auth.log or /var/log/secure
Authentication logs record successful and failed login attempts, permission changes, and other identity‑related events. They are crucial for detecting unauthorized access. Example command to view failed logins:
grep "Failed password" /var/log/auth.log
Use the keyword Failed password to create alert rules.
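The grep above finds the lines; turning them into an alert rule means counting failures per source. The script below is an added example (not from the original article): it extracts the source IP from sshd "Failed password" lines, counts them, and flags sources at or above a threshold. The log lines are constructed sample data written to a temporary file; point the functions at /var/log/auth.log on a real host.

```shell
#!/bin/sh
# Added example: per-source failed-login counts and a threshold alert.
# The sample lines below are constructed, not taken from a real host.

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:01:12 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:01:15 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51235 ssh2
Mar  3 10:01:19 host sshd[2103]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar  3 10:02:01 host sshd[2110]: Accepted publickey for alice from 198.51.100.4 port 40022 ssh2
Mar  3 10:02:44 host sshd[2115]: Failed password for bob from 198.51.100.9 port 40100 ssh2
Mar  3 10:03:00 host CRON[2120]: pam_unix(cron:session): session opened for user root by (uid=0)
EOF

# failed_by_ip LOGFILE
# Prints "COUNT IP" for each source that produced a "Failed password" line,
# most frequent first. The IP is the field after "from", which also works
# for the "invalid user" variant of the message.
failed_by_ip() {
    grep 'Failed password' "$1" \
      | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2 }'
}

# alert_sources LOGFILE THRESHOLD
# Prints only the IPs whose failure count is >= THRESHOLD; this is the
# condition a monitoring rule would fire on.
alert_sources() {
    failed_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Stand-alone run: show the counts, then the sources that trip a threshold of 3.
failed_by_ip "$SAMPLE_LOG"
alert_sources "$SAMPLE_LOG" 3
```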
/var/log/kern.log
Kern.log contains kernel messages, including hardware events and driver information, making it indispensable for diagnosing hardware‑related issues.
Kernel logs can also be inspected with:
dmesg -T | grep -i error
Use the keyword error for alerts.
/var/log/boot.log
Boot.log records events during system startup, helping identify failed services or delays. View it with:
less /var/log/boot.log
Search for lines containing “FAILED” or “ERROR”.
/var/log/dmesg
This log reflects the kernel ring buffer, providing details on hardware components, drivers, and initialization, useful for hardware diagnostics and performance monitoring.
/var/log/cron
Cron logs track scheduled task execution, aiding in troubleshooting task scheduling and execution problems.
/var/log/maillog or /var/log/mail.log
Mail logs capture email server activity, including delivery and errors, essential for ensuring reliable communication.
Monitor with:
tail -f /var/log/maillog
Search for “error” or “failed”.
/var/log/httpd/access.log or /var/log/apache2/access.log
Access logs record every request to an Apache web server, providing IP addresses, request types, and response codes. They are valuable for traffic analysis and security threat detection.
/var/log/httpd/error.log or /var/log/apache2/error.log
Error logs capture Apache configuration issues, application errors, and client‑related problems, crucial for maintaining web service reliability.
/var/log/nginx/access.log
NGINX access logs contain request details similar to Apache's, useful for understanding traffic patterns and identifying attacks such as DDoS.
Real‑time monitoring example:
tail -f /var/log/nginx/access.log
Tools like goaccess can provide visual analysis.
/var/log/nginx/error.log
This log records NGINX errors, including configuration and server issues, aiding in rapid problem resolution.
/var/log/mysql.log or /var/log/mysql/error.log
MySQL logs track database server activity and errors, essential for database management and performance troubleshooting.
/var/log/ufw.log
UFW logs record firewall allow/deny events, helping monitor network security and detect unauthorized access attempts.
Example: use tail -f /var/log/ufw.log to watch for repeated denied entries from the same source IP.
/var/log/audit/audit.log
Audit logs provide detailed records from the audit daemon for security auditing and compliance, offering a comprehensive view of system changes.
Search and report with:
ausearch
aureport
/var/log/daemon.log
Daemon logs capture messages from background services, useful for monitoring service health and performance.
/var/log/btmp
Btmp records failed login attempts, aiding in security monitoring. View with:
lastb
/var/log/wtmp
Wtmp logs record login and logout events, helping track user activity and detect anomalies. View with:
last
Regular review of these logs enhances system reliability, performance, and security.
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge: fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc.