Understanding Linux Inodes, File Operations, and System Logging

Linux File System

Inode Table Structure

Each inode record stores the following information: inode number, file type, permissions, UID, GID, link count, file size and timestamps, data block pointers, and other metadata.

ls -i: view inode number

stat: view device inode number

#stat shows device change time.

Three timestamps are recorded:

atime – last time the file was accessed.

mtime – last time the file content was modified (also updates ctime).

ctime – last time the file metadata (e.g., permissions) was changed.

The inode table also occupies disk space.

cp and inode

Allocate a free inode number and create a new entry in the inode table.

Create a directory entry linking the name to the inode.

Copy data to generate a new file.

rm and inode

Decrement the hard‑link count; the freed inode can be reused.

Place the data blocks on the free list.

Remove the directory entry.

Data is not immediately deleted; it is overwritten when another file reuses the blocks.

mv and inode

If the source and destination are on the same device, the inode table (except timestamps) and data block locations remain unchanged; only directory entries are updated.

Hard links vs. soft links

Hard links share the same inode as the original file; soft (symbolic) links have a different inode and store a path to the target.

Hard links cannot be created for directories, while soft links can. Deleting the original file reduces the hard‑link count but does not affect access; a soft link becomes broken.

Logs

Kernel and system logs are managed by the rsyslog service according to the main configuration file /etc/rsyslog.conf. Most server logs are stored under /var/log/.

Log entry format typically includes: timestamp, hostname, service/program name, and the message details.

Common log files

/var/log/messages – core system log with boot information, I/O, network errors, and user activity.

/var/log/cron – records cron job activity.

/var/log/dmesg – kernel boot messages (also viewable with the dmesg command).

/var/log/maillog – mail server logs.

/var/log/lastlog – binary file storing the last login time of each user (view with lastlog).

/var/log/secure – authentication and authorization events such as logins, sudo usage, and password changes.

/var/log/wtmp – binary record of all login/logout events and system reboots (view with last).

/var/log/ulmp – current logged‑in users (view with who, w, or users).

The Linux kernel assigns priority levels 0–7 (EMERG to DEBUG) to log messages.

User logs

Binary logs such as wtmp, btmp, and lastlog store login and logout events and must be read with dedicated commands.

who

Displays each currently logged‑in user, terminal type, login date, and remote host.

w

Shows each user and the processes they are running.

user

Simply outputs the current logged‑in user.

last

Lists records of successful logins.

lastb

Lists records of failed login attempts.

Experiment: Centralized Log Server

Configure rsyslog to listen on TCP port 514, uncomment the relevant lines in /etc/rsyslog.conf, restart the rsyslog service, and point client machines to send all logs to the server’s IP address.

After restarting the rsyslog service on both server and client, the server successfully receives logs from the client.