Because Unix was designed for use in a time-sharing environment, Unix systems have always maintained log files that recorded who logged into the system and who logged out. Over time, the amount of information in the Unix log files has increased significantly. Today, Unix provides for dramatically expanded logging facilities that record such information as files that are transferred over the network, attempts by users to become the superuser, summary information about all electronic mail messages sent and received, every web page that is downloaded, and much more. In fact, practically any program that engages in periodic or repeating activity, or that runs without user intervention, can record in some log file the fact that it ran.
There are two primary ways that Unix log events can be recorded into a log file:
The event can be written directly into the log file by the program seeking to record the event.
The log event can be transmitted to the Unix syslog facility, which then makes the decision as to whether the event should be recorded and, if so, where.
Logs can be recorded in multiple locations:
The logs can be stored on the computer responsible for the log event. On modern Unix systems, logs are stored in the directory /var/log, and sometimes /var/adm, although other directories can be used by specific programs in specific cases.
The logs can be aggregated and stored on a remote computer. This computer, sometimes called a log server, can be used as a central ...