Ubuntu server logs

By definition a logfile is a file:

• that records operating system events
• software events
• messages between different users of a communication software.

Logging is the act of keeping a log file and usually these log files have the .log extension, or log.1, log.2 and even log.1.gz, log.2.gz if they are compressed, but may be without the extension.

In Ubuntu log files are typically inside /var/log folder.

Installations and package log files

/var/log/apt folder has the history.log log file that keeps all the package installation and removal information. The other file in the same folder is term.log. You can control logging to the term.log via /etc/apt/apt.conf (Dir::Log::Terminal “”). term.log has terminal output when you worked with the apt command.

/var/log/dpkg.log is very interesting,  and related to the dpkg tool. The apt system depends on dpkg for package installation and removal.

Another Ubuntu folder /var/log/dist-upgrade has apt.log file containing logs during distribution upgrades.

/var/log/installer folder if there is one, will contain the log files created during the installation.

/var/log/alternatives.log is the history of all the alternatives set by various packages and their removal via the update-alternatives command.

System report log files

/var/log/apport.log saves information about crashes in your system and reporting them.

/var/log/auth.log includes information about the authentication activities such as when you authenticate as root user via sudo.

The other very important system log files are boot.log and kern.log (/var/log/boot.log and /var/log/kern.log)

boot.log induces system booting information, and kern.log has kernel info, warnings, and errors.

Logs without the .log extension

There are also log files that do not have the .log extension.

/var/log/udev for instance, brings details about hardware setup.

/var/log/dmesg has the logs from the dmesg command. You can use dmesg to see how the computer crashed, or to check how your firewall is doing. Reading /var/log/dmesg to check the time of the logs is probable not the best idea, since the format is human un-readable. For the human readable format you should use dmesg -T from the command line.

Interesting, dmesg does not read from /var/log/dmesg. It reads directly from the kernel ring buffer and gives you the most recent N messages. More precise in the end of the boot process, dmesg is called  to write the boot messages to /var/log/dmesg (with older versions of that file being rotated in the usual manner).

• /var/log/dmesg (live and uncompressed)
• /var/log/dmesg.0 (last session and uncompressed)
• /var/log/dmesg.1.gz
• /var/log/dmesg.2.gz
• /var/log/dmesg.3.gz
• /var/log/dmesg.4.gz

If you really like to read .gz files you can use zcat, ztop, zless, zmore commands.

(Please don’t confuse ztop with the famous zz-top band)

Once you have a syslog running (syslogd, rsyslogd, syslog-ng, etc.) it reads from the kernel buffer and writes to a file such as /var/log/kern.log. Assuming your system was able to write to disk and flush the disk buffers before it crashed, that is where you will find the dying screams of the kernel.

Web server logs files

The most important for the web server are access.log and error.log files. For my favorite web server Nginx, I use /var/log/nginx/access.log, and /var/log/nginx/error.log, but these are typically set in the Nginx configuration file.