Linux Log Planning
Updated date: 2024-10-05
Linux (Ubuntu)
Create persistent log location
$ sudo lsblk
...
nvme0n1                   259:0    0 931.5G  0 disk
├─nvme0n1p1               259:1    0     1G  0 part /boot/efi
├─nvme0n1p2               259:2    0     2G  0 part /boot
└─nvme0n1p3               259:3    0 928.5G  0 part
  └─ubuntu--vg-ubuntu--lv 253:0    0 514.2G  0 lvm  /
...
$ sudo lvcreate --name log-data -L 20G ubuntu-vg
$ sudo mkfs.ext4 /dev/ubuntu-vg/log-data
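The two commands above create and format the volume but do not yet put /var/log on it. The script below is an added example, not part of the original notes: it copies the existing logs onto the new volume, mounts it at /var/log with nodev,nosuid,noexec, and makes journald keep its journal on disk. The LV and VG names are taken from the notes; the SystemMaxUse value and the drop-in file name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original notes): put /var/log on the
# ubuntu-vg/log-data volume created above and make journald persistent.
# LV/VG names come from the notes; SystemMaxUse is an assumed value.
set -eu

LOG_LV="/dev/ubuntu-vg/log-data"
MOUNT_POINT="/var/log"

# Nothing on a log volume should be executable, setuid or a device node,
# so mount it with nodev,nosuid,noexec.
log_fstab_entry() {
    printf '%s %s ext4 defaults,noatime,nodev,nosuid,noexec 0 2\n' "$1" "$2"
}

# Copy the current /var/log onto the new filesystem while the loggers are
# stopped, then switch the mount over (run as root).
migrate_var_log() {
    tmp_mount="$(mktemp -d)"
    mount "$LOG_LV" "$tmp_mount"
    systemctl stop rsyslog systemd-journald
    rsync -aHAX "$MOUNT_POINT"/ "$tmp_mount"/
    umount "$tmp_mount"
    log_fstab_entry "$LOG_LV" "$MOUNT_POINT" >> /etc/fstab
    mount "$MOUNT_POINT"
    systemctl start systemd-journald rsyslog
}

# journald drop-in: keep the journal under /var/log/journal instead of the
# volatile /run/log/journal, capped so it cannot fill the log volume.
journald_persistent_config() {
    printf '[Journal]\nStorage=persistent\nSystemMaxUse=2G\n'
}

apply_journald_config() {
    mkdir -p /etc/systemd/journald.conf.d
    journald_persistent_config > /etc/systemd/journald.conf.d/10-persistent.conf
    systemctl restart systemd-journald
}

# Only touch the system when explicitly asked; sourcing the file just
# defines the functions.
if [ "${1:-}" = "apply" ]; then
    migrate_var_log
    apply_journald_config
fi
```

Run it as `sudo sh script.sh apply`; after a reboot, `findmnt /var/log` should show the LV and `journalctl --list-boots` should show earlier boots.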
Log list
Under the /var/log directory there are several logs generated by the system. The following are present by default on this host:
- alternatives.log
- apport.log
- apt/
  - history.log
  - term.log
  - eipp.log
- auth.log
- bootstrap.log
- btmp
- cloud-init.log
- cloud-init-output.log
- dist-upgrade/
- dmesg
- dpkg.log
- faillog
- fontconfig.log
- installer/
  - autoinstall-user-data
  - block/ (discover.log, probe-data.json)
  - casper-md5check.json
  - cloud-init.log, cloud-init-output.log
  - curtin-install/ (subiquity-curthooks.conf, subiquity-extract.conf, subiquity-initial.conf, subiquity-partitioning.conf)
  - curtin-install.log
  - device-map.json
  - installer-journal.txt
  - media-info
  - subiquity-client-debug.log, subiquity-client-info.log, subiquity-server-debug.log, subiquity-server-info.log (each a symlink to its numbered copy, e.g. subiquity-client-debug.log.2228)
  - subiquity-curtin-apt.conf
- journal/
  - <machine-id>/ (system.journal, user-1000.journal and their rotated system@... and user-1000@... archives)
- kern.log
- landscape/
  - sysinfo.log
- lastlog
- mail.err
- mail.log
- syslog
- ubuntu-advantage.log
- unattended-upgrades/
  - unattended-upgrades.log (plus rotated .1.gz to .6.gz)
  - unattended-upgrades-dpkg.log (plus rotated .1.gz to .6.gz)
  - unattended-upgrades-shutdown.log (plus rotated .1.gz to .3.gz)
- wtmp
Define what logs should be stored and monitored
- System log
  - Purpose: Records general system activity and provides insight into system errors, warnings and notifications. It is essential for system health monitoring.
  - Location: /var/log/syslog
- Authentication Log
  - Purpose: Logs all authentication attempts, including user logins, SSH access and sudo usage. It is crucial for monitoring unauthorized access attempts.
  - Location: /var/log/auth.log
- Kernel Log
  - Purpose: Contains messages from the Linux kernel. Useful for debugging hardware issues, kernel panics and driver issues.
  - Location: /var/log/kern.log
- Boot Log
  - Purpose: Logs messages related to the system boot process. Helps diagnose boot issues and shows which services start or fail during boot.
  - Location: /var/log/boot.log
- Fail2ban Log
  - Purpose: Fail2ban monitors for and bans IPs that appear to be brute-forcing logins. Its log records those IPs and every ban and unban.
  - Location: /var/log/fail2ban.log
- Dmesg Log
  - Purpose: Contains diagnostic messages from the kernel, often hardware-related. This is a live log that does not persist after a reboot.
- Journalctl (Systemd Logs)
  - Purpose: Modern Linux distributions using systemd log everything to the journal, which centralizes system, service and application logs.
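Once the plan above is in place, it is worth checking it periodically. The script below is an added example, not part of the original notes: it walks the planned file-based logs, reports any that are missing or readable by users outside root/adm, and checks that the journal directory is persistent. The log names come from the plan above; fail2ban.log will show as MISSING on hosts where fail2ban is not installed.

```shell
#!/bin/sh
# Added example, not part of the original notes: audit the log plan above.
# Report whether each planned log exists and whether "other" can read it.
set -eu

LOG_ROOT="${LOG_ROOT:-/var/log}"

# Plan entries that are plain files under /var/log; dmesg is volatile and
# the journal is checked separately below.
planned_logs() {
    printf '%s\n' syslog auth.log kern.log boot.log fail2ban.log
}

# Succeeds when "other" has no read bit. auth.log records usernames and
# failed logins, so it should stay root:adm 0640 like the rest.
not_world_readable() {
    case "$(stat -c '%a' "$1")" in
        *[4567]) return 1 ;;
        *)       return 0 ;;
    esac
}

# One status line per planned log; the return value is the number of
# problems found (missing or exposed), so a cron job can alert on non-zero.
audit_log_plan() {
    root="$1"; problems=0
    for log in $(planned_logs); do
        path="$root/$log"
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; problems=$((problems + 1))
        elif ! not_world_readable "$path"; then
            echo "EXPOSED  $path ($(stat -c '%a %U:%G' "$path"))"
            problems=$((problems + 1))
        else
            echo "OK       $path"
        fi
    done
    return "$problems"
}

# journald keeps logs across reboots only when /var/log/journal exists and
# is populated (or Storage=persistent is configured).
journal_is_persistent() {
    [ -d "$1/journal" ] && [ -n "$(ls -A "$1/journal" 2>/dev/null)" ]
}

if [ "${1:-}" = "run" ]; then
    if journal_is_persistent "$LOG_ROOT"; then echo "OK       journal"; else echo "VOLATILE journal"; fi
    audit_log_plan "$LOG_ROOT"
fi
```

Run as `sh audit.sh run`; a non-zero exit status means at least one planned log is missing or exposed.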