This information might now have some details that are redundant with information in the “Operating system logs” subsection of the Handling Data section (subsection about operating system logs).
First are descriptions of some various types of logs. (Then is the section about handling where the logs are kept.)
- Popular log types
- Unix log files
The following is based
some observations in OpenBSD, and may apply to other operating systems.
- Files (generalizations)
May be in /var/log/ which generally consists of text files and/or archives (such as text files compressed so they are
*.gz files). There may also be some non-text/binary files.
- A common text format
Many logs will include the name of software, possibly followed by square brackets and a PID within those square brackets, followed immediately by a colon, and then a space, and then a message. The name of the software may commonly be at the beginning of a line, or coming after white space. Other information might exist between the beginning of the line and the white space before the software name. For instance, in OpenBSD, /var/log/messages consists of: Date (year is assumed), Timestamp, system name, name of software/service (often followed by a PID number in brackets), colon, space, and message.
(This format might be named the “syslog” format?
Such entries might often be created using the
command, which may use
to actually write the files.
- Compressed logged files
OpenBSD manual page for
In OpenBSD (and other operating systems?), older log files may be automatically archived. So, in addition to a file with a name like messages, files with names like messages.0.gz and messages.1.gz may also exist. If those files are ending with a
*.gz filespec, then they may be viewed with “
” and, quite often, the alternative(s) of
” may also be available. In each of these cases, the output may be redirected using standard piping. More cumbersome, such older files may be extracted, but note that
may typically delete the file with the original compressed data, unless the
-cparameter is active. (There might also be other ways to extract the file, such as using p7zip's
User actions may be logged in a text file named /var/log/authlog and/or a file named /var/log/secure and/or a binary /var/log/wtmp file. (The system keeps track of who logs in using a /var/run/utmp file, according to OpenBSD manual page for “init”; that may vary among different systems.)
Actions taken by a specific user might be stored in ~/
*file(s) (perhaps in “hidden” files that use filenames of ~/.
*(starting with a period at the beginning of the filename). For further details on these logs, or similar, see: logging user activity.
- Microsoft Windows Platform's Logs
These are some logs that may be commonly used on Microsoft Windows platforms.
- [#wnevtlog]: Windows Event Logs
- See: Windows Event Logs.
- Dr. Watson logs
- Overview of Dr. Watson
- Windows Script Host log file
In versions of Microsoft Windows using a kernel that primarily came from updated versions based on Windows NT, the logs tend to use the operating system's standard logging interface. In Windows 95, Windows 98(SE), and Windows ME, WSH Log files were used.
- Windows update logs
MS KB 902093 refers to
%windir%\Windowsupdate.log and provides some details about interpreting the log. It also refers to setting some REG_DWORDs in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\ to turn “on an extended tracing to the
%systemroot%\Windowsupdate.log file, so that may be able to provide even more detail.
MS KB 818018 lists a few files: C:\Windows\Windows Update.log and C:\Windows\WindowsUpdate.log and "C:\Program Files\WindowsUpdate\V4\Iuhist.xml". (Presumably all of those may vary on some systems, but are the most common paths based on where Windows locations are commonly installed to.)
- Log Handling
- Centralized logging