Linux Logs
Log Locations
Most logs live under /var/log/. Systems running systemd keep a binary journal queried with journalctl, either instead of or alongside the traditional text log files listed below.
System logs
| Log file | Purpose |
|---|---|
| /var/log/syslog | General system activity (Debian/Ubuntu) |
| /var/log/messages | General system activity (RHEL/CentOS) |
| /var/log/dmesg | Kernel ring buffer: hardware, drivers, boot messages |
| /var/log/kern.log | Kernel messages |
| /var/log/boot.log | Boot process output |
Authentication & security
| Log file | Purpose |
|---|---|
| /var/log/auth.log | Authentication events: logins, sudo, SSH (Debian/Ubuntu) |
| /var/log/secure | Same purpose (RHEL/CentOS) |
| /var/log/faillog | Failed login attempts |
| /var/log/lastlog | Last login for each user (binary, read with lastlog) |
| /var/log/wtmp | Login/logout records (binary, read with last) |
| /var/log/btmp | Failed login records (binary, read with lastb) |
Services
| Log file | Purpose |
|---|---|
| /var/log/apache2/ | Apache access and error logs |
| /var/log/nginx/ | Nginx access and error logs |
| /var/log/mysql/ | MySQL/MariaDB logs |
| /var/log/mail.log | Mail server logs |
| /var/log/cron.log | Cron job execution (or grep CRON /var/log/syslog) |
| /var/log/ufw.log | UFW firewall logs |
Package management
| Log file | Purpose |
|---|---|
| /var/log/dpkg.log | Package install/remove (Debian/Ubuntu) |
| /var/log/yum.log | Package activity (RHEL/CentOS) |
| /var/log/apt/ | APT activity logs |
Reading Logs
Tail and follow
Section titled “Tail and follow”tail -f /var/log/syslog # Follow in real-timetail -n 50 /var/log/auth.log # Last 50 linesGrep for patterns
Section titled “Grep for patterns”grep "Failed password" /var/log/auth.loggrep "sshd" /var/log/auth.log | tail -20grep -i "error" /var/log/syslog | grep "$(date +%b\ %d)"Binary logs
Section titled “Binary logs”last # Login history (reads /var/log/wtmp)last -n 10 # Last 10 loginslastb # Failed logins (reads /var/log/btmp, root only)lastlog # Last login per user (reads /var/log/lastlog)who # Currently logged-in usersw # Currently logged-in users with activityjournalctl (systemd)
On systemd-based systems, journalctl queries the systemd journal, which aggregates log output from all services and the kernel.
```sh
journalctl # All journal entries
journalctl -f # Follow in real-time
journalctl -u sshd # Logs for a specific service
journalctl -u nginx --since "1 hour ago"
journalctl -p err # Only errors and more severe
journalctl --since "2026-03-01" --until "2026-03-02"
journalctl -b # Current boot only
journalctl -b -1 # Previous boot
journalctl _UID=1000 # Logs from a specific user
journalctl --disk-usage # How much space the journal uses
```

Priority levels, from most to least severe: emerg, alert, crit, err, warning, notice, info, debug.
Logs for Security Auditing
Quick checks during recon or incident response:

```sh
# SSH brute force attempts
grep "Failed password" /var/log/auth.log | wc -l

# Successful SSH logins
grep "Accepted" /var/log/auth.log

# sudo usage
grep "sudo" /var/log/auth.log

# User creation/modification
grep "useradd\|usermod\|passwd" /var/log/auth.log

# Cron activity
grep "CRON" /var/log/syslog

# Recently modified files in sensitive locations
find /etc -mtime -1 -type f 2>/dev/null
```

Log Rotation
Logs are rotated (compressed, archived, eventually deleted) by logrotate:
```sh
cat /etc/logrotate.conf # Global config
ls /etc/logrotate.d/ # Per-service configs
```

Rotated logs are typically named syslog.1, syslog.2.gz, etc. Check rotated files too when investigating.
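The auditing checks above and the advice to include rotated files, combined into one runnable script. This is an added example, not code from the original page: it counts failed SSH password attempts per source address across the live auth.log and every logrotate copy (auth.log.1, auth.log.2.gz, ...), flags sources above a threshold, and lists successful logins. It assumes the Debian/Ubuntu sshd message format and logrotate's default naming; the log lines and the temporary directory are constructed sample data, so nothing on the real system is read.

```shell
#!/bin/sh
# Added example (not from the original page): summarise failed SSH password
# attempts by source address across the live auth.log AND its logrotate copies.
# Everything under $LOGDIR is constructed sample data in Debian/Ubuntu sshd
# format; no real log is touched.

LOGDIR=$(mktemp -d)
trap 'rm -rf "$LOGDIR"' EXIT

printf '%s\n' \
  'Mar  3 10:01:12 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2' \
  'Mar  3 10:01:19 host sshd[1205]: Failed password for root from 203.0.113.5 port 51041 ssh2' \
  'Mar  3 10:02:40 host sshd[1212]: Accepted password for alice from 198.51.100.7 port 40220 ssh2' \
  'Mar  3 10:03:01 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update' \
  > "$LOGDIR/auth.log"
printf '%s\n' \
  'Mar  2 08:00:01 host sshd[200]: Failed password for root from 203.0.113.5 port 42000 ssh2' \
  'Mar  2 08:00:05 host sshd[201]: Failed password for alice from 198.51.100.7 port 43000 ssh2' \
  > "$LOGDIR/auth.log.1"
printf '%s\n' \
  'Mar  1 08:00:01 host sshd[100]: Failed password for root from 203.0.113.5 port 44000 ssh2' \
  > "$LOGDIR/auth.log.2"
gzip "$LOGDIR/auth.log.2"   # now auth.log.2.gz, as logrotate's "compress" option produces

# cat_rotated LOGFILE: stream the live log and every rotation (LOGFILE.N, LOGFILE.N.gz)
# to stdout; compressed rotations are decompressed on the fly.
cat_rotated() {
    base=$1
    for f in "$base" "$base".[0-9]* ; do
        [ -f "$f" ] || continue
        case "$f" in
            *.gz) gzip -dc "$f" ;;
            *)    cat "$f" ;;
        esac
    done
}

# failed_by_ip LOGFILE: "count address" per source, most frequent first.
# Assumes the sshd message format shown above (the token after "from" is the address).
failed_by_ip() {
    cat_rotated "$1" \
        | grep "Failed password" \
        | sed -n 's/.* from \([^ ]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{print $1, $2}'
}

# suspicious_sources LOGFILE THRESHOLD: addresses with at least THRESHOLD failures.
suspicious_sources() {
    failed_by_ip "$1" | awk -v t="$2" '$1 >= t {print $2}'
}

# accepted_logins LOGFILE: "user address" for every successful login (password or publickey).
accepted_logins() {
    cat_rotated "$1" | sed -n 's/.*Accepted [a-z]* for \([^ ]*\) from \([^ ]*\) port .*/\1 \2/p'
}

echo "Failed password attempts per source (all rotations):"
failed_by_ip "$LOGDIR/auth.log"
echo "Sources at or above 3 failures:"
suspicious_sources "$LOGDIR/auth.log" 3
echo "Successful logins:"
accepted_logins "$LOGDIR/auth.log"
```

Point the three functions at a real path (for example /var/log/auth.log, or /var/log/secure on RHEL-style systems) to run the same summary on a host; the threshold is a tuning knob, and a source that appears in both the failed and the accepted lists is the pattern worth reading in full.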