User Tools

Site Tools


Log Files

Log files are a important resource on Linux systems if it comes to debugging or system analyzes.

View log files using any one of the following command:

tail /var/log/vsftpd.log
tail -n 100 /var/log/secure
tail -f /var/log/messages
less /var/log/httpd/access_log
vi /var/log/wtmp

Common Linux log files name and usage

/var/log/message General message and system related stuff
/var/log/auth.log Authentication logs
/var/log/kern.log Kernel logs
/var/log/cron.log Crond logs (cron job)
/var/log/maillog Mail server logs
/var/log/httpd/ Apache access and error logs directory
/var/log/boot.log System boot log
/var/log/mysqld.log MySQL database server log file
/var/log/secure Authentication log
/var/log/yum.log Yum log files
/var/log/wtmp Login records file


Logwatch is a customizable, pluggable log-monitoring system. It will go through your logs for a given period of time and make a report in the areas that you wish with the detail that you wish.

Logwatch can be configured to send daily system reports (Red Hat standard setup). Usually configured under /etc/cron.daily/

Example usage

logwatch --print --service sshd --range today --detail 1  
logwatch --print --service http --range yesterday  --detail  high
logwatch  --mailto --service named --range all --detail  low

Managing log files with logrotate

The Linux utility logrotate renames and reuses system error log files on a periodic basis so that they don't occupy excessive disk space.

The /etc/logrotate.conf File

This is logrotate's general configuration file in which you can specify the frequency with which the files are reused.

  • You can specify either a weekly or daily rotation parameter. In the case below the weekly option is commented out with a #, allowing for daily updates.
  • The rotate parameter specifies the number of copies of log files logrotate will maintain. In the case below the 4 copy option is commented out with a #, while allowing 7 copies.
  • The create parameter creates a new log file after each rotation

Therefore, our sample configuration file will create daily archives of all the logfiles and store them for seven days. The files will have the following names with, logfile being current active version:


Sample Contents of /etc/logrotate.conf

# rotate log files weekly

# rotate log files daily

# keep 4 weeks worth of backlogs
#rotate 4

# keep 7 days worth of backlogs
rotate 7

# create new (empty) log files after rotating old ones

The /etc/logrotate.d Directory

Most Linux applications that use syslog will put an additional configuration file in this directory to specify the names of the log files to be rotated. It is a good practice to verify that all new applications that you want to use the syslog log have configuration files in this directory. Here are some sample files that define the specific files to be rotated for each application.

Here is an example of a custom file located in this directory that rotates files with the .tgz extension which are located in the /data/backups directory. The parameters in this file will override the global defaults in the /etc/logrotate.conf file. In this case, the rotated files won't be compressed, they'll be held for 30 days only if they are not empty, and they will be given file permissions of 600 for user root.

/data/backups/*.tgz {

   rotate 30
   create 0600 root root

Example config for apache

  • daily
    • rotate daily
  • missingok
    • no error if no log file found
  • rotate 14
    • keep logs for 14 days
  • notifempty
    • don't rotate empty files
  • compress
    • compress log files (gzip)
  • delaycompress
    • wait one day before compressing log files (don't compress yesterdays files)
  • sharedscripts
    • Run any given prerotate or postrotate script for each logfile individually
  • postrotate / endscript
    • Anything between these is executed after the rotation process. Opposite : prerotate
  • /sbin/service httpd reload > /dev/null 2>/dev/null || true
    • Reload apache service
/var/log/httpd/*log {
    rotate 14
        /sbin/service httpd reload > /dev/null 2>/dev/null || true
In Debian / Ubuntu systems the /etc/cron.daily/sysklogd script reads the /etc/rsyslog.conf file and rotates any log files it finds configured there. This eliminates the need to create log rotation configuration files for the common system log files in the /etc/logrotate.d directory. As the script resides in the /etc/cron.daily directory it automatically runs every 24 hours. In Fedora / Redhat systems this script is replaced by the /etc/cron.daily/logrotate daily script which does not use the contents of the syslog configuration file, relying mostly on the contents of the /etc/logrotate.d directory.
/srv/ · Last modified: 2009/08/15 12:14 (external edit)