Key Log File Locations


Time
21 hours 25 minutes
Difficulty
Intermediate
CEU/CPE
21
Video Transcription
00:00
Hey Cybrarians. Welcome back to the Linux+ course here at Cybrary. I'm your instructor Rob Goelz. In today's lesson, we're going to be covering Key Log File Locations. By completion of today's lesson, you're going to be able to understand the importance of logging, we're going to talk about the content of some key log files, and then later during our demo, we're going to locate the log files on disk.

All Linux distributions have some logging method, and it's very important that we log things. Most Linux applications will log things in some way also. Logging, in general, will just be used to output short messages, and these are going to cover things like what happened and when it occurred. Logging does run continuously in the background, and so therefore it can be used to find the cause of an issue. As a system administrator, I will tell you the logs are your best friend in trying to determine what happened, and they are your best friend because they tell you what happened when you weren't there, when you couldn't be around to see it.

Now, in general, the majority of logs that you're going to deal with will be found in the /var/log directory. The only exception to this is custom logs or application-specific logs, and those you'll configure in a different location in the application configuration itself. But in general, most things are in /var/log, and in this directory there are four log files that are explicitly called out for the purposes of the Linux+ exam. Those are /var/log/secure, and this is the security log file that logs things like connection attempts. There's /var/log/messages. Well, this is a general-purpose catch-all log file, so you can find a lot of good information in there on a regular basis. There's also the /var/log/kern.log file, and this is used by dmesg on some distros, and it stores boot message information in there. Then in general you'll also see /var/log/<insert application here>. This is for application logs; for example, we might see /var/log/httpd for nginx or an Apache web server in this case.

Let's have a look at all of these with some demo time. Here we are in our demo environment and, as I said, everything we're going to look at is generally going to be in /var/log, so let's change directory into /var/log, and then we can do an ls -al on here and we can see all sorts of log types. In here we see the logs we spoke about and other application files. For example, we see chrony, we see cups, right, for printing, we see httpd, which is our Apache web server, and we also see things like libvirt and journal and so on and so forth.

Let's take a look at messages. We said messages is a catch-all log file, so you can do a cat on /var/log/messages, and what happened? Permission denied; we need to sudo up. We're going to do sudo cat /var/log/messages here, and you're going to find that in general, if you're looking through logs, sometimes you're going to run into this, so it is generally better to try and do a sudo and get into a file. Now we can type in my sudo password and elevate privileges temporarily, and we can see the contents. But we can see there's a lot of messages. What we're going to want to do now is probably use less to view these, or, if it's a particular thing we're looking for, we could use grep to try and find what we're looking for.

For example, let's do a grep for warning, so we could use sudo grep, and let's colorize: we'll do --color, and then I'll do a -i for warning because I don't really care what case it is, and I want to look at that in /var/log/messages. Now we see all the occurrences of the string warning, and because I used the -i flag with grep, I can see that some of them are uppercase, some of them are lowercase, some are all uppercase, and so on and so forth. It just gives us all the warning messages in the log, colorized.

We can also page through security logs with less, so let's do a sudo less, and we said that our security log is /var/log/secure, so let's do that. We're going to do /var/log/secure, and now we can see all the security messages here. We can actually search these inside of less by doing the forward slash and then typing the word warning, and now we can see any occurrences of the word warning. We can see that we have a message for when I just ran that. We can go to the bottom of this log with a capital G, or we can go to the top with a double lowercase g. That'll take us all the way to the top.

To watch in real time, we can break out of this by hitting q, and then what we could do is a tail -f on /var/log/secure. Here let's run this with sudo as well, because we're going to need to be root to do it, and now we can see anything that happens; anything that comes in will display in real time on this system. Not a lot of activity, because this system basically is just running on my computer as a virtual machine, but if we had, say, intrusion attempts, we would see them being logged here in /var/log/secure.

With that, we've reached the end of this lesson. In this lesson, we talked on the importance of logging. We also covered the content of some key log files, the ones that are going to be on the Linux+ exam, and then we saw how to locate and view log files on disk during our demo. Thanks so much for being here and I look forward to seeing you in the next lesson.
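The lesson ends with the idea that intrusion attempts would show up in /var/log/secure. The script below is an added example, not part of the lesson or of Cybrary's material: it takes the grep approach from the demo one step further and summarizes "Failed password" sshd entries per source IP, which is the first thing an administrator wants when a tail -f shows a burst of login failures. The log lines are constructed for the demo (they follow the usual rsyslog/OpenSSH layout, but were not captured from a real host), and the function names are this example's own. Run it with the --demo flag to see the report on the constructed sample; point failed_logins_by_ip at /var/log/secure (with sudo) on a real RHEL-family system.

```shell
#!/bin/sh
# Added example (not from the lesson): summarize failed SSH password attempts
# per source IP from a /var/log/secure-style file.

# Writes a constructed sample log to the path given in $1 so the example
# runs offline. These lines were written for the demo, not captured.
make_sample_log() {
    cat > "$1" <<'EOF'
Mar  3 10:14:02 lab sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 10:14:05 lab sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar  3 10:14:09 lab sshd[2104]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar  3 10:15:11 lab sshd[2110]: Accepted publickey for rob from 192.0.2.10 port 40122 ssh2
Mar  3 10:16:40 lab sshd[2115]: Failed password for rob from 198.51.100.23 port 39000 ssh2
Mar  3 10:17:01 lab sudo:      rob : TTY=pts/0 ; PWD=/var/log ; USER=root ; COMMAND=/usr/bin/less /var/log/secure
EOF
}

# Count "Failed password" lines per source IP, most frequent first.
# Like the demo, grep -i ignores case. Output: one "<count> <ip>" per line.
failed_logins_by_ip() {
    grep -i 'failed password' "$1" \
        | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{print $1, $2}'
}

# Print the IPs at or above a failure threshold (default 3) so that a
# single mistyped password is not reported as an attack.
brute_force_suspects() {
    threshold="${2:-3}"
    failed_logins_by_ip "$1" | awk -v t="$threshold" '$1 >= t {print $2}'
}

# Stand-alone run: build the sample, then report on it.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    make_sample_log "$tmp"
    echo "Failed password attempts per source IP:"
    failed_logins_by_ip "$tmp"
    echo "Likely brute-force sources (>= 3 failures):"
    brute_force_suspects "$tmp" 3
    rm -f "$tmp"
fi
```

The sed pattern only keeps lines that carry a "from <ip> port" clause, so the successful publickey login and the sudo entry in the sample are ignored rather than miscounted. On a busy host you would typically combine this with the date prefix (or run it over a rotated copy such as /var/log/secure-YYYYMMDD) to scope the count to a time window.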