Managing log files on Linux systems can be incredibly easy or painful. It all depends on what you mean by log management.

If all you mean is making sure that your log files don't eat up all the disk space on your Linux server, the issue is generally quite straightforward. Log files on Linux systems are rotated automatically, and the system keeps only a fixed number of the rotated copies. Even so, glancing over what can easily be a group of 100 files can be overwhelming. In this post, we'll take a look at how log rotation works and at some of the most relevant log files.

Automatic log rotation

Log files rotate frequently. The current log is renamed (usually by appending a number) and a new, empty log file is started in its place. Take the syslog file as an example. This file is something of a catch-all for normal system messages. If you cd over to /var/log and take a look, you'll probably see a series of syslog files like this:

$ ls -l syslog*
-rw-r----- 1 syslog adm 28996 Jul 30 07:40 syslog
-rw-r----- 1 syslog adm 71212 Jul 30 00:00 syslog.1
-rw-r----- 1 syslog adm  5449 Jul 29 00:00 syslog.2.gz
-rw-r----- 1 syslog adm  6152 Jul 28 00:00 syslog.3.gz
-rw-r----- 1 syslog adm  7031 Jul 27 00:00 syslog.4.gz
-rw-r----- 1 syslog adm  5602 Jul 26 00:00 syslog.5.gz
-rw-r----- 1 syslog adm  5995 Jul 25 00:00 syslog.6.gz
-rw-r----- 1 syslog adm 32924 Jul 24 00:00 syslog.7.gz

Note the ownership and mode: these files are readable only by root and by members of the adm group, so the commands later in this post assume you are one or the other.

Rolled over at midnight each night, the older syslog files are kept for a week and then the oldest is deleted. On the next rotation, syslog.7.gz is removed and syslog.6.gz is renamed syslog.7.gz. The remaining files shift up in the same way until syslog becomes syslog.1 and a new syslog file is created. Notice that syslog.1 is not compressed: the rotation config compresses a file one cycle late (logrotate's delaycompress option) so that the daemon can finish writing to the file it still has open. Some syslog files will be larger than others, but in general none will get very large and you'll never see more than eight of them.
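To make the mechanics concrete, the following shell script is an added example, not code from the original post and not logrotate itself. It emulates one cycle of the rename-and-compress chain described above using the Debian/Ubuntu syslog defaults (rotate 7, daily, compress, delaycompress) as assumptions, works in a temporary directory with constructed one-line sample files, and needs only a POSIX shell and gzip.

```shell
#!/bin/sh
# Added example: emulate the daily rotation chain that logrotate applies to
# /var/log/syslog with "rotate 7", "compress" and "delaycompress".
# Illustration only; it is not logrotate and never touches /var/log.

# seed_logs DIR NAME KEEP: create a constructed set of files shaped like the
# syslog listing above: NAME (live), NAME.1 (uncompressed) and
# NAME.2.gz .. NAME.KEEP.gz. Each holds one marker line so you can follow
# where each day's data ends up after a rotation.
seed_logs() {
    dir=$1; name=$2; keep=$3
    printf 'live\n' > "$dir/$name"        # today's log, still open by the daemon
    printf 'day1\n' > "$dir/$name.1"      # yesterday's log, not yet compressed
    n=2
    while [ "$n" -le "$keep" ]; do
        printf 'day%s\n' "$n" | gzip -c > "$dir/$name.$n.gz"
        n=$((n + 1))
    done
}

# rotate_log DIR NAME KEEP: one rotation cycle.
#   1. the copy numbered KEEP falls off the end and is deleted
#   2. every compressed copy moves up one number
#   3. NAME.1 is compressed as it becomes NAME.2 (delaycompress: it was left
#      uncompressed for one cycle so the daemon could finish writing to the
#      descriptor it still had open)
#   4. the live log becomes NAME.1 and an empty NAME is created
rotate_log() {
    dir=$1; name=$2; keep=$3
    rm -f "$dir/$name.$keep.gz" "$dir/$name.$keep"
    n=$((keep - 1))
    while [ "$n" -ge 2 ]; do
        if [ -f "$dir/$name.$n.gz" ]; then
            mv "$dir/$name.$n.gz" "$dir/$name.$((n + 1)).gz"
        fi
        n=$((n - 1))
    done
    if [ -f "$dir/$name.1" ]; then
        gzip -f "$dir/$name.1"                      # -> NAME.1.gz
        mv "$dir/$name.1.gz" "$dir/$name.2.gz"
    fi
    if [ -f "$dir/$name" ]; then
        mv "$dir/$name" "$dir/$name.1"
        : > "$dir/$name"                             # fresh, empty live log
    fi
}

# read_log FILE: print a log's contents whether or not it has been compressed,
# the way zcat or gunzip would for the older copies.
read_log() {
    case $1 in
        *.gz) gzip -dc "$1" ;;
        *)    cat "$1" ;;
    esac
}

# count_logs DIR NAME: how many copies of NAME exist, live one included.
count_logs() {
    set -- "$1/$2"*
    echo $#
}

# Demo: seed eight files, rotate once, show what survived and where day6 went.
demo_dir=$(mktemp -d)
seed_logs "$demo_dir" syslog 7
rotate_log "$demo_dir" syslog 7
ls "$demo_dir"
printf 'syslog.7.gz now holds: %s\n' "$(read_log "$demo_dir/syslog.7.gz")"
rm -rf "$demo_dir"
```

After a single pass there are still exactly eight files: yesterday's marker has moved to syslog.2.gz and been compressed, the old syslog.7.gz is gone for good, and the new syslog is empty. Run rotate_log a second time and the "live" marker is already in syslog.2.gz; seven runs later it is deleted, which is the retention limit the listing above implies.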
Eight files at a day each gives you just over a week to review whatever syslog has collected. The number of files kept for any particular log depends on the log itself. For some, you may have as many as 13. Notice how the older files, both for syslog and dpkg, are gzipped to save space. The thinking here is that you'll be most interested in the recent logs. Older logs can be unzipped with gunzip as needed, or read in place with zcat and zgrep.

# ls -t dpkg*
dpkg.log       dpkg.log.3.gz  dpkg.log.6.gz  dpkg.log.9.gz   dpkg.log.12.gz
dpkg.log.1     dpkg.log.4.gz  dpkg.log.7.gz  dpkg.log.10.gz
dpkg.log.2.gz  dpkg.log.5.gz  dpkg.log.8.gz  dpkg.log.11.gz

Log files can be rotated based on age as well as on size, and the schedules differ from file to file: on Debian-based systems like the one shown here, syslog is rotated daily and dpkg.log monthly, which is why 13 dpkg files cover a year while eight syslog files cover a week. Keep this in mind as you examine your log files; the rotation schedule, not the number in the file name, tells you how far back a file reaches.

Log file rotation can be configured differently if you are so inclined, though the defaults work for most Linux sysadmins. Take a look at /etc/logrotate.conf and the per-package files in /etc/logrotate.d/ for the rotation schedules, and at /etc/rsyslog.conf (and /etc/rsyslog.d/) for which messages land in which file. Running logrotate -d /etc/logrotate.conf as root prints what the current configuration would do without changing anything. One point worth checking with security in mind: once the oldest copy is deleted it is gone from the local system, so if you might need more than a week of syslog (or, commonly, four weeks of auth.log) when looking into an incident, raise the rotate count for those files or have rsyslog forward them to a remote log host.

Making use of your log files

Managing log files should also include using them from time to time. The first step in making use of log files is getting used to what each one can tell you about how your system is working and what problems it might have run into. Reading log files from top to bottom is almost never a good option, but knowing how to pull information from them is of great benefit when you want to get a sense of how well your system is working or need to track down a problem. That presumes you have a general idea of what kind of information is stored in each file.
For example (run from /var/log, as root or as a member of the adm group that owns most of these files):

$ who wtmp | tail -10          show the most recent logins
$ who wtmp | grep shark        show recent logins for a particular user
$ grep "sudo:" auth.log        see who is using sudo
$ tail dmesg                   look at kernel messages
$ tail dpkg.log                see recently installed and updated packages
$ more ufw.log                 see firewall activity (i.e., if you are using ufw)

Some commands that you run will also extract information from your log files. If you want to see, for example, a list of system reboots, you can use a command like this:

$ last reboot
reboot   system boot  5.0.0-20-generic Tue Jul 16 13:19   still running
reboot   system boot  5.0.0-15-generic Sat May 18 17:26 - 15:19 (21+21:52)
reboot   system boot  5.0.0-13-generic Mon Apr 29 10:55 - 15:34 (18+04:39)

last reads /var/log/wtmp, which is rotated as well (see /etc/logrotate.conf), so it only reaches back as far as the current copy. Bear in mind, too, that everything in these files was written by the local system: anyone who gains root on the machine can edit or truncate them, so they are only as trustworthy as the host itself.

Using more advanced log managers

While you can write scripts to make it easier to find interesting information in your log files, you should also be aware that there are some very sophisticated tools available for log file analysis. Some correlate information from multiple sources to get a fuller picture of what's happening on your network. They may provide real-time monitoring as well. Tools such as Solarwinds Log & Event Manager and PRTG Network Monitor (which includes log monitoring) come to mind.

There are also some free tools that can help with analyzing log files. These include:

Logwatch — program to scan system logs for interesting lines
Logcheck — system log analyzer and reporter

I'll provide some insights and help on these tools in upcoming posts.
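Pulling the auth.log commands from the "Making use of your log files" section together into something reusable, here is an added example that is not part of the original post. It assumes the traditional Debian/Ubuntu auth.log layout ("Mon DD HH:MM:SS host program[pid]: message"); the hostname, user names, process IDs and RFC 5737 test addresses in the sample are constructed for the demo. If your system writes RFC 3339 timestamps or a different prefix, the field numbers in the awk filters need adjusting.

```shell
#!/bin/sh
# Added example: pull security-relevant facts out of auth.log with awk instead
# of reading it top to bottom. Illustration only, not from the original post.

# make_sample_auth_log FILE: write constructed auth.log lines in the
# traditional syslog layout used by Debian/Ubuntu. Host, users, PIDs and the
# RFC 5737 documentation addresses are all made up for this demo.
make_sample_auth_log() {
    cat > "$1" <<'EOF'
Jul 30 07:40:01 myhost sudo:    shark : TTY=pts/0 ; PWD=/home/shark ; USER=root ; COMMAND=/usr/bin/apt update
Jul 30 07:40:01 myhost sudo: pam_unix(sudo:session): session opened for user root by shark(uid=0)
Jul 30 07:41:12 myhost sshd[2345]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jul 30 07:41:15 myhost sshd[2345]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jul 30 07:41:19 myhost sshd[2347]: Failed password for root from 203.0.113.7 port 51240 ssh2
Jul 30 07:42:03 myhost sshd[2350]: Failed password for shark from 198.51.100.9 port 40112 ssh2
Jul 30 07:42:30 myhost sshd[2352]: Accepted publickey for shark from 198.51.100.4 port 50022 ssh2
Jul 30 07:45:00 myhost sudo:  mallory : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/mallory ; USER=root ; COMMAND=/bin/bash
Jul 30 07:46:10 myhost sudo:  mallory : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/mallory ; USER=root ; COMMAND=/usr/bin/less /etc/shadow
EOF
}

# sudo_commands FILE: "user: command" for every sudo invocation that ran.
# With the traditional prefix, $5 is the program tag and $6 the invoking user.
# Denied attempts also carry COMMAND=, so they are filtered out explicitly.
sudo_commands() {
    awk '$5 == "sudo:" && /COMMAND=/ && !/incorrect password/ && !/NOT in sudoers/ {
        user = $6                     # grab the user before sub() rewrites $0
        sub(/.*COMMAND=/, "")
        print user ": " $0
    }' "$1"
}

# sudo_denials FILE: "count user" for sudo attempts that were refused,
# most frequent first.
sudo_denials() {
    awk '$5 == "sudo:" && (/incorrect password attempts/ || /NOT in sudoers/) { d[$6]++ }
         END { for (u in d) print d[u], u }' "$1" | sort -rn
}

# failed_ssh_by_ip FILE: "count ip" for failed SSH password attempts, most
# frequent first; the address is the field right after the word "from".
failed_ssh_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
        for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
    }
    END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Demo on the constructed sample.
sample=$(mktemp)
make_sample_auth_log "$sample"
echo "sudo commands run:";        sudo_commands "$sample"
echo "sudo denials:";             sudo_denials "$sample"
echo "failed SSH logins by IP:";  failed_ssh_by_ip "$sample"
rm -f "$sample"
```

On a real system, point the functions at /var/log/auth.log (or pipe zcat of an older auth.log.N.gz into a temporary file) and the same three questions fall out: who actually ran what as root, who tried and was refused, and which addresses are hammering sshd. The plain grep "sudo:" auth.log from the list above returns all of these mixed together, including the pam_unix session lines; splitting them apart is what makes the output actionable.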