Linux System Logs

Synopsis

This page contains example patterns for Linux system logs, covering authorization mechanisms, system daemons, system messages, and the all-encompassing system log itself, syslog.
The Linux system provides vital information through various system log files. These log files are typically plain ASCII text in a standard log file format, and most of them sit in the traditional system log subdirectory /var/log.
System logs deal primarily with the functioning of the Linux system, not necessarily with additional applications added by users.

Examples

Example 1 - Authorization Log:

The Authorization Log tracks usage of authorization systems, the mechanisms for authorizing users that prompt for user passwords, such as the Pluggable Authentication Module (PAM) system, the sudo command, remote logins to sshd, and so on. The Authorization Log file may be accessed at /var/log/auth.log. This log is useful for learning about user logins and usage of the sudo command.

Authorization Log Sample: 

Dec 22 06:25:09 pizza1 CRON[27336]: pam_unix(cron:session): session closed for user root
Dec 22 06:25:23 pizza1 sshd[32006]: Accepted password for xplg from 10.0.0.124 port 62880 ssh2
Dec 22 06:25:23 pizza1 sshd[32006]: pam_unix(sshd:session): session opened for user xplg by (uid=0)

Authorization Log Pattern: 

{date:Date,locale=en,MMM dd HH:mm:ss} {text:Host} {text:Process Name}[{number:Process Id}]: {text:Message}

Example 2 - System Log:

The System Log typically contains the greatest amount of information by default about your Linux system. It is located at /var/log/syslog, and may contain information other logs do not. You should consult the System Log when you can't locate the desired log information in another log.

System Log Sample:

Jan  6 06:35:01 pizza1 CRON[29271]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)

Jan  6 06:39:05 pizza1 postfix/sendmail[4506]: fatal: open /etc/postfix/main.cf: No such file or directory

Jan  6 06:39:05 pizza1 CRON[14731]: (root) MAIL (mailed 1 byte of output; but got status 0x004b, #012)

System Log Pattern: 

{date:Date,locale=en,MMM dd HH:mm:ss} {text:Host} {text:Process Name}[{number:Process Id}]: {text:Message}

Example 3 - Messages Log:

The Messages log contains informational messages from applications and system facilities, and is available at /var/log/messages. This log is useful for examining message output from applications and system facilities, including mail, cron, daemon, kern, auth, etc.

Messages Log Sample:

Aug 17 04:02:05 serverlinux syslog-ng[23102]: Configuration reload request received, reloading configuration;

Aug 17 04:02:06 serverlinux syslog-ng[23102]: Syslog connection failed; fd='14', server='AF_INET(10.0.0.101:2000)', error='No route to host (113)', time_reopen='60'

Aug 17 04:02:22 serverlinux sshd(pam_unix)[27814]: session opened for user root by root(uid=0)

Messages Log Pattern: 

{date:Date,locale=en,MMM dd HH:mm:ss} {text:Host} {text:Process Name}[{number:Process Id}]: {text:Message}
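
The pattern shared by the three examples above can be checked outside the product with a regular expression. The following Python sketch is an added example, not part of the original templates: it parses lines into the pattern's fields and lists successful sshd logins from auth.log lines. The function names and the year value are assumptions, since the log timestamp carries no year.

```python
import re
from datetime import datetime

# Regex form of the page's pattern:
# {date} {Host} {Process Name}[{Process Id}]: {Message}
LINE_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "  # day may be space-padded
    r"(?P<host>\S+) "
    r"(?P<process>[^\[\s]+)\[(?P<pid>\d+)\]: "  # allows postfix/sendmail, sshd(pam_unix)
    r"(?P<message>.*)$"
)
# Matched only at the start of the message, so the phrase appearing later in a
# message body is not counted as a login.
ACCEPTED_RE = re.compile(
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)

def parse_line(line, year):
    """Return a dict of the pattern's fields, or None if the line does not fit.
    The timestamp has no year, so the caller supplies one (assumption)."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None  # e.g. lines without a [pid], which the pattern requires
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    # %b expects English month names, matching locale=en in the pattern.
    rec["time"] = datetime.strptime(f"{year} {rec.pop('date')}", "%Y %b %d %H:%M:%S")
    return rec

def accepted_logins(lines, year):
    """List successful sshd logins (user, source, method) found in auth.log lines."""
    found = []
    for line in lines:
        rec = parse_line(line, year)
        if rec is None or rec["process"] != "sshd":
            continue
        m = ACCEPTED_RE.match(rec["message"])
        if m:
            found.append({"time": rec["time"], "host": rec["host"], **m.groupdict()})
    return found

# Sample lines from this page, plus one constructed line that does not fit the pattern.
SAMPLE = [
    "Dec 22 06:25:09 pizza1 CRON[27336]: pam_unix(cron:session): session closed for user root",
    "Dec 22 06:25:23 pizza1 sshd[32006]: Accepted password for xplg from 10.0.0.124 port 62880 ssh2",
    "Jan  6 06:39:05 pizza1 postfix/sendmail[4506]: fatal: open /etc/postfix/main.cf: No such file or directory",
    "Aug 17 04:02:22 serverlinux sshd(pam_unix)[27814]: session opened for user root by root(uid=0)",
    "this constructed line has no timestamp or pid",
]
YEAR = 2023  # constructed value; choose the year the log file was written

if __name__ == "__main__":
    for hit in accepted_logins(SAMPLE, YEAR):
        print(hit)
```

Lines that return None from parse_line are worth counting during review, because a rising number of unparsed lines usually means the log format on the host differs from the template.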

Links

Template applying instructions:

  1. Download the templates - Linux System - Templates

  2. Import the templates (see Importing a Template)

  3. Apply the templates on multiple logs (see Applying a Template on Multiple Logs)