Manage Linux Log Files

We were looking at log files in our various servers, with the idea that we could delete them to reclaim some disk space, but if they are properly set up with the logrotate command, they will be kept to a manageable size automatically. 

Log files live in /var/logs. There may be subdirectories within /var/logs for specific applications such as mySQL. 
Log files generally are managed through the logrotate command.  This is the program which deletes old logs, and stores and renames older versions of logs based on specifications that you put in to the logrotate.conf file.  The logrotate.conf file is typically located in /etc. It can contain defaults for all logs, and specifics for particular log files.  BUT….. 
Ugh.  Although the default specs for logs is the logrotate.conf file, some programs store their parameters elsewhere.  These include programs like apache, linuxconf, samba, cron, and syslog. 
The include parameters will read the contents of these other log parameter files, and include them in the logrotate.conf.  
(Note…these are the log configuration files,  not the log files themselves, which still appear in /var/log 
cat /etc/logrotate.d/httpd
/var/log/httpd/*log {
        /sbin/service httpd reload > /dev/null 2>/dev/null || true
The upshot is that most log files in /var/log will either be the current active log file for an application, or an archived version.  If the archives are compressed, then the suffix for the file will be .gz  

Reading the logs for user log-ins.  

Log files for logins, which contain the user name, time of access, and from where, are contained in two log files,  wtmp, and btmp.  On some systems there is also a utmp file. 
These are binary files, so that when accessed using cat, they will show gibberish. 
However, the last command will format them correctly.  
lastb shows the failed login attempts  (from wtmp)  – BSD
last shows successful login attempts.  (from btmp)  – BSD 
lastlog on Red Hat machines will also read the logins file. According to Wiki, this is “similar to last and lastb”, but last parses a different database (wtmp and btmp). 
tail -n30  shows the last 30 lines of a log file. 
tail  by default shows the last 10 
cat /proc/version  shows the version of linux 
df -h shows the installed hard disk(s) and their useage. 
cat /etc/passwd shows all of the user accounts. 
more, less for paging.  (less allows for paging backwards) 

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s