this article might be largely incomplete…

kernel ringbuffer boot messages

messages from the kernel during first stages of boot.

# all distros
dmesg; # show kernel ring buffer boot messages log

# Centos7 only (debian8 has the file but it is empty)
less /var/log/dmesg

# debian8 is using this file instead:
less /var/log/kern.log

# suse12 / Centos7: this file is NOT the ring buffer
less /var/log/boot.log

[  OK  ] Started udev Kernel Device Manager.
[  OK  ] Found device Virtual_Disk 3.
         Starting File System Check on /dev/disk/by-uuid/986b9f95-b3a1-441e-92a4-98b7a500166b...
[  OK  ] Found device Virtual_Disk 2.
         Mounting /srv...
         Mounting /tmp...
         Mounting /var/crash...
         Mounting /.snapshots...
         Mounting /boot/grub2/x86_64-efi...
         Mounting /var/cache...
         Mounting /var/tmp...
         Mounting /var/log...
...

manpages: mostly the same – but still a little different 😀 (if you have strange artifacts in Firefox go View -> Text-Encoding -> Unicode)

dmesg.man.centos7.txt

dmesg.man.debian8.txt

dmesg.man.suse12.txt

example files:

dmesg.centos7.txt

dmesg.suse12.txt

dmesg.debian.txt

general

list log files sorted by modification time, so the most recently changed files are at the bottom

ls -rtlh --color=auto /var/log/

the general output log for all 3 distros is:

less /var/log/messages; # Shift+G goes to END of file

example files:

messages.centos7.txt

messages.debian8.txt

messages.suse12.txt

logging logins

there is a binary file on all 3 distros /var/log/lastlog

that can be viewed with

last
user     pts/0        172.20.0.7       Tue May 16 12:20   still logged in
user     console      :0               Tue May 16 12:16   still logged in
user     :0           :0               Tue May 16 12:16   still logged in
reboot   system boot  4.4.21-69-defaul Tue May 16 14:15 - 15:25  (01:09)
root     tty1                          Tue May 16 11:10 - 11:10  (00:00)
user     pts/0        172.20.0.7       Tue May 16 10:09 - 11:10  (01:00)
...

there are additional log files:

# CentOS7
[root@centos ~]# tail -f /var/log/secure
May 16 12:31:46 centos groupadd[2407]: new group: name=vnstat, GID=994
May 16 12:31:46 centos useradd[2412]: new user: name=vnstat, UID=996, GID=994, home=/var/lib/vnstat, shell=/sbin/nologin
May 16 15:20:29 centos sshd[2613]: reverse mapping checking getaddrinfo for pc0032.com-ulm.local [172.20.0.7] failed - POSSIBLE BREAK-IN ATTEMPT!
May 16 15:20:29 centos sshd[2613]: Accepted password for user from 172.20.0.7 port 51737 ssh2
May 16 15:20:29 centos sshd[2613]: pam_unix(sshd:session): session opened for user user by (uid=0)
May 16 15:20:33 centos sshd[2613]: pam_unix(sshd:session): session closed for user user
May 16 15:21:17 centos sshd[2634]: reverse mapping checking getaddrinfo for pc0032.com-ulm.local [172.20.0.7] failed - POSSIBLE BREAK-IN ATTEMPT!
May 16 15:21:17 centos sshd[2634]: Accepted password for user from 172.20.0.7 port 51744 ssh2
May 16 15:21:17 centos sshd[2634]: pam_unix(sshd:session): session opened for user user by (uid=0)
May 16 15:21:18 centos sshd[2634]: pam_unix(sshd:session): session closed for user user

# Debian8
root@debian:~# tail -f /var/log/auth.log
May 16 15:08:51 debian su[3292]: + /dev/pts/0 user:root
May 16 15:08:51 debian su[3292]: pam_unix(su:session): session opened for user root by user(uid=1000)
May 16 15:17:01 debian CRON[3311]: pam_unix(cron:session): session opened for user root by (uid=0)
May 16 15:17:01 debian CRON[3311]: pam_unix(cron:session): session closed for user root
May 16 15:22:38 debian sshd[3346]: reverse mapping checking getaddrinfo for pc0032.com-ulm.local [172.20.0.7] failed - POSSIBLE BREAK-IN ATTEMPT!
May 16 15:22:38 debian sshd[3346]: Accepted password for user from 172.20.0.7 port 51763 ssh2
May 16 15:22:38 debian sshd[3346]: pam_unix(sshd:session): session opened for user user by (uid=0)
May 16 15:22:38 debian systemd-logind[620]: New session 17 of user user.
May 16 15:22:40 debian sshd[3346]: pam_unix(sshd:session): session closed for user user
May 16 15:22:40 debian systemd-logind[620]: Removed session 17.
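
The sshd lines in both files have the same layout, so one awk filter can summarise accepted logins on either distro. This is an added example, not part of the original article: the function names are hypothetical and the sample lines are constructed.

```shell
# added example, not part of the original article; function names are hypothetical

# pick the auth log the article names: CentOS 7 -> secure, Debian 8 -> auth.log
auth_log_path() {
    for f in /var/log/secure /var/log/auth.log; do
        if [ -r "$f" ]; then printf '%s\n' "$f"; return 0; fi
    done
    return 1
}

# constructed sample lines in the same syslog format as the excerpts above
sample_auth_log() {
    cat <<'EOF'
May 16 15:20:29 host sshd[2613]: reverse mapping checking getaddrinfo for pc.example [192.0.2.10] failed - POSSIBLE BREAK-IN ATTEMPT!
May 16 15:20:29 host sshd[2613]: Accepted password for alice from 192.0.2.10 port 51737 ssh2
May 16 15:20:33 host sshd[2613]: pam_unix(sshd:session): session closed for user alice
May 16 15:21:17 host sshd[2634]: Accepted password for alice from 192.0.2.10 port 51744 ssh2
May 16 15:22:01 host sshd[2650]: Accepted publickey for bob from 198.51.100.7 port 40022 ssh2
May 16 15:22:05 host su[3292]: pam_unix(su:session): session opened for user root by alice(uid=1000)
EOF
}

# ssh_login_summary [FILE...]: per (user, source IP, auth method), count
# accepted sshd logins and how many came with the reverse-mapping warning
ssh_login_summary() {
    awk '
    $5 ~ /^sshd\[[0-9]+\]:$/ {
        if ($6 == "reverse" && $7 == "mapping") {
            warned[$5] = 1          # warning and login share the sshd PID
        } else if ($6 == "Accepted" && $8 == "for" && $10 == "from") {
            key = $9 " " $11 " " $7
            logins[key]++
            if ($5 in warned) { rdns[key]++; delete warned[$5] }
        }
    }
    END {
        for (k in logins)
            printf "%s logins=%d rdns_warn=%d\n", k, logins[k], rdns[k]
    }' "$@" | sort
}

# usage on a live system (needs root): ssh_login_summary "$(auth_log_path)"
```

With no file argument the function reads stdin, so `sample_auth_log | ssh_login_summary` shows the output format without touching the real logs.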

logrotate:

the process of checking on log files and moving them into separate files – if they become bigger than the set file-size limit.

config files:

# Debian8
less /etc/logrotate.conf

# Suse12 / Centos7
less /etc/logrotate.d/syslog

you can view the old compressed log files with vim (it decompresses them automatically)

suse:~ # ll /var/log/*.xz
-rw-r----- 1 root root 358920  5. Mai 10:00 /var/log/messages-20170505.xz
-rw-r----- 1 root root 255304 11. Mai 10:15 /var/log/messages-20170511.xz

vim /var/log/messages-20170511.xz; # view compressed old log
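
To search the whole history instead of opening one archive at a time, the rotated copies can be streamed oldest first and piped into grep. This is an added example, not part of the original article: the function names are hypothetical, and it assumes the date-suffixed naming from the listing above (numbered suffixes such as messages.1 are not handled).

```shell
# added example, not part of the original article; function names are hypothetical

# logcat_rotated BASE: print the rotated copies of BASE (oldest first), then
# BASE itself, decompressing by file extension. The YYYYMMDD suffix sorts
# chronologically as plain text, so the shell glob order is already correct.
logcat_rotated() {
    base=$1
    for f in "$base"-[0-9]*; do
        [ -e "$f" ] || continue          # glob matched nothing
        case $f in
            *.xz)  xz -dc -- "$f" ;;
            *.gz)  gzip -dc -- "$f" ;;
            *.bz2) bzip2 -dc -- "$f" ;;
            *)     cat -- "$f" ;;        # rotated but not compressed
        esac
    done
    if [ -r "$base" ]; then cat -- "$base"; fi
}

# loggrep_rotated PATTERN BASE: grep the current log and all its archives
loggrep_rotated() {
    logcat_rotated "$2" | grep -e "$1"
}

# usage (needs root): loggrep_rotated 'Accepted password' /var/log/messages
```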

example files:

syslog.suse12.txt

syslog.centos7.txt

logrotate.conf.debian.txt

manpages:

logrotate.man.debian8.txt

logrotate.man.suse12.txt

off topic:

it seems the time-service of suse12 is adjusting its time every 5 seconds… i wonder if that is really necessary 😀

2017-05-11T12:32:33.431742+02:00 suse systemd[1745]: Time has been changed
2017-05-11T12:32:38.432311+02:00 suse systemd[1745]: Time has been changed
2017-05-11T12:32:38.432541+02:00 suse systemd[1]: Time has been changed
2017-05-11T12:32:43.438919+02:00 suse systemd[1]: Time has been changed
2017-05-11T12:32:43.439282+02:00 suse systemd[1745]: Time has been changed
2017-05-11T12:32:48.438992+02:00 suse systemd[1745]: Time has been changed