How to Check Server Logs for Security and Software Issues

How to Check Server Logs for Security and Software Issues

What Do I Need?

  • A Dedicated or VPS Linux Server
  • CentOS

What are Log Files?

Log files are the all-important records that Linux stores for administrators to keep track and monitor important events on the webserver, kernel, services, and the applications running on it. Linux provides a centralized repository of log files that can be located under the /var/log directory. All log files generated in a Linux environment can typically be classified into four different categories:

  • application logs,
  • event logs,
  • service logs,
  • system logs.
  1. Monitor Log Files
  1. Monitoring and analyzing log files can be a challenging task. The sheer volume of logs can sometimes make it frustrating to drill down and find the right file that contains the required information.
  1. Messages
cat /var/log/messages

How to Check Server Logs for Security and Software Issues

  1. This log file contains generic system activity logs. It’s mainly used to store informational and non-critical system messages.
  2. Using these logs, you can track non-kernel boot errors, application-related service errors, and the messages that are logged during system startup. It’s the first log file any Linux administrator should check if something goes wrong.
  1. Auth.log
cat /var/log/auth.log

How to Check Server Logs for Security and Software Issues

  1. All authentication-related events in Debian and Ubuntu servers are logged here. If you’re looking for anything involving the user authorization mechanism, you’ll find it here.
  2. If you suspect there’s been a security breach of your server, this is where you may find indicators. If you notice a suspicious javascript file where it shouldn’t be, this is where you’d see it.
  1. Secure.log
  1. RedHat and CentOS-based systems use this log file instead of /var/log/auth.log. It’s mainly used to track the usage of authorization systems. It stores all security-related messages, including authentication failures and various others. It’s also responsible for tracking sudo logins, ssh logins, and other errors logged by security systems daemons or services.
  2. All user authentication events are logged. This file can provide detailed insights into unauthorized and failed login attempts and can be useful for detecting possible hacking attempts. It also stores useful information about successful logins and tracks the activities of valid users.
  1. Boot.log
cat /var/log/boot.log
  1. The system initialization script, /etc/init.d/bootmisc.sh, sends all bootup messages to this log file. This is the repository of booting related information and messages logged during the system startup process. You should analyze this log file to investigate issues related to improper shutdown, unplanned reboots, or booting failures. You can also determine the duration of system downtime caused by an unexpected shutdown.
  1. Dmesg
cat /var/log/dmesg
  1. This file contains kernel ring buffer messages. Information related to hardware devices and their drivers is logged here. As the kernel detects physical hardware devices associated with the webserver during the booting process, it captures the device status, hardware errors, and other generic messages.
  2. This log file is useful for dedicated server users mostly. If certain hardware is functioning improperly or not getting detected, then you can rely on this log file to troubleshoot the issue.
  1. Kern.log
cat /var/log/kern.log
  1. This is a very important log file as it contains information logged by the kernel; perfect for troubleshooting kernel-related errors and warnings.
  2. Kernel logs can be helpful to troubleshoot a custom-built kernel and can be extremely useful in debugging hardware and connectivity issues.
  1. Faillog
cat /var/log/faillog
  1. This file contains information on failed login attempts. It works best to find out any attempted security breaches involving username/password hacking and brute-force attacks.

Next Steps

I’d recommend looking at the variety of other logs also available. For example, it’s always a good idea to check the following:

  • /var/log/cron
cat /var/log/cron
  • /var/log/yum.log
cat /var/log/yum.log
  • /var/log/maillog or /var/log/mail.log
cat /var/log/mail.log
  • /var/log/httpd/
cat /var/log/httpd/
  • /var/log/mysqld.log or /var/log/mysql.log
cat /var/log/mysqld.log

Conclusion

While monitoring and analyzing all the log files generated by the system can be a difficult task, you can make use of a centralized log monitoring tool to simplify the process. Personally, as opposed to ‘handing off’ inspection and control to outsourced elements, I suggest getting to grips with these log files and monitoring them manually.

How to use SSH to Back Up Your WordPress Website Hosted on a Linux VPS

The default directory path for websites in Linux Servers is usually./var/www/htm
1 min read
Idan Cohen
Idan Cohen
Marketing Expert

How To Transfer Files From a Remote Server to another Remote Server Using SSH

A relatively common situation is requiring the move of a website from one server
4 min read
Eliran Ouzan
Eliran Ouzan
Web Designer & Hosting Expert

How to Set Up a Linux VPN Server from a Windows Client

VPN is important for securely connecting to server’s resource
5 min read
Vladimir Rakov
Vladimir Rakov
Hosting Expert

How to Configure SSL/TLS for Apache Tomcat

This guide will help you configure HTTPS on an Apache Tomcat server.
4 min read
Eliran Ouzan
Eliran Ouzan
Web Designer & Hosting Expert
HostAdvice.com provides professional web hosting reviews fully independent of any other entity. Our reviews are unbiased, honest, and apply the same evaluation standards to all those reviewed. While monetary compensation is received from a few of the companies listed on this site, compensation of services and products have no influence on the direction or conclusions of our reviews. Nor does the compensation influence our rankings for certain host companies. This compensation covers account purchasing costs, testing costs and royalties paid to reviewers.
Click to go to the top of the page
Go To Top