Sharing notes from my ongoing learning journey — what I build, break and understand along the way.
Understanding System Log Management
How I Discovered the Hidden Power of System Logs
While researching security-related topics, I kept coming across the term “logs.” I didn’t quite understand what made them so important at first. I thought logs were just boring text files the system writes.
But as I explored further, I realized that logs are like a black box for your system — they show what’s happening, who is trying to access it, what failed, who ran what with what permissions… basically everything you need to know.
This post is simply a summary of what I’ve started learning.
What Are Logs and What Are They Used For?
Log files record system events chronologically. They include:
- User logins and logouts
- Failed login attempts
- Server errors
- Application crashes
- Software updates or installs
Where to Find Logs?
In Linux-based systems, logs are typically stored in:
`/var/log/`
Examples:
| Log File | What It Contains |
|---|---|
| `/var/log/auth.log` | Login attempts, sudo usage |
| `/var/log/syslog` | General system messages |
| `/var/log/kern.log` | Kernel-level messages |
| `/var/log/apache2/access.log` | Web access logs |
| `/var/log/faillog` | Failed logins |
Some Key Commands I’m Learning
Although I haven’t tried them all yet, these are on my list:
```bash
# Follow new entries in the auth log as they are written
tail -f /var/log/auth.log

# Show every line that mentions sudo (who ran what as which user)
grep 'sudo' /var/log/auth.log

# Show the journal entries for the SSH service (the unit is called sshd on some distributions)
journalctl -u ssh
```
Log Rotation and Storage
Log files grow over time. The system uses a tool called logrotate to:
- Archive old logs
- Compress them if needed
- Start fresh new files regularly
Config files for this:
```
/etc/logrotate.conf
/etc/logrotate.d/
```
What About Fail2Ban?
I haven’t installed it yet, but it seems awesome. If someone tries the wrong password too many times, it detects the repeated failures and blocks the IP.
This means you don’t even have to check logs manually to stop an attack — it works automatically in the background.
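To make the two ideas above concrete (pulling sudo usage out of auth.log, and counting repeated failed logins per IP the way Fail2Ban does before it bans), here is a small added example of my own, not code from Fail2Ban or from any tool mentioned in this post. The log lines are constructed samples in the classic auth.log format, and the `maxretry` threshold of 5 matches Fail2Ban's default; the example ignores Fail2Ban's time window (`findtime`) to stay short.

```python
import re
from collections import Counter

# Constructed sample lines in /var/log/auth.log (syslog) format.
SAMPLE_AUTH_LOG = """\
Jun 12 10:01:02 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jun 12 10:01:04 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Jun 12 10:01:07 host sshd[1203]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jun 12 10:01:09 host sshd[1205]: Failed password for root from 203.0.113.5 port 51244 ssh2
Jun 12 10:01:11 host sshd[1207]: Failed password for root from 203.0.113.5 port 51250 ssh2
Jun 12 10:02:30 host sshd[1210]: Failed password for alice from 198.51.100.7 port 40022 ssh2
Jun 12 10:02:41 host sshd[1210]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
Jun 12 10:03:00 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Jun 12 10:05:15 host sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow
"""

# sshd writes "Failed password for [invalid user] <name> from <ip> port <n> ssh2"
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
# sudo writes "<user> : TTY=... ; PWD=... ; USER=<target> ; COMMAND=<cmd>"
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")


def failed_logins_by_ip(log_text):
    """Count 'Failed password' events per source IP (what grep | sort | uniq -c would give)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def offenders(log_text, maxretry=5):
    """IPs with at least `maxretry` failures: the rule Fail2Ban's sshd jail applies before banning
    (Fail2Ban also requires the failures to fall inside findtime; this example ignores the time window)."""
    return sorted(ip for ip, n in failed_logins_by_ip(log_text).items() if n >= maxretry)


def sudo_commands(log_text):
    """(user, target_user, command) for every sudo invocation: who ran what with what permission."""
    matches = (SUDO_RE.search(line) for line in log_text.splitlines())
    return [(m.group("user"), m.group("target"), m.group("cmd").strip()) for m in matches if m]


if __name__ == "__main__":
    for ip, n in failed_logins_by_ip(SAMPLE_AUTH_LOG).most_common():
        print(f"{n:3d} failed logins from {ip}")
    print("would be banned:", offenders(SAMPLE_AUTH_LOG))
    for user, target, cmd in sudo_commands(SAMPLE_AUTH_LOG):
        print(f"sudo: {user} ran as {target}: {cmd}")
```

Swap `SAMPLE_AUTH_LOG` for the contents of a real `/var/log/auth.log` to run the same checks on your own machine.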
There’s Even More to It…
There are advanced tools for centralized log collection:
- rsyslog: Send logs to another server
- Graylog: Visualize logs, get alerts
- ELK Stack: For large-scale systems, advanced analysis
I haven’t tried them yet, but I’m learning how they work and hope to use them one day.
What I Learned
No matter how secure your system is, if you can’t see what’s going on behind the scenes, you’re blind.
Logs are not just for looking back — they help you see forward, to predict and detect threats early.
This post isn’t written as an expert guide — I’m learning all of this myself. But I wanted to document and share it.