Tuesday, 25 April 2017

Logs to monitor to identify issues in the system for Admin

An important part of system administration is making sure that all the infrastructure is always up & working fine, and, if problems do arise on the servers, resolving those problems. We use the various logs generated on our systems to identify the problems that occurred & then resolve the issues based on the findings from the logs.
In this tutorial, we are going to learn about some of the logs that are created on Linux machines & what they are used for.
/var/log/boot.log
It stores all the boot-related messages & is helpful in identifying issues related to booting of the system. So all the issues related to boot failures, unexpected or unplanned shutdowns or unplanned reboots of the system can be diagnosed using boot.log.
/var/log/secure (RHEL/CentOS) & /var/log/auth.log (Debian/Ubuntu)
Both files, i.e. secure for RHEL & auth.log for Debian, serve the same purpose. They are used to store all the events related to authentication. So if you are trying to locate an issue related to authorization of users, these are the log files to look at. Both files can be used to investigate failed login attempts, either directly on the server or via ssh, can be used for checking brute-force attempts, & also log all the successful login attempts.
/var/log/faillog
Logs all the failed login attempts to the system. This is another important file that can help us track security breaches or brute-force attacks.
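The two paragraphs above describe auth.log/secure and faillog as the place to look for failed logins and brute-force attempts. The following shell script is an added example, not part of the original post: it reads sshd lines in the auth.log/secure format, counts failed password attempts per source address, flags sources over a threshold, and separately reports any source that was accepted after a run of failures (the pattern worth investigating first). The log lines in AUTH_SAMPLE are constructed samples using documentation addresses; on a real host you would pipe the actual file into the functions instead.

```shell
#!/bin/sh
# Added example (not from the original post): summarise failed SSH logins
# per source address from auth.log/secure-style lines.
# AUTH_SAMPLE is a constructed sample, not a real log.

AUTH_SAMPLE='Apr 25 10:01:02 web1 sshd[2311]: Failed password for root from 203.0.113.5 port 51022 ssh2
Apr 25 10:01:04 web1 sshd[2311]: Failed password for root from 203.0.113.5 port 51023 ssh2
Apr 25 10:01:06 web1 sshd[2314]: Failed password for invalid user admin from 203.0.113.5 port 51024 ssh2
Apr 25 10:01:09 web1 sshd[2316]: Failed password for invalid user test from 203.0.113.5 port 51025 ssh2
Apr 25 10:01:12 web1 sshd[2318]: Accepted password for root from 203.0.113.5 port 51026 ssh2
Apr 25 10:05:40 web1 sshd[2350]: Failed password for alice from 198.51.100.7 port 40211 ssh2
Apr 25 10:05:55 web1 sshd[2352]: Accepted publickey for alice from 198.51.100.7 port 40212 ssh2
Apr 25 10:07:00 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls'

# failed_by_source: read log text on stdin, print "<count> <ip>" for every
# source address with failed password attempts, most frequent first.
failed_by_source() {
    grep ': Failed password for' |
        sed -n 's/.* from \([0-9.]*\) port .*/\1/p' |
        sort | uniq -c | sort -rn |
        awk '{ print $1, $2 }'
}

# brute_force_sources THRESHOLD: print only the sources with at least
# THRESHOLD failures. Reads log text on stdin.
brute_force_sources() {
    failed_by_source | awk -v t="$1" '$1 >= t { print $2 }'
}

# success_after_failures THRESHOLD: print sources that were accepted after
# at least THRESHOLD failed attempts from the same address. Reads stdin.
success_after_failures() {
    awk -v t="$1" '
        /: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i+1)]++
        }
        /: Accepted / {
            for (i = 1; i <= NF; i++)
                if ($i == "from" && fails[$(i+1)] >= t) print $(i+1)
        }'
}

# Run against the constructed sample. On a real RHEL host use
#   brute_force_sources 5 < /var/log/secure
# and on Debian/Ubuntu read /var/log/auth.log instead.
echo "failed attempts per source:"
printf '%s\n' "$AUTH_SAMPLE" | failed_by_source
echo "sources with 3 or more failures:"
printf '%s\n' "$AUTH_SAMPLE" | brute_force_sources 3
echo "accepted after 3 or more failures:"
printf '%s\n' "$AUTH_SAMPLE" | success_after_failures 3
```

The threshold is an assumption you tune per environment; a few failures from a known admin address are normal, while dozens of failures for "invalid user" names from one address, followed by an accepted login, is the case to escalate.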
/var/log/dmesg
If you suspect any issues created by hardware, then this should be the first file that you look at. This log file is useful for diagnosing any issue created by a hardware component or a driver for the hardware.
/var/log/messages (RHEL/CentOS) & /var/log/syslog (Ubuntu/Debian)
Both these files, for their respective operating systems, contain all the non-critical & informational messages. They can be used to track non-kernel boot errors or application-related issues. This should be the first file to check in case you are facing any of the above-mentioned errors.
/var/log/daemon.log
Contains information related to the various daemons that run in the background on our system. Though rarely required, it can help in diagnosing issues created by daemons.
/var/log/kern.log
kern.log logs all the kernel-related messages & contains all the information related to the kernel. It helps us troubleshoot the warnings or errors generated by the kernel, & can also be used to diagnose connectivity & hardware issues.
/var/log/setroubleshoot
If you have SELinux enabled (we should keep it enabled), then this log file helps us track all the issues related to the security context of files.

/var/log/yum.log
yum.log has all the information related to software installations on your server. You can check it to make sure that packages are properly installed, or if an installed package is behaving in an unusual manner, use yum.log to diagnose the issue.
/var/log/mail.log & /var/log/maillog
All the messages related to mail are stored in these files. They contain all the information for mails sent or received, failed & successful delivery reports, spamming attempts etc. So any issue arising out of sending or receiving mails can be diagnosed with these files.
/var/log/cron.log
This log file lists all the messages created upon execution of scheduled cron jobs, whether they are success messages or errors for the cron job.

These were some of the important log files that you must be monitoring to make sure that the system is working properly. These are only some of the many log files; there are also individual files related to services, like httpd.log or mysqld.log, that are used to diagnose problems related to those services.