this article might be largely incomplete…

kernel ringbuffer boot messages

messages from the kernel during the first stages of boot.

[cc lang="bash" escaped="true" width="600"]

# all distros
dmesg; # show kernel ring buffer boot messages log

# Centos7 only (debian8 has the file but it is empty)
less /var/log/dmesg

# debian8 is using this file instead:
less /var/log/kern.log

# suse12 / Centos7 (this file is NOT the ring buffer)
less /var/log/boot.log

[ OK ] Started udev Kernel Device Manager.
[ OK ] Found device Virtual_Disk 3.
Starting File System Check on /dev/disk/by-uuid/986b9f95-b3a1-441e-92a4-98b7a500166b…
[ OK ] Found device Virtual_Disk 2.
Mounting /srv…
Mounting /tmp…
Mounting /var/crash…
Mounting /.snapshots…
Mounting /boot/grub2/x86_64-efi…
Mounting /var/cache…
Mounting /var/tmp…
Mounting /var/log…

[/cc]

manpages: mostly the same – but still a little different 😀 (if you have strange artifacts in Firefox go View -> Text-Encoding -> Unicode)

dmesg.man.centos7.txt

dmesg.man.debian8.txt

dmesg.man.suse12.txt

example files:

dmesg.centos7.txt

dmesg.suse12.txt

dmesg.debian.txt

general

list log files, sorted so that the most recently changed files are at the bottom

[cc lang="bash" escaped="true" width="600"]
ls -rtlh --color=auto /var/log/
[/cc]

the general output log for all 3 distros is:

[cc lang="bash" escaped="true" width="600"]
less /var/log/messages; # Shift+G goes to END of file
[/cc]

example files:

messages.centos7.txt

messages.debian8.txt

messages.suse12.txt

logging logins

there is a binary file on all 3 distros /var/log/lastlog

that can be viewed with

[cc lang="bash" escaped="true" width="600"]
last
user pts/0 172.20.0.7 Tue May 16 12:20 still logged in
user console :0 Tue May 16 12:16 still logged in
user :0 :0 Tue May 16 12:16 still logged in
reboot system boot 4.4.21-69-defaul Tue May 16 14:15 - 15:25 (01:09)
root tty1 Tue May 16 11:10 - 11:10 (00:00)
user pts/0 172.20.0.7 Tue May 16 10:09 - 11:10 (01:00)

[/cc]

there are additional log files:

[cc lang="bash" escaped="true" width="600"]
# CentOS7
[root@centos ~]# tail -f /var/log/secure
May 16 12:31:46 centos groupadd[2407]: new group: name=vnstat, GID=994
May 16 12:31:46 centos useradd[2412]: new user: name=vnstat, UID=996, GID=994, home=/var/lib/vnstat, shell=/sbin/nologin
May 16 15:20:29 centos sshd[2613]: reverse mapping checking getaddrinfo for pc0032.domainname.local [172.20.0.7] failed - POSSIBLE BREAK-IN ATTEMPT!
May 16 15:20:29 centos sshd[2613]: Accepted password for user from 172.20.0.7 port 51737 ssh2
May 16 15:20:29 centos sshd[2613]: pam_unix(sshd:session): session opened for user user by (uid=0)
May 16 15:20:33 centos sshd[2613]: pam_unix(sshd:session): session closed for user user
May 16 15:21:17 centos sshd[2634]: reverse mapping checking getaddrinfo for pc0032.domainname.local [172.20.0.7] failed - POSSIBLE BREAK-IN ATTEMPT!
May 16 15:21:17 centos sshd[2634]: Accepted password for user from 172.20.0.7 port 51744 ssh2
May 16 15:21:17 centos sshd[2634]: pam_unix(sshd:session): session opened for user user by (uid=0)
May 16 15:21:18 centos sshd[2634]: pam_unix(sshd:session): session closed for user user

# Debian8
root@debian:~# tail -f /var/log/auth.log
May 16 15:08:51 debian su[3292]: + /dev/pts/0 user:root
May 16 15:08:51 debian su[3292]: pam_unix(su:session): session opened for user root by user(uid=1000)
May 16 15:17:01 debian CRON[3311]: pam_unix(cron:session): session opened for user root by (uid=0)
May 16 15:17:01 debian CRON[3311]: pam_unix(cron:session): session closed for user root
May 16 15:22:38 debian sshd[3346]: reverse mapping checking getaddrinfo for pc0032.domainname.local [172.20.0.7] failed - POSSIBLE BREAK-IN ATTEMPT!
May 16 15:22:38 debian sshd[3346]: Accepted password for user from 172.20.0.7 port 51763 ssh2
May 16 15:22:38 debian sshd[3346]: pam_unix(sshd:session): session opened for user user by (uid=0)
May 16 15:22:38 debian systemd-logind[620]: New session 17 of user user.
May 16 15:22:40 debian sshd[3346]: pam_unix(sshd:session): session closed for user user
May 16 15:22:40 debian systemd-logind[620]: Removed session 17.

[/cc]
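
As an added example (not part of the original post): a shell function that condenses the sshd lines of /var/log/secure or /var/log/auth.log into one line per user and source address, counting accepted and failed logins and marking addresses that triggered the reverse-mapping warning. The function names and the sample log are constructed for illustration, and the parsing assumes the traditional syslog timestamp shown in the excerpts above.

```shell
# Added example: per user / source address summary of sshd login events.
# Assumes "Mon DD HH:MM:SS host sshd[pid]: ..." lines (CentOS 7 secure, Debian 8 auth.log).
ssh_login_summary() {
    awk '
    $5 !~ /^sshd\[/ { next }                      # skip su, CRON, systemd-logind ...
    /reverse mapping checking/ {
        for (i = 6; i <= NF; i++)                 # the address is the [bracketed] field
            if ($i ~ /^\[.*\]$/) warn[substr($i, 2, length($i) - 2)] = 1
        next
    }
    $6 == "Accepted" || $6 == "Failed" {
        # Search for "from" starting at the end of the line: the user name is
        # remote input and could itself contain the word "from".
        for (i = NF - 1; i >= 8; i--)
            if ($i == "from") break
        if (i < 8) next
        key = $(i - 1) " " $(i + 1)               # "user address"
        seen[key] = 1
        if ($6 == "Accepted") ok[key]++; else bad[key]++
    }
    END {
        for (k in seen) {
            split(k, p, " ")
            printf "%s accepted=%d failed=%d rdns_warning=%s\n",
                   k, ok[k], bad[k], (p[2] in warn) ? "yes" : "no"
        }
    }' "$@" | LC_ALL=C sort
}

# Constructed sample lines in the format of the excerpts above (not real log data).
sample_auth_log() {
    cat <<'EOF'
May 16 15:20:29 centos sshd[2613]: reverse mapping checking getaddrinfo for pc0032.domainname.local [172.20.0.7] failed - POSSIBLE BREAK-IN ATTEMPT!
May 16 15:20:29 centos sshd[2613]: Accepted password for user from 172.20.0.7 port 51737 ssh2
May 16 15:21:17 centos sshd[2634]: Accepted password for user from 172.20.0.7 port 51744 ssh2
May 16 15:30:02 centos sshd[2701]: Failed password for invalid user admin from 192.0.2.10 port 40022 ssh2
May 16 15:30:05 centos sshd[2701]: Failed password for invalid user admin from 192.0.2.10 port 40022 ssh2
May 16 15:31:00 centos sshd[2710]: Failed password for root from 192.0.2.10 port 40030 ssh2
May 16 15:31:09 centos CRON[2720]: pam_unix(cron:session): session opened for user root by (uid=0)
EOF
}

sample_auth_log | ssh_login_summary
```

On a real system call it with the log file as argument, e.g. `ssh_login_summary /var/log/secure` on CentOS7 or `ssh_login_summary /var/log/auth.log` on Debian8.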

logrotate:

logrotate checks the log files and moves them into separate files if they grow beyond the configured file-size limit.

config files:

[cc lang="bash" escaped="true" width="600"]
# Debian8
less /etc/logrotate.conf

# Suse12 / Centos7
less /etc/logrotate.d/syslog
[/cc]

you can view the old compressed log files with vim (it decompresses them automatically)

[cc lang="bash" escaped="true" width="600"]
suse:~ # ll /var/log/*.xz
-rw-r----- 1 root root 358920 5. Mai 10:00 /var/log/messages-20170505.xz
-rw-r----- 1 root root 255304 11. Mai 10:15 /var/log/messages-20170511.xz

vim /var/log/messages-20170511.xz; # view compressed old log
[/cc]

example files:

syslog.suse12.txt

syslog.centos7.txt

logrotate.conf.debian.txt

manpages:

logrotate.man.debian8.txt

logrotate.man.suse12.txt

off topic:

it seems the time-service of suse12 is adjusting its time every 5 seconds… i wonder if that is really necessary 😀

2017-05-11T12:32:33.431742+02:00 suse systemd[1745]: Time has been changed
2017-05-11T12:32:38.432311+02:00 suse systemd[1745]: Time has been changed
2017-05-11T12:32:38.432541+02:00 suse systemd[1]: Time has been changed
2017-05-11T12:32:43.438919+02:00 suse systemd[1]: Time has been changed
2017-05-11T12:32:43.439282+02:00 suse systemd[1745]: Time has been changed
2017-05-11T12:32:48.438992+02:00 suse systemd[1745]: Time has been changed
