Essential Linux Log Files Every SRE Should Monitor

This article outlines the most important Linux log files under /var/log, explains what each records—from system and kernel messages to authentication, web server, database, and firewall events—and shows practical commands for inspecting them, helping SREs improve fault detection and system observability.

Efficient Ops

In monitoring, the most important metrics are business north‑star and RED metrics; lower‑level machine metrics and logs are also useful for early alerts.

System logs are the foundation of monitoring data. Linux stores logs under /var/log. Below is a list of common log files and their purposes.

/var/log/syslog or /var/log/messages

These files capture a wide range of system messages from daemons, processes, and the kernel, providing a comprehensive record of system activity. They are crucial for diagnosing errors, warnings, OOM events, and other stability or performance issues.

/var/log/auth.log or /var/log/secure

Authentication logs record successful and failed login attempts, permission changes, and other auth‑related events. They are essential for detecting unauthorized access. Example:

grep "Failed password" /var/log/auth.log

can be used to find failed logins and set alert rules.
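
Added example, not part of the original article: a plain grep line count does not group failures by source and undercounts when rsyslog collapses duplicates into "message repeated N times" entries. The shell functions below count sshd failed-password events per source address and apply a threshold; the function names, the sample log lines, and the threshold of 3 are constructed for illustration.

```shell
#!/bin/sh
# failed_by_source [FILE]: print "<count> <source>" per address, highest first.
# Reads stdin when FILE is omitted.
failed_by_source() {
    awk '
    /sshd/ && /Failed password for/ {
        n = 1; seen = 0; src = ""
        for (i = 1; i < NF; i++) {
            if ($i == "Failed") seen = 1
            # rsyslog may collapse duplicates into "message repeated N times: [ ... ]".
            # Only trust that marker before the sshd text, never inside the username.
            if (!seen && $i == "repeated" && $(i+2) == "times:") n = $(i+1) + 0
            # Keep the LAST "from": its position shifts with "invalid user",
            # and the username itself is attacker-controlled.
            if ($i == "from") src = $(i+1)
        }
        if (src != "") count[src] += n
    }
    END { for (s in count) print count[s], s }
    ' "$@" | sort -k1,1nr -k2,2
}

# over_threshold LIMIT [FILE]: print only sources with at least LIMIT failures.
over_threshold() {
    limit=$1; shift
    failed_by_source "$@" | awk -v limit="$limit" '$1 >= limit'
}

# Constructed sample lines (documentation addresses from RFC 5737).
sample_auth_log() {
    cat <<'EOF'
Mar  3 10:01:02 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 40122 ssh2
Mar  3 10:01:05 web1 sshd[2101]: message repeated 3 times: [ Failed password for root from 203.0.113.7 port 40122 ssh2]
Mar  3 10:02:11 web1 sshd[2140]: Failed password for invalid user admin from 198.51.100.23 port 51514 ssh2
Mar  3 10:02:40 web1 sshd[2155]: Accepted password for deploy from 192.0.2.10 port 50022 ssh2
Mar  3 10:03:09 web1 sshd[2170]: Failed password for invalid user test from 198.51.100.23 port 51530 ssh2
EOF
}

# Alert candidates in the sample: sources with 3 or more failures.
sample_auth_log | over_threshold 3
```

On a real host, pass the log path instead of the sample, for example over_threshold 10 /var/log/auth.log, and pick the limit from your own baseline.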

/var/log/kern.log

Contains kernel messages, including hardware events and driver information. Useful for diagnosing hardware or driver problems. You can also view kernel logs with

dmesg -T | grep -i error

and use “error” as an alert keyword.

/var/log/boot.log

Records events during system boot, helping to identify failed services or delays. Use

less /var/log/boot.log

and search for “FAILED” or “ERROR”.

/var/log/dmesg

Shows messages from the kernel ring buffer, valuable for hardware diagnostics and performance monitoring.

/var/log/cron

Logs scheduled task execution, aiding in diagnosing job scheduling and execution issues.

/var/log/maillog or /var/log/mail.log

Captures mail server activity, including delivery and errors. Monitoring helps ensure reliable communication. Example:

tail -f /var/log/maillog

and search for “error” or “failed”.

/var/log/httpd/access.log or /var/log/apache2/access.log

Logs every web request with IP, request type, and response status. Useful for traffic analysis and spotting security threats.

/var/log/httpd/error.log or /var/log/apache2/error.log

Records Apache errors, configuration issues, and application problems, essential for keeping web services running smoothly.

/var/log/nginx/access.log

Similar to Apache access logs, it records NGINX requests. Real‑time monitoring with

tail -f /var/log/nginx/access.log

helps optimize performance and detect attacks. Tools like goaccess provide visual analysis.

/var/log/nginx/error.log

Captures NGINX errors, aiding in diagnosing server and application issues.

/var/log/mysql.log or /var/log/mysql/error.log

Logs MySQL activity and errors, important for database management and troubleshooting.

/var/log/ufw.log

Records UFW firewall events, helping monitor network security and detect unauthorized attempts. Use tail to spot repeated rejections from the same IP.

/var/log/audit/audit.log

Audit daemon logs provide detailed records for security audits and compliance, offering a comprehensive view of system changes.

/var/log/daemon.log

Contains messages from system daemons, useful for monitoring background services.

/var/log/btmp

Tracks failed login attempts; view with lastb.

/var/log/wtmp

Records login and logout events; view with last to audit user activity.
