Log Files in Linux Explained – Log Types You Must Monitor

Log Files in Linux Explained – Log Types You Must Monitor. In software, it’s essential to monitor logs of system activities. Although monitoring and analysing every log file produced by the system can be challenging; doing so can provide you with a thorough understanding of server performance and its underlying problems. Hence, log files simply let you foresee problems before they arise.

As a developer, it is important to understand Linux logs and which logs are most important to your work. So, in this easy guide, we’ll explain what log files are. In addition we will introduce types, the importance of monitoring them, and the log types you must monitor. 

Let’s start with Log Files in Linux Explained – Log Types You Must Monitor.

What is a Linux Log File?

First of all, Linux keeps a series of records called log files. They allow administrators to keep track of significant events. They include messages regarding the server’s kernel, services, and active applications. So, Linux offers a centralized log file repository to keep track of all the significant events. It is kept in the /var/log directory and its subdirectories in plain text. Linux logs are available for everything. That includes the system, kernel, package managers, boot processes, Xorg, Apache, MySQL, and others.

When you run into problems, Linux logs are a useful tool for debugging. An administrator should always examine log files when a problem occurs. Therefore, log files are written in various places depending on the problems with the desktop application. The developer and whether or not the program supports custom log configuration will determine where a desktop application publishes logs. For instance, Chrome logs crash in the directory “/.chrome/Crash Reports.”

Types of Log Files:

In a typical Linux environment, log files fall into one of five categories: 

Application Logs

These are application log files are recordings of software programs’ actions. You can use them for debugging, diagnosis, and auditing. Moreover, they provide variety of information about a program’s performance, such as disk space warnings, completed operations, issues preventing the application from launching, successful login audit, and login failure audit.

Container Logs

Containerized applications commonly log to “stdout” or “stderr,” which you can usually capture. For example, you can set up a logging driver to deliver logged “stdout” or “stderr” messages to a remote destination to capture Docker container logs. Importantly, container logs can consist entirely of plain text or entirely of JSON files.

Event Logs

Next are event logs. Those are files, that includes information about how to use and operate operating systems, applications, or devices. This data can be accessed by security professionals or automated security systems such as SIEMs. This is in order to monitor security and performance and troubleshoot IT issues.

The modern corporation has a vast array of endpoint devices, applications, and services. This makes it impossible to oversee security and IT operations solely through network monitoring. The relevance of event logs, particularly endpoint logs, cannot be overstated. It is a high level log that records network traffic and usages, such as login attempts, failed password attempts, and application events. 

Security Logs

Many devices keep security log information that lets you see the types of network traffic permitted or disallowed on your network. For instance, audit logs and access controls can be used to find suspect users abusing their access rights. Additionally, you can also use them to stop a future brute force attempt.

An additional example would be authentication log files that record user attempts to access a network resource. This aids in troubleshooting access problems and modifying authentication regulations. For auditing purposes, it also logs high level security occurrences. Therefore, security logs are frequently a subset of system logs; that record specific events related to the safety and security of your IT infrastructure.

System Logs

System log files—also known as “server logs“—contain extensive information records about the operating system, file system, open programs and login credentials. They make it possible for system managers to ascertain whether system processes are loading properly or whether there are any issues, such as system faults, warnings, starting messages, system updates, unexpected shutdowns, etc.

Up next with Log Files in Linux Explained – is to know, which Log Types You Must Monitor.

Why are Log Files Important to Monitor?

Logging plays an important role in the system, and log monitoring is integral to any server administrator’s responsibility. We can gain a detailed insight into server performance, security, error messages, and underlying issues. Hence, log files simply let you foresee problems before they arise. You should monitor logs for the following reasons: 

Reasons to Monitor your Logs

  • You can reduce downtime, lower the risk of data loss, and access important information like the need for updates or potential performance improvement areas by keeping an eye on log files. For instance, log timestamps allow us to determine the interval between events. Some logs, like database query logs, offer latency data that you can utilize to identify time wasting activities.
  • You can use log information to debug errors and figure out what went wrong. For instance, you can look through the log files to determine why a service crashed. Or if it faced an unhandled exception, ran out of memory, or if there was another reason. Additionally, organizations use log monitoring to enhance network observability. They also use it to prevent or fix operating system issues, and provide transparency and insight into the computer environment.
  • Before the system administrator can process the log data, it is frequently sent to a secure server that acts as a centralized logging point. However, all logs combined in a datastore by log aggregation are frequently insufficient. For instance, log management software is useful when creating visualizations, such as a globe map with the nations your website targets. This is because it makes it simple to gather, parse, and examine log files.
  • Monitoring log files and user behaviour can help businesses better understand how people engage with their products (applications). This aids developers in better comprehending user requirements and customizing the application to suit them.

Log Types You Must Monitor

/var/log/syslog or /var/log/messages

This log file holds general system activity logs for systems running on the Debian operating system. Generally, messages and system related data are primarily stored there. This log essentially keeps track of all system wide activity information.

The Linux system administrators must first inspect this log file if something goes wrong. This is where we can monitor start up related notifications, application related service problems, and faults unrelated to the kernel boot process. For instance, if the sound card gives us some trouble.

You can examine this log file to see if anything went wrong during system initialization. Keep in mind that Syslog stores activity for Ubuntu and other Debian based systems. Whereas messages stores activity for Redhat based systems like CentOS or Rhel.

/var/log/auth.log or /var/log/secure

It keeps track of all logins and authentication attempts, both successful and unsuccessful. If you’re searching for anything related to the user authorization process, you can locate it in this log file. Find this log file immediately if you think your server may have experienced a security breach or if you see a suspicious javascript file somewhere it shouldn’t be.

Additionally, this log file can look at unsuccessful login attempts, brute force  attempts and other user authorization system weaknesses. In Debian and Ubuntu, all authentication related events in the server are logged here. With Debian/Ubuntu information stay in “/var/log/auth.log”, while Redhat and CentOS stay in “/var/log/secure”. 

/var/log/mysqld.log or /var/log/mysql.log

This is the MySQL log file, as the name implies. This file contains a log of all debug, error, and success messages for the [mysqld] and [mysqld safe] daemons. Fedora, RedHat, CentOS. And also other RedHat based systems use /var/log/mysqld.log, while Debian/Ubuntu use the /var/log/mysql.log directory.

In nutshell, this log can identify problems while starting, running, or stopping MySQL. Also, it obtains information regarding client connections to the MySQL data directory and configure the “long query time” parameter to record details regarding query locks and long running queries.


This is a directory containing the log files in which Apache server logging information is stored — error_log and access_log. So, the error_log contains all errors encountered by httpd. These errors include memory issues and other system related errors. At the same time, the access_log contains a record of all requests received over HTTP.

This is the place where the Apache server writes events and error records encountered while processing httpd requests. Check this log for diagnostic information if something goes wrong with the Apache web server. Also, it helps you keep track of every page served and every file loaded by Apache.

Additionally, it logs the IP address and user ID of all clients that make connection requests to the server. It also stores information about the status of the access requests, whether the request was successful or unsuccessful, and whether a response was provided.

/var/log/maillog or var/log/mail.log

You will find all mail server related logs here. It is useful when you need information about postfix, smtpd, MailScanner, SpamAssassin, or any email related services running on your server. Track all emails sent or received during a particular period and investigate failed mail delivery issues using this log file. By carefully examining this log file — you can also learn about potential spamming efforts that the mail server may have prevented and discover where an incoming email came from.


All relevant data from the yum command’s package installation process is kept in this log, which can be used to check whether a package and all of its components were installed properly. With the help of this log file, you can keep track of the software and system components installed, and you can review the messages logged to determine if a package was correctly installed or not. You may fix problems with program installations with it as well.

Let’s say that your server is acting strangely, and you believe that a recently installed software program is to blame. In such circumstances, you can look through this log file to discover the most recent packages installed and locate the problematic program.


Next log file, contains data logged by the kernel and it is very significant. Primarily useful for debugging modified kernels and warning information. It can also be useful for troubleshooting hardware and network problems.


The messages from the kernel ring buffer are in this log file. Here, you will find details about hardware components and their drivers. The kernel records the device status, hardware failures, and other generic notifications when it locates the physical hardware devices connected to the server during boot-up. People who use dedicated servers will generally find this log file relevant. You can use this log file to troubleshoot if a piece of hardware is malfunctioning or undetected.

Thank you for reading Log Files in Linux Explained – Log Types You Must Monitor.

Log Files in Linux Explained - Log Types You Must Monitor Conclusion

It can be challenging to track and analyse every log file the system produces. To get the most out of your server logs, you have learned how crucial log file management is from this guide. Managing your server logs with open source software is far easier than manually monitoring Linux logs.

Therefore, if you want to manage servers genuinely and proactively, investing in a centralized log gathering and analysis platform might be wise. You would be able to set up alerts that tell you when potential hazards are present and be able to view log data in real time.

Avatar for Kamso Oguejiofor
Kamso Oguejiofor

Kamso is a mechanical engineer and writer with a strong interest in anything related to technology. He has over 2 years of experience writing on topics like cyber security, network security, and information security. When he’s not studying or writing, he likes to play basketball, work out, and binge watch anime and drama series.

5 1 vote
Article Rating
Notify of
Inline Feedbacks
View all comments
Would love your thoughts, please comment.x