Traditionally, Linux places most of its log files in /var/log. rsyslog is the logging service that routes log messages into files under /var/log. A modern alternative is journalctl, which reads logs from systemd-journald.
Inside /var/log/ we can find files like syslog, auth.log, and dmesg.[1]
journalctl
journalctl is the primary command-line tool for viewing logs stored by the systemd journal, which is an alternative to the plain-text logs in /var/log/. Rather than spreading logs across multiple files, the unified interface lets us do things like view all logs since boot with journalctl -b, or inspect a specific service's logs with journalctl -u <service>.
auditd
auditd is a daemon that can be enabled in Linux to audit access to and modifications of the system. It can be enabled with systemctl, and its rules are defined in /etc/audit/rules.d/.
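As an added example (not code from the page), the Python below parses a constructed sample of the records auditd writes to its default log, /var/log/audit/audit.log, and joins the SYSCALL, CWD and PATH records of each event so that a hit on a watch rule reads as "which user ran which program against which file, and did it succeed". The watch rules, the watched paths and the sample records are assumptions made for the example, not content from the page.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/audit/audit.log records (not real data). One event is a
# SYSCALL record plus CWD/PATH records sharing the same msg=audit(timestamp:serial) id.
# Assumed rules in /etc/audit/rules.d/ that would produce them (example, not from the page):
#   -w /etc/passwd -p wa -k identity
#   -w /etc/shadow -p wa -k identity
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:2001): arch=c000003e syscall=257 success=yes exit=3 ppid=1400 pid=1422 auid=1000 uid=0 gid=0 euid=0 comm="vim" exe="/usr/bin/vim" key="identity"
type=CWD msg=audit(1700000000.101:2001): cwd="/root"
type=PATH msg=audit(1700000000.101:2001): item=0 name="/etc/passwd" inode=1234 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.250:2002): arch=c000003e syscall=257 success=no exit=-13 ppid=1500 pid=1533 auid=1001 uid=1001 gid=1001 euid=1001 comm="vi" exe="/usr/bin/vi" key="identity"
type=PATH msg=audit(1700000000.250:2002): item=0 name="/etc/shadow" inode=1235 mode=0100640 ouid=0 ogid=42 nametype=NORMAL
"""

TOKEN_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')         # key=value, value quoted or bare
EVENT_RE = re.compile(r'msg=audit\(\d+\.\d+:(\d+)\):')  # the serial number identifies the event

def parse_record(line):
    """Return (event_id, fields) for one audit.log line; raises on non-audit input."""
    m = EVENT_RE.search(line)
    if not m:
        raise ValueError("not an audit record: %r" % line)
    return m.group(1), {k: v.strip('"') for k, v in TOKEN_RE.findall(line)}

def group_events(text):
    """Merge records sharing an event id. The first record seen (the SYSCALL) wins for
    duplicated keys such as type/msg; PATH and CWD records contribute name/cwd."""
    events = defaultdict(dict)
    for line in filter(str.strip, text.splitlines()):
        event_id, fields = parse_record(line)
        for k, v in fields.items():
            events[event_id].setdefault(k, v)
    return events

def summarize(text):
    """One row per event: real actor (auid survives sudo/su), program, file, outcome, rule key."""
    rows = []
    for event_id, ev in sorted(group_events(text).items()):
        rows.append({
            "event": event_id,
            "auid": ev.get("auid"),
            "uid": ev.get("uid"),
            "exe": ev.get("exe"),
            "file": ev.get("name"),
            "success": ev.get("success") == "yes",
            "key": ev.get("key"),
        })
    return rows
```

The auid field is the login uid, so an edit made through sudo still points back to the person who logged in, which is what makes the identity key worth alerting on.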
Footnotes
1. Note that this is slowly going away in systems with systemd, which prefer the systemd journal and the journalctl access mode.