How to access and configure System Logs on Ubuntu and Debian Systems

Managing and accessing system logs on Linux

Introduction

System administrators working with Ubuntu and Debian often need to consult log files to troubleshoot issues. This is a fundamental step in diagnosing and resolving problems on these operating systems.

Linux-based systems, including Ubuntu and Debian, generate a variety of messages that are recorded in log files. These log messages are crucial for understanding the system’s behavior and identifying issues. Linux relies on a combination of configuration files, directories, programs, commands, and daemons to manage and organize these log messages. Familiarity with the locations of log files and the associated commands can significantly expedite the troubleshooting process.

In this guide, we will explore the key aspects of the Linux logging system in the context of Ubuntu and Debian.

Step 1 – Identifying Default Log File Locations

By default, log files on Ubuntu and Debian are stored in the /var/log directory. You can view the list of log files in this directory using the following command:

$ ls -l /var/log

When executed on your system, the output will resemble the following:

total 49316
drwxr-xr-x. 2 root   root          6 Sep 27 19:17 anaconda
drwx------. 2 root   root         99 Jan  3 08:23 audit
-rw-rw----. 1 root   utmp    1234560 Jan  3 16:16 btmp
-rw-rw----. 1 root   utmp   17305344 Jan  1 00:00 btmp-20230101
drwxr-x---. 2 chrony chrony        6 Aug 10  2021 chrony
-rw-r--r--. 1 root   root     130466 Dec  8 22:12 cloud-init.log
-rw-r-----. 1 root   adm       10306 Dec  8 22:12 cloud-init-output.log
-rw-------. 1 root   root      36979 Jan  3 16:03 cron
-rw-------. 1 root   root      27360 Dec 10 23:15 cron-20221211
-rw-------. 1 root   root      94140 Dec 17 23:07 cron-20221218
-rw-------. 1 root   root      95126 Dec 24 23:14 cron-20221225
-rw-------. 1 root   root      95309 Dec 31 23:04 cron-20230101
…

Step 2 – Viewing Log Contents

Under /var/log, you’ll encounter various log files with specific purposes. Some common examples include:

  • wtmp
  • utmp
  • dmesg
  • messages
  • maillog or mail.log
  • spooler
  • auth.log or secure

wtmp and utmp files track user logins and logouts. To see the currently logged-in users on a Linux server, use the who command. On Ubuntu, the output could look like this:

root@ubuntu-22:~# who
root     pts/0        2023-01-03 16:23 (198.7.211.4)

To retrieve login history, the last command is useful:

root@ubuntu-22:~# last
root     pts/0        198.7.211.4  Tue Jan  3 16:23   still logged in
reboot   system boot  5.19.0-23-generi Thu Dec  8 21:48   still running
wtmp begins Thu Dec  8 21:48:51 2022

For determining the last reboot time, use:

$ last reboot

In Debian, the output might appear as follows:

root@debian-11-trim:~# last reboot
reboot   system boot  5.10.0-11-amd64  Thu Dec  8 21:49   still running
wtmp begins Thu Dec  8 21:49:39 2022

The lastlog command can reveal the last login times for users:

$ lastlog

Output on a Debian system might resemble:

root@debian-11-trim:~# lastlog
Username         Port     From             Latest
root             pts/0    162.243.188.66   Tue Jan  3 16:23:03 +0000 2023
daemon                                     **Never logged in**
bin                                        **Never logged in**
sys                                        **Never logged in**
sync                                       **Never logged in**
games                                      **Never logged in**
man                                        **Never logged in**
lp                                         **Never logged in**
mail                                       **Never logged in**
news                                       **Never logged in**
uucp                                       **Never logged in**
proxy                                      **Never logged in**
www-data                                   **Never logged in**
backup                                     **Never logged in**
list                                       **Never logged in**
irc                                        **Never logged in**
gnats                                      **Never logged in**
nobody                                     **Never logged in**
_apt                                       **Never logged in**
messagebus                                 **Never logged in**
uuidd                                      **Never logged in**
…

To access the contents of text-based log files, commands like cat, head, or tail can be employed. For example, to view the last ten lines of the /var/log/messages file on a Debian server:

$ sudo tail /var/log/messages

Expected output:

root@debian-11-trim:~# tail /var/log/messages
Jan  1 00:10:14 debian-11-trim rsyslogd: [origin software="rsyslogd" swVersion="8.2102.0" x-pid="30025" x-info="https://www.rsyslog.com"] rsyslogd was HUPed
Jan  3 16:23:01 debian-11-trim DropletAgent[808]: INFO:2023/01/03 16:23:01 ssh_watcher.go:65: [SSH Watcher] Port knocking detected.
Jan  3 16:23:01 debian-11-trim DropletAgent[808]: INFO:2023/01/03 16:23:01 do_managed_keys_actioner.go:43: [DO-Managed Keys Actioner] Metadata contains 1 ssh keys and 1 dotty keys
Jan  3 16:23:01 debian-11-trim DropletAgent[808]: INFO:2023/01/03 16:23:01 do_managed_keys_actioner.go:49: [DO-Managed Keys Actioner] Attempting to update 1 dotty keys
Jan  3 16:23:01 debian-11-trim DropletAgent[808]: INFO:2023/01/03 16:23:01 do_managed_keys_actioner.go:65: [DO-Managed Keys Actioner] Attempting to create 1 ssh keys
Jan  3 16:23:01 debian-11-trim DropletAgent[808]: INFO:2023/01/03 16:23:01 do_managed_keys_actioner.go:105: [DO-Managed Keys Actioner] Action metadata updated
Jan  3 16:23:02 debian-11-trim kernel: [   22.685314] Bluetooth: RFCOMM TTY layer initialized
Jan  3 16:23:02 debian-11-trim kernel: [   22.685320] Bluetooth: RFCOMM socket layer initialized
Jan  3 16:23:02 debian-11-trim kernel: [   22.685321] Bluetooth: RFCOMM ver 1.11
Jan  3 16:23:03 debian-11-trim login[956]: ROOT LOGIN  on '/dev/pts/0'

For logs that update in real-time, the tail -f command can be used to “follow” the log and display new entries as they are added:

$ sudo tail -f /var/log/syslog

To view the beginning of a log file, use head:

$ sudo head /var/log/syslog
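The tail output above is usually read by eye; the following added example (not part of the original article) does the same triage with awk and grep over a syslog-format file, counting messages per program and root logins on a terminal. The sample file is constructed here, modelled on the /var/log/messages excerpt above.

```shell
#!/bin/sh
# Added example: summarise a syslog-format file such as /var/log/messages or
# /var/log/syslog by program. Each line has the shape
# "Jan  3 16:23:03 host program[pid]: message".

# Print "count program" pairs, most frequent first.
syslog_program_counts() {
    awk '{
        prog = $5                    # field 5 is "program[pid]:" or "program:"
        sub(/\[[0-9]+\]/, "", prog)  # drop the [pid]
        sub(/:$/, "", prog)          # drop the trailing colon
        counts[prog]++
    } END { for (p in counts) print counts[p], p }' "$1" | sort -rn
}

# Count root logins on a terminal; login(1) records them as
# "login[pid]: ROOT LOGIN  on '/dev/pts/N'", as in the last line of the tail output.
root_tty_logins() {
    grep -c "login\[[0-9]*\]: ROOT LOGIN" "$1"
}

# Constructed sample, modelled on the /var/log/messages excerpt in the article.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
Jan  1 00:10:14 debian-11-trim rsyslogd: [origin software="rsyslogd"] rsyslogd was HUPed
Jan  3 16:23:01 debian-11-trim DropletAgent[808]: INFO: [SSH Watcher] Port knocking detected.
Jan  3 16:23:02 debian-11-trim kernel: [   22.685314] Bluetooth: RFCOMM TTY layer initialized
Jan  3 16:23:02 debian-11-trim kernel: [   22.685320] Bluetooth: RFCOMM socket layer initialized
Jan  3 16:23:03 debian-11-trim login[956]: ROOT LOGIN  on '/dev/pts/0'
EOF

syslog_program_counts "$SAMPLE"
echo "root logins on a tty: $(root_tty_logins "$SAMPLE")"
```

Run it against a real file by replacing "$SAMPLE" with /var/log/syslog (with sudo, since the file is readable only by root and the adm group).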

Step 3 – Using Logrotate for Log Management

The logrotate utility automates the management of log files. It can archive old log files, compress logs, and clean up log directories to prevent excessive disk usage.

To configure logrotate, edit the /etc/logrotate.conf file using a text editor (such as nano or vim). The logrotate configuration file is well-commented and provides clear guidelines on how to set up rotation rules for log files.

Here’s an example of what the configuration file might look like:

# see "man logrotate" for details
# rotate log files weekly
weekly
# keep 4 weeks worth of backlogs
rotate 4
# create new (empty) log files after rotating old ones
create
# use date as a suffix of the rotated file
dateext
# uncomment this if you want your log files compressed
# compress
# packages drop log rotation information into this directory
include /etc/logrotate.d
# no packages own wtmp, or btmp -- we'll rotate them here
/var/log/wtmp {
    missingok
    monthly
    create 0664 root utmp
    minsize 1M
    rotate 1
}
/var/log/btmp {
    missingok
    monthly
    create 0660 root utmp
    rotate 1
}
# system-specific logs may be also be configured here

In this example, log files are rotated weekly, kept for a total of 4 weeks, and new empty log files are created after rotation. Compression is not enabled here because the compress directive is commented out; remove the leading # to have rotated logs compressed.

To add or edit specific log rotation rules, you can create or edit files in the /etc/logrotate.d directory. For instance, a file named /etc/logrotate.d/nginx would contain rules specifically for rotating the Nginx web server logs.
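As an added example (not from the original article), here is a per-application rule of the kind placed in /etc/logrotate.d for the Nginx logs just mentioned, written to a directory you pass in so it can be reviewed and dry-run without root. The Nginx log paths, the www-data owner, the pid file and the 14-day retention are assumptions.

```shell
#!/bin/sh
# Added example: write a logrotate rule for Nginx and dry-run it.

write_nginx_logrotate() {        # $1 = directory to write the rule into
    cat > "$1/nginx" <<'EOF'
# Assumed Nginx paths; adjust to your installation.
/var/log/nginx/*.log {
    daily
    # no error if a log is absent, and skip empty logs
    missingok
    notifempty
    # keep two weeks of rotated logs; leave the newest one uncompressed
    rotate 14
    compress
    delaycompress
    # new file readable by root and the adm group only
    create 0640 www-data adm
    # run postrotate once for all matched logs
    sharedscripts
    postrotate
        # ask nginx to reopen its log files after they were renamed
        if [ -f /var/run/nginx.pid ]; then
            kill -USR1 "$(cat /var/run/nginx.pid)"
        fi
    endscript
}
EOF
    printf '%s\n' "$1/nginx"
}

# logrotate -d is a dry run: it reports what it would rotate without touching
# any file. A private state file keeps /var/lib/logrotate untouched.
logrotate_dry_run() {            # $1 = rule file, $2 = scratch state file
    if command -v logrotate >/dev/null 2>&1; then
        logrotate -d -s "$2" "$1"
    else
        echo "logrotate not installed; skipping dry run" >&2
    fi
}

RULE_DIR=$(mktemp -d)
trap 'rm -rf "$RULE_DIR"' EXIT
RULE=$(write_nginx_logrotate "$RULE_DIR")
logrotate_dry_run "$RULE" "$RULE_DIR/state"
```

Once the dry run looks right, copy the generated file to /etc/logrotate.d/nginx as root; the daily cron or systemd timer that runs logrotate picks it up through the include line in /etc/logrotate.conf.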

Step 4 – Using the rsyslog Daemon

The rsyslog daemon is a powerful and flexible system logging service available on Ubuntu and Debian systems. It replaces the older syslog system and provides advanced features for handling log messages. rsyslog allows you to filter, route, and store log messages in various formats and destinations.

Installation and Basic Configuration

  1. Installation:

Check if rsyslog is already installed on your system by running:

$ sudo dpkg -l | grep rsyslog

If it’s not installed, you can install it using the following command:

$ sudo apt-get update
$ sudo apt-get install rsyslog

  2. Configuration Files:

rsyslog's main configuration file is located at /etc/rsyslog.conf. However, it's recommended to make configuration changes in separate files in the /etc/rsyslog.d/ directory to keep things organized and avoid directly modifying the main file.

Understanding Configuration Lines

The rsyslog.conf file consists of a series of configuration lines, each comprising a two-part instruction: a selector and an action. These parts are separated by white space.

  1. Selector: The selector part determines the source and importance of the log message. It is divided into two components by a dot (.):
    • Facility: Denotes the origin of the message, such as auth, kern, mail, user, etc.
    • Priority: Represents the severity level of the message, ranging from debug (lowest) to emerg (highest).
  2. Action: The action part specifies what rsyslog should do with log messages that match the provided selector. This can involve writing messages to specific log files, forwarding them to remote servers, and more.

Example Configuration Line

Here’s an example of a configuration line that logs kernel messages (kern) of priority err (error) or more severe:

kern.err        /var/log/kernel_errors.log

In this example:

  • kern.err is the selector, matching kernel messages of priority err and above (a selector's priority means "this level or higher").
  • /var/log/kernel_errors.log is the action, specifying that matching log messages should be saved to the kernel_errors.log file.

Viewing Configuration Files

On Ubuntu systems, the default configuration file is often found at /etc/rsyslog.d/50-default.conf. You can use the following command to view its contents:

$ cat /etc/rsyslog.d/50-default.conf

Facilities and Priorities

Different facilities represent various sources of log messages, such as auth, kern, mail, and more. Each message is assigned a priority indicating its severity level, ranging from debug (lowest) to emerg (highest).

Here are a few facilities and priorities recognized by rsyslog:

Facilities:

  • auth or authpriv: Authorization and security-related events
  • user: Log messages coming from user programs
  • mail: Log messages generated by the mail subsystem
  • local0 to local7: Reserved for local use
  • kern: Messages originating from the Linux kernel

Priorities:

  • debug: Debug information from programs
  • info: Simple informational messages
  • notice: Conditions that may require attention
  • warn: Warnings
  • err: Errors
  • crit: Critical conditions
  • alert: Conditions that need immediate intervention
  • emerg: Emergency conditions

Understanding these facilities and priorities is essential for configuring rsyslog effectively.

  3. Basic Logging: By default, rsyslog logs messages to the /var/log/syslog file. You can view the contents of this file using cat or other commands as mentioned earlier.

Advanced Configuration and Filtering

  1. Filtering with Templates:

rsyslog allows you to filter and process log messages based on various attributes like facility, severity, or program name. You can create custom templates to format log messages. For instance, to forward specific logs to a remote server:

  1. Create a custom configuration file in /etc/rsyslog.d/, like /etc/rsyslog.d/50-remote.conf.
  2. Add the following line to forward messages from the sshd program on the auth facility to a remote server at 1.2.3.4 over TCP (the @@ prefix selects TCP; a single @ would send over UDP):
if $programname == 'sshd' and $syslogfacility-text == 'auth' then @@1.2.3.4:514

  2. Creating Custom Log Files:

You can create custom log files for specific applications or services. For example, to create a log file for a service named myapp:

  1. Create a custom configuration file in /etc/rsyslog.d/, like /etc/rsyslog.d/60-myapp.conf.
  2. Add the following lines to create a log file at /var/log/myapp.log for messages from the myapp program:
if $programname == 'myapp' then /var/log/myapp.log

Applying Changes and Restarting rsyslog

After making changes to rsyslog configuration files, you need to restart the rsyslog service to apply them:

$ sudo service rsyslog restart
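The myapp procedure above (create the drop-in, add the rule, restart) as one script, added here and not part of the original article: it writes the rule in rsyslog's RainerScript form, checks it with rsyslogd's syntax-only mode, and restarts the service only when the file really went into /etc/rsyslog.d. The program name and log path come from the article; the directory argument and the added stop directive are assumptions.

```shell
#!/bin/sh
# Added example: write, check and apply an rsyslog drop-in for "myapp".
# Usage: ./myapp-rule.sh [/etc/rsyslog.d]  (defaults to a temp dir for review)

write_myapp_rule() {              # $1 = directory for the drop-in file
    cat > "$1/60-myapp.conf" <<'EOF'
# Route everything tagged with programname "myapp" to its own file.
# "stop" keeps those lines out of /var/log/syslog; drop it if you want both.
if $programname == 'myapp' then {
    action(type="omfile" file="/var/log/myapp.log")
    stop
}
EOF
    printf '%s\n' "$1/60-myapp.conf"
}

# rsyslogd -N1 parses the configuration and exits non-zero on a syntax error
# without starting the daemon. Returns 0 when the file is valid, or when
# rsyslogd is not installed so that the check is skipped rather than failed.
check_rsyslog_conf() {            # $1 = configuration file to check
    if command -v rsyslogd >/dev/null 2>&1; then
        rsyslogd -N1 -f "$1"
    else
        echo "rsyslogd not installed; skipping syntax check" >&2
    fi
}

CONF_DIR=${1:-$(mktemp -d)}
RULE=$(write_myapp_rule "$CONF_DIR")
if check_rsyslog_conf "$RULE"; then
    echo "$RULE is valid"
    # Restart only when the rule was written into the real drop-in directory.
    if [ "$CONF_DIR" = /etc/rsyslog.d ]; then
        sudo service rsyslog restart
    fi
else
    echo "$RULE has errors; not restarting rsyslog" >&2
    exit 1
fi
```

After the restart, a message sent with `logger -t myapp "hello"` should appear in /var/log/myapp.log.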

Debugging and Troubleshooting

If you encounter issues with logging or configuration, you can check the /var/log/syslog file for rsyslog-related messages. Additionally, rsyslog itself logs its actions, so you can use the following command to view these logs:

$ sudo journalctl -u rsyslog

This will show you rsyslog's logs, which can be helpful for diagnosing any problems related to the logging service itself.

Conclusion

Accessing and configuring system logs is an essential skill for Linux system administrators. Ubuntu and Debian provide a robust set of tools and commands for managing log files, which are crucial for diagnosing issues and monitoring system behavior.

By understanding default log file locations, utilizing log viewing commands like cat, tail, and head, and configuring log rotation with logrotate, administrators can effectively manage and maintain log files on their systems. This ensures that important log data is preserved while preventing the accumulation of excessive disk usage.
