Understanding Ubuntu Logs

Linux, Debian, and Ubuntu are the Kirk, Spock, and McCoy of modern application development. The Captain Kirk, Linux, is the open-source central code for directing and talking to hardware. Debian sits as the trio’s Spock, the original distro that can be seen as more complex to install and use. As a Debian child distro, Ubuntu is the McCoy, helping to heal the challenges that people have when trying to use Debian.

With a focus on being user-friendly, Ubuntu is often the Linux distro that new developers choose. Additionally, since the company that owns it, Canonical, releases security patches and other updates regularly, many organizations use the distro.

Developers and security teams should have an understanding of how to find and use Ubuntu logs so they can debug applications and identify security issues.

What is Ubuntu?

Ubuntu is a Debian-based distribution from Canonical whose founders sought to create an easy-to-use Linux desktop. Initially released in 2004, Ubuntu was the first Linux-based operating system to provide predictable, scheduled releases and updates.

Today, the desktop comes in many Ubuntu Flavors, and Recognized Flavors go through an official review process. Each Flavor uses the same repository for downloading updates, making the same set of packages available.

Additionally, special editions of Ubuntu offer a common infrastructure and software for:

  • Servers
  • OpenStack clouds
  • Connected devices

Developers often choose Ubuntu because it offers the following:

  • Stability and reliability: consistent updates for server and desktop environments
  • Security: regular review and code updates to address identified issues
  • Ease of use and management: default desktop environment and Advanced Package Tool (APT) for easy software installation, updating, and removal
  • Scalability: ability to manage large workloads and process high data volumes for an ideal cloud-computing option
  • Open source: ability to freely view, modify, and distribute source code

What are Ubuntu logs?

Ubuntu logs provide information about activities occurring on and to the system. The Ubuntu logs fall into the following categories based on their storage locations:

  • System logs: information about the Ubuntu system, including authorizations, system daemons, and system messages
  • Application logs: activities related to and generated by specific applications
  • Non-human-readable logs: files designed for applications – not people – to read

The Ubuntu logs typically use plain ASCII text with a standard log file format, stored in the traditional system log subdirectory /var/log.

What is the System Logging Daemon (syslogd)?

Also called sysklogd, the system logging daemon (syslogd) waits for sources to generate log messages and then forwards them to the configured file or network destination. Each message typically carries the log text itself plus metadata such as the system hostname and a timestamp.

When configuring syslogd, keep in mind that each rule in the configuration file has two fields:

  • Selector: the facility to be logged and the priority level
  • Action: the destination the log information is written or sent to
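
To make the selector/action matching concrete, here is an added example (not code from the page or from Ubuntu’s own syslog implementation): a small Python re-implementation of the classic syslog.conf matching rules, so you can see which destination a message with a given facility and priority reaches. The configuration text embedded in it is constructed for this example and follows the shape of Ubuntu’s default rsyslog rules; the `parse_rules` and `route` helpers are this example’s own, not a real API.

```python
"""Route syslog messages the way syslogd's selector/action rules do.

Added example (not from the page): a small re-implementation of the classic
syslog.conf matching logic. SAMPLE_CONF is constructed for this example; its
rules follow the shape of the default Ubuntu rsyslog configuration.
"""
import re

# Syslog severities; a lower number is MORE severe. A selector such as
# "kern.warning" matches warning and everything more severe (err, crit, ...).
PRIORITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}

SAMPLE_CONF = """\
# selector                    action
auth,authpriv.*               /var/log/auth.log
*.*;auth,authpriv.none        -/var/log/syslog
kern.*                        -/var/log/kern.log
daemon.*                      -/var/log/daemon.log
*.=debug;auth,authpriv.none   -/var/log/debug
*.emerg                       :omusrmsg:*
"""


def parse_rules(text):
    """Parse config text into a list of (selectors, action) tuples.

    Each selector is (facilities, comparator, level):
      ">="   this level and anything more severe
      "="    exactly this level
      "none" exclude these facilities from the rule
    A leading "-" on the action (meaning "don't sync after each write")
    is stripped so the action is just the destination.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        selector_field, action = re.split(r"\s+", line, maxsplit=1)
        selectors = []
        for sel in selector_field.split(";"):
            fac_field, level = sel.rsplit(".", 1)
            facilities = set(fac_field.split(","))
            if level == "none":
                selectors.append((facilities, "none", None))
            elif level.startswith("="):
                selectors.append((facilities, "=", PRIORITIES[level[1:]]))
            elif level == "*":
                selectors.append((facilities, ">=", PRIORITIES["debug"]))
            else:
                selectors.append((facilities, ">=", PRIORITIES[level]))
        rules.append((selectors, action.lstrip("-")))
    return rules


def route(rules, facility, level):
    """Return the destinations a message with this facility/level reaches.

    Selectors within one rule are evaluated left to right, and a later
    selector overrides earlier ones for the facilities it names; that is
    how "*.*;auth,authpriv.none" sends everything except auth to syslog.
    """
    severity = PRIORITIES[level]
    destinations = []
    for selectors, action in rules:
        matched = False
        for facilities, comparator, threshold in selectors:
            if facility not in facilities and "*" not in facilities:
                continue
            if comparator == "none":
                matched = False
            elif comparator == "=":
                matched = severity == threshold
            else:
                matched = severity <= threshold
        if matched:
            destinations.append(action)
    return destinations


RULES = parse_rules(SAMPLE_CONF)

if __name__ == "__main__":
    for fac, lvl in [("auth", "info"), ("kern", "warning"), ("daemon", "debug")]:
        print(f"{fac}.{lvl:<8} -> {route(RULES, fac, lvl)}")
```

The point to notice is the `auth,authpriv.none` exclusion: without it, every authentication message would land in /var/log/syslog as well as /var/log/auth.log, which is why the default rules carry it on the catch-all line.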

How to read Ubuntu logs

Ubuntu Desktop ships with a slightly modified version of the GNOME Desktop Environment by default. If your workstation runs Ubuntu with the GNOME desktop installed, you can view logs with the GNOME System Log File Viewer, a user interface with a sidebar that helps you locate the open log files. The Log File Viewer is a menu-based tool that lets system administrators with root access view and monitor system logs.

The Log File Viewer’s simple interface:

  • Displays an open log files list, including their content
  • Monitors changes to open log files by marking them in bold

The GNOME Log File Viewer enables you to:

  • Open logs and expand some logs in the viewing panel
  • Filter log content using regular expressions
  • Search the currently open log to find relevant information
  • Close logs to remove them from the viewing panel

What are some important system logs?

System logs tell you about your Ubuntu system’s functioning. Some key logs include:

  • /var/log/auth.log: Authorization Log tracking authorization mechanisms such as user passwords, Pluggable Authentication Module (PAM) systems, sudo commands, and remote logins via sshd
  • /var/log/daemon.log: information about programs running operations in the background that improve system performance, like the GNOME Display Manager daemon (gdm) or the MySQL database daemon (mysqld)
  • /var/log/debug: messages related to system and application performance
  • /var/log/kern.log: detailed log with messages generated by the Ubuntu Linux kernel that can help with troubleshooting
  • /var/log/syslog: system log with the most information about the system, containing information other logs lack
  • /var/log/dmesg: messages from the kernel ring buffer containing information about the kernel bootup
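
Knowing where /var/log/auth.log lives is only half the job; a security team also needs to pull the interesting events out of it. As an added example (not from the page), the Python script below parses constructed auth.log lines in the shapes sshd, sudo and PAM write on Ubuntu, counts failed passwords per source address, lists accepted logins and sudo commands, and flags any address that crosses a failure threshold. The sample lines, the threshold and the helper names are this example’s own assumptions.

```python
"""Summarise authentication events from /var/log/auth.log lines.

Added example (not from the page). SAMPLE_AUTH_LOG is constructed for this
example; the line shapes follow what sshd, sudo and PAM write on Ubuntu.
"""
import re
from collections import Counter

SAMPLE_AUTH_LOG = """\
Mar  3 10:14:02 web01 sshd[2231]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
Mar  3 10:14:05 web01 sshd[2231]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
Mar  3 10:14:09 web01 sshd[2240]: Failed password for root from 198.51.100.23 port 51030 ssh2
Mar  3 10:14:12 web01 sshd[2251]: Failed password for root from 198.51.100.23 port 51041 ssh2
Mar  3 10:15:30 web01 sshd[2302]: Accepted publickey for alice from 192.0.2.10 port 40212 ssh2: ED25519 SHA256:constructedfingerprint
Mar  3 10:16:01 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Mar  3 10:16:01 web01 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by alice(uid=1000)
Mar  3 10:17:44 web01 sshd[2310]: Failed password for bob from 203.0.113.7 port 33001 ssh2
"""

# Traditional syslog line: "<Mon DD HH:MM:SS> <host> <program>[<pid>]: <message>"
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
ACCEPTED_RE = re.compile(
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")
# sudo's own line: "<user> : TTY=... ; PWD=... ; USER=... ; COMMAND=..."
SUDO_RE = re.compile(r"^\s*(?P<user>\S+) : .*COMMAND=(?P<cmd>.*)$")


def parse_line(line):
    """Split one auth.log line into its header fields, or return None."""
    m = HEADER_RE.match(line)
    return m.groupdict() if m else None


def summarize(text):
    """Group the interesting events: failures per source IP, logins, sudo use."""
    failed = Counter()        # failed passwords per source address
    failed_users = Counter()  # which accounts were tried
    accepted = []             # (user, ip, auth method)
    sudo = []                 # (user, command)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        msg = rec["msg"]
        if rec["prog"] == "sshd":
            m = FAILED_RE.search(msg)
            if m:
                failed[m["ip"]] += 1
                failed_users[m["user"]] += 1
                continue
            m = ACCEPTED_RE.search(msg)
            if m:
                accepted.append((m["user"], m["ip"], m["method"]))
        elif rec["prog"] == "sudo":
            m = SUDO_RE.match(msg)
            if m:
                sudo.append((m["user"], m["cmd"]))
    return {"failed": failed, "failed_users": failed_users,
            "accepted": accepted, "sudo": sudo}


def flag_repeated_failures(summary, threshold=3):
    """Source IPs with at least `threshold` failed passwords, worst first."""
    return [ip for ip, n in summary["failed"].most_common() if n >= threshold]


if __name__ == "__main__":
    s = summarize(SAMPLE_AUTH_LOG)
    print("failures by source:", dict(s["failed"]))
    print("accepted logins:", s["accepted"])
    print("sudo commands:", s["sudo"])
    print("flagged:", flag_repeated_failures(s))
```

A fixed threshold is deliberately simple; in practice you would also look at the time window and at which accounts were tried (the `failed_users` counter), since a burst of attempts against `root` reads differently from one user mistyping a password.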

What are some important application logs?

Your applications generate their own logs, usually written to a subdirectory of /var/log named after the application. Some important logs include:

  • /var/log/apache2/access.log: Ubuntu-specific logs for default Apache2 installations providing records of every page the web server served and every file it loaded
  • /var/log/apache2/error.log: Ubuntu-specific logs for default Apache2 installations providing records of all error conditions that the HTTP server reports
  • /var/log/cups/error_log: default log file for the Common Unix Printing System (CUPS) with informational and error messages
  • /var/log/rkhunter.log: messages that the Rootkit Hunter (rkhunter) utility generates after checking for backdoors, sniffers, and rootkits to look for indicators of compromise (IoCs)
  • /var/log/samba/log.nmbd: network information from Samba Server Message Block Protocol (SMB) server related to Samba’s NETBIOS over IP function
  • /var/log/samba/log.smbd: file and print sharing information from Samba SMB server related to Samba’s SMB/CIFS functionality
  • /var/log/samba/log.[IP_ADDRESS]: messages from the Samba SMB server related to service requests from the listed IP address
  • /var/log/Xorg.0.log: messages from the default X11 Windowing Server to help identify issues with the X11 environment
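
Apache’s access.log is the application log a web-facing Ubuntu host produces most of, so it is worth being able to read it programmatically. The following is an added example, not from the page or from the Apache project: a Python parser for the default "combined" log format that Ubuntu’s apache2 writes, summarising requests, 404s, server errors and user agents per client and flagging clients whose 404 count suggests they are enumerating paths rather than browsing. The sample lines, the threshold and the function names are this example’s own assumptions.

```python
"""Parse Apache combined-format access log lines and summarise per client.

Added example (not from the page). SAMPLE_ACCESS_LOG is constructed; the
format is Apache's default "combined" LogFormat used by Ubuntu's apache2.
"""
import re
from collections import defaultdict

SAMPLE_ACCESS_LOG = """\
192.0.2.10 - - [03/Mar/2024:10:21:07 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.10 - - [03/Mar/2024:10:21:08 +0000] "GET /static/app.css HTTP/1.1" 200 812 "http://www.example.com/index.html" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.9 - - [03/Mar/2024:10:22:01 +0000] "GET /admin/ HTTP/1.1" 404 492 "-" "python-requests/2.31"
203.0.113.9 - - [03/Mar/2024:10:22:02 +0000] "GET /backup.zip HTTP/1.1" 404 492 "-" "python-requests/2.31"
203.0.113.9 - - [03/Mar/2024:10:22:02 +0000] "GET /old/ HTTP/1.1" 404 492 "-" "python-requests/2.31"
203.0.113.9 - - [03/Mar/2024:10:22:03 +0000] "GET /login HTTP/1.1" 302 - "-" "python-requests/2.31"
192.0.2.10 - alice [03/Mar/2024:10:23:40 +0000] "POST /api/upload HTTP/1.1" 500 231 "-" "Mozilla/5.0 (X11; Linux x86_64)"
this line is not in combined format
"""

# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_access_line(line):
    """Return the fields of one combined-format line, or None if it does not fit."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])  # "-" = no body
    return rec


def summarize_clients(text):
    """Per-client counters plus the number of lines the parser had to skip."""
    clients = defaultdict(lambda: {"requests": 0, "not_found": 0,
                                   "server_errors": 0, "bytes": 0, "agents": set()})
    skipped = 0
    for line in text.splitlines():
        rec = parse_access_line(line)
        if rec is None:
            skipped += 1  # worth counting: a malformed line can hide a problem
            continue
        c = clients[rec["ip"]]
        c["requests"] += 1
        c["bytes"] += rec["size"]
        c["agents"].add(rec["agent"])
        if rec["status"] == 404:
            c["not_found"] += 1
        elif rec["status"] >= 500:
            c["server_errors"] += 1
    return dict(clients), skipped


def flag_probing_clients(clients, min_not_found=3):
    """Clients whose 404s reach the threshold: a cheap first signal of path enumeration."""
    return sorted(ip for ip, c in clients.items() if c["not_found"] >= min_not_found)


if __name__ == "__main__":
    clients, skipped = summarize_clients(SAMPLE_ACCESS_LOG)
    for ip, c in clients.items():
        print(f"{ip:<14} req={c['requests']} 404={c['not_found']} "
              f"5xx={c['server_errors']} bytes={c['bytes']} agents={sorted(c['agents'])}")
    print("skipped lines:", skipped)
    print("probing clients:", flag_probing_clients(clients))
```

Server errors (5xx) and 404 bursts answer different questions: the first points you at error.log for the application fault, the second at who is walking your URL space, so keep both counters rather than one combined "errors" figure.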

What are some important non-human-readable logs?

These logs are typically for applications. Some important examples include:

  • /var/log/faillog: information about login failures that are intended to be parsed
  • /var/log/lastlog: information used with the lastlog command but not typically parsed
  • /var/log/wtmp: information that other utilities use, typically combined with other commands
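
To show what "non-human-readable" means in practice, here is an added example (not from the page): a Python decoder for the fixed-size binary records that wtmp and utmp are made of, which is what the `last` and `who` commands read. It packs a few constructed records in memory rather than opening a real /var/log/wtmp, decodes them back, and pairs each login with the record that closed it. The record layout used is glibc’s struct utmp on x86_64 (384 bytes per record); the timestamps, names and addresses are this example’s own constructed values, and the helper names are assumptions.

```python
"""Decode binary wtmp/utmp records (the "non-human-readable" login database).

Added example (not from the page). The record layout is glibc's struct utmp on
x86_64 (384 bytes per record); the records packed below are constructed for
this example rather than read from a real /var/log/wtmp.
"""
import struct
from datetime import datetime, timezone

# struct utmp (glibc, x86_64), little-endian: ut_type, 2 pad bytes, ut_pid,
# ut_line[32], ut_id[4], ut_user[32], ut_host[256], exit_status{2 shorts},
# ut_session, ut_tv{sec, usec}, ut_addr_v6[4], 20 reserved bytes.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384

UT_TYPES = {0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 3: "NEW_TIME", 4: "OLD_TIME",
            5: "INIT_PROCESS", 6: "LOGIN_PROCESS", 7: "USER_PROCESS",
            8: "DEAD_PROCESS", 9: "ACCOUNTING"}
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8


def _cstring(raw):
    """Decode a NUL-padded fixed-width char array."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def pack_record(ut_type, pid, line, user, host, tv_sec):
    """Build one raw record (used here only to construct sample data)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


def iter_records(data):
    """Yield one dict per complete record; a trailing partial record is ignored."""
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        yield {"type": UT_TYPES.get(f[0], str(f[0])), "pid": f[1],
               "line": _cstring(f[2]), "user": _cstring(f[4]),
               "host": _cstring(f[5]), "time": f[9]}


def sessions(data):
    """Pair USER_PROCESS logins with the DEAD_PROCESS record that closes them.

    Returns (user, line, host, login_epoch, logout_epoch_or_None) tuples;
    a None logout means the session was still open at the end of the data,
    which is what `last` prints as "still logged in".
    """
    open_by_line = {}
    result = []
    for rec in iter_records(data):
        if rec["type"] == "USER_PROCESS":
            entry = [rec["user"], rec["line"], rec["host"], rec["time"], None]
            open_by_line[rec["line"]] = entry
            result.append(entry)
        elif rec["type"] == "DEAD_PROCESS" and rec["line"] in open_by_line:
            open_by_line.pop(rec["line"])[4] = rec["time"]
    return [tuple(e) for e in result]


T0 = 1709460000  # constructed epoch timestamp
SAMPLE_WTMP = b"".join([
    pack_record(BOOT_TIME, 0, "~", "reboot", "5.15.0-constructed", T0 - 300),
    pack_record(USER_PROCESS, 1200, "pts/0", "alice", "192.0.2.10", T0),
    pack_record(USER_PROCESS, 1300, "pts/1", "bob", "203.0.113.7", T0 + 60),
    pack_record(DEAD_PROCESS, 1200, "pts/0", "", "", T0 + 600),
])

if __name__ == "__main__":
    for user, line, host, login, logout in sessions(SAMPLE_WTMP):
        start = datetime.fromtimestamp(login, timezone.utc).strftime("%Y-%m-%d %H:%M")
        end = "still logged in" if logout is None else f"{(logout - login) // 60} min"
        print(f"{user:<8} {line:<6} {host:<20} {start}  {end}")
```

Because every record is the same size, a wtmp file that is not a multiple of 384 bytes, or that contains records whose timestamps go backwards, is itself a finding worth investigating: these files are commonly truncated or rewritten to hide activity, which is a good reason to ship them to a central log system rather than trusting the copy on the host.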

Graylog and Ubuntu Logs: Aggregating and Analyzing Logs to Improve Operations and Security

Log shippers such as Filebeat, Auditbeat, and NXLog make it fast and easy to configure shipping logs for aggregation and analytics. Using the Graylog Beats input for Filebeat and Auditbeat, or the Graylog GELF input with NXLog, shipping Linux logs becomes easy. With Graylog Sidecar configuration, you can manage the logging levels for each Ubuntu log shipper, and all of these logging levels and configurations are managed centrally inside Graylog.

With Graylog, you can ingest, parse, normalize, and correlate log events from across your IT environment, including Ubuntu and Windows. Graylog’s security analytics and anomaly detection capabilities enable you to get the cybersecurity platform you need without the complexity that makes your team’s job harder. With our powerful, lightning-fast features and intuitive user interface, you can lower your labor costs while reducing alert fatigue and getting the answers you need – quickly.

Our prebuilt search templates, dashboards, correlated alerts, and dynamic look-up tables enable you to get immediate value from your logs while empowering your security team.
