Home/Tools/Security/Log Pattern Library

Log Pattern Library

A curated, browsable library of common application log file locations and the error patterns sysadmins monitor for — nginx, Apache, MySQL, PostgreSQL, Redis, MongoDB, sshd, Docker, systemd, PHP-FPM, Node.js, HAProxy, Postfix, fail2ban and cron. Each pattern includes a validated regex, an example matching line, and a ready-to-paste Alert24 agent config.

100% Private - Runs Entirely in Your Browser

No data is sent to any server. All processing happens locally on your device.

61 curated patterns across 16 applications. Every regex is validated to match the example line shown. Generated configs use Alert24’s file log-search schema.

nginx

Web servers

Access & error logs for the nginx web server / reverse proxy.

Default log locations

What	Debian / Ubuntu	RHEL / CentOS
Access log	/var/log/nginx/access.log	(same)
Error log	/var/log/nginx/error.log	(same)

Log format example

192.0.2.10 - - [01/Jun/2026:10:15:42 +0000] "GET /api/orders HTTP/1.1" 502 166 "-" "curl/8.4.0"

2026/06/01 10:15:42 [error] 2913#2913: *5 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 192.0.2.10, server: example.com, request: "GET /api/orders HTTP/1.1", upstream: "http://127.0.0.1:8080/api/orders", host: "example.com"

Connection refused by upstream

Critical

Upstream is down — connect() failed / connection refused.

Regex pattern

connect\(\) failed \(111: Connection refused\)

Example matching line

2026/06/01 10:17:03 [error] 2913#2913: *9 connect() failed (111: Connection refused) while connecting to upstream, client: 192.0.2.10, server: example.com, upstream: "http://127.0.0.1:8080/"

Alert24 agent config(/var/log/nginx/error.log)

{
  "name": "nginx_conn_refused",
  "source": "file",
  "path": "/var/log/nginx/error.log",
  "pattern": "connect\\(\\) failed \\(111: Connection refused\\)",
  "pattern_type": "regex"
}

Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.

5xx server errors (access log)

High

Any 5xx response status — backend failures, gateway errors, overload.

Regex pattern

" 5\d{2}

Example matching line

192.0.2.10 - - [01/Jun/2026:10:15:42 +0000] "GET /api/orders HTTP/1.1" 502 166 "-" "curl/8.4.0"

Alert24 agent config(/var/log/nginx/access.log)

{
  "name": "nginx_5xx",
  "source": "file",
  "path": "/var/log/nginx/access.log",
  "pattern": "\" 5\\d{2} ",
  "pattern_type": "regex"
}

Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.

Upstream timed out

High

Backend/upstream did not respond in time — slow or dead app server.

Regex pattern

upstream timed out

Example matching line

2026/06/01 10:15:42 [error] 2913#2913: *5 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 192.0.2.10, server: example.com

Alert24 agent config(/var/log/nginx/error.log)

{
  "name": "nginx_upstream_timeout",
  "source": "file",
  "path": "/var/log/nginx/error.log",
  "pattern": "upstream timed out",
  "pattern_type": "regex"
}

Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.

Worker connections exhausted

High

nginx is out of worker connections — raise worker_connections.

Regex pattern

worker_connections are not enough

Example matching line

2026/06/01 10:18:20 [alert] 2913#2913: 1024 worker_connections are not enough while connecting to upstream

Alert24 agent config(/var/log/nginx/error.log)

{
  "name": "nginx_worker_limit",
  "source": "file",
  "path": "/var/log/nginx/error.log",
  "pattern": "worker_connections are not enough",
  "pattern_type": "regex"
}

Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.

4xx client errors (access log)

Warning

4xx responses — broken links, auth failures, probing/scanning.

Regex pattern

" 4\d{2}

Example matching line

198.51.100.7 - - [01/Jun/2026:10:16:01 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"

Alert24 agent config(/var/log/nginx/access.log)

{
  "name": "nginx_4xx",
  "source": "file",
  "path": "/var/log/nginx/access.log",
  "pattern": "\" 4\\d{2} ",
  "pattern_type": "regex"
}

Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.

Apache httpd

Web servers

Access & error logs for the Apache HTTP Server.

Default log locations

What	Debian / Ubuntu	RHEL / CentOS
Access log	/var/log/apache2/access.log	/var/log/httpd/access_log
Error log	/var/log/apache2/error.log	/var/log/httpd/error_log

Log format example

192.0.2.10 - - [01/Jun/2026:10:15:42 +0000] "GET /index.html HTTP/1.1" 500 4523 "-" "Mozilla/5.0"

[Mon Jun 01 10:15:42.123456 2026] [proxy:error] [pid 2913:tid 140] (111)Connection refused: AH00957: HTTP: attempt to connect to 127.0.0.1:8080 (localhost) failed

Child segfault / exit signal

Critical

A worker process crashed (segmentation fault) — often a buggy module.

Regex pattern

exit signal Segmentation fault

Example matching line

[Mon Jun 01 10:20:11.000000 2026] [core:notice] [pid 1:tid 0] AH00052: child pid 4012 exit signal Segmentation fault (11)

Alert24 agent config(/var/log/apache2/error.log)

{
  "name": "apache_segfault",
  "source": "file",
  "path": "/var/log/apache2/error.log",
  "pattern": "exit signal Segmentation fault",
  "pattern_type": "regex"
}

Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.

Proxy connection refused

Critical

Backend behind mod_proxy is unreachable.

Regex pattern

AH00957: \w+: attempt to connect to .* failed

Example matching line

[Mon Jun 01 10:15:42.123456 2026] [proxy:error] [pid 2913:tid 140] (111)Connection refused: AH00957: HTTP: attempt to connect to 127.0.0.1:8080 (localhost) failed

Alert24 agent config(/var/log/apache2/error.log)

{
  "name": "apache_proxy_refused",
  "source": "file",
  "path": "/var/log/apache2/error.log",
  "pattern": "AH00957: \\w+: attempt to connect to .* failed",
  "pattern_type": "regex"
}

Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.

5xx server errors (access log)

High

Any 5xx response — application or proxy failures.

Regex pattern

" 5\d{2}

Example matching line

192.0.2.10 - - [01/Jun/2026:10:15:42 +0000] "GET /index.html HTTP/1.1" 500 4523 "-" "Mozilla/5.0"

Alert24 agent config(/var/log/apache2/access.log)

{
  "name": "apache_5xx",
  "source": "file",
  "path": "/var/log/apache2/access.log",
  "pattern": "\" 5\\d{2} ",
  "pattern_type": "regex"
}

Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.

MaxRequestWorkers reached

High

Apache hit its worker ceiling — requests are queuing, raise the limit.

Regex pattern

reached MaxRequestWorkers setting

Example matching line

[Mon Jun 01 10:21:00.000000 2026] [mpm_event:error] [pid 2913:tid 140] AH00484: server reached MaxRequestWorkers setting, consider raising the MaxRequestWorkers setting

Alert24 agent config(/var/log/apache2/error.log)

{
  "name": "apache_maxclients",
  "source": "file",
  "path": "/var/log/apache2/error.log",
  "pattern": "reached MaxRequestWorkers setting",
  "pattern_type": "regex"
}

Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.

MySQL / MariaDB

Databases

Error log and slow query log for MySQL and MariaDB servers.

Default log locations

What	Debian / Ubuntu	RHEL / CentOS
Error log	/var/log/mysql/error.log	/var/log/mysqld.log
Slow query log	/var/log/mysql/mysql-slow.log	/var/log/mysql-slow.log

Log format example

2026-06-01T10:15:42.123456Z 8 [ERROR] [MY-010914] [Server] Got an error reading communication packets

2026-06-01T10:15:42.123456Z 0 [Warning] [MY-010055] Too many connections

# Query_time: 12.840000  Lock_time: 0.000100 Rows_sent: 1  Rows_examined: 4821990

Too many connections

Critical

Connection limit reached — clients are being rejected. Raise max_connections or fix a leak.

Regex pattern

Too many connections

Example matching line

2026-06-01T10:15:42.123456Z 0 [Warning] [MY-010055] Too many connections

Alert24 agent config(/var/log/mysql/error.log)

{
  "name": "mysql_too_many_conns",
  "source": "file",
  "path": "/var/log/mysql/error.log",
  "pattern": "Too many connections",
  "pattern_type": "regex"
}

Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.

Crash recovery / InnoDB error

Critical

InnoDB encountered an error or is recovering after an unclean shutdown.

Regex pattern

\[ERROR\].*InnoDB

Example matching line

2026-06-01T10:18:00.000000Z 0 [ERROR] [MY-012560] InnoDB: The log sequence number is in the future!

Alert24 agent config(/var/log/mysql/error.log)

{
  "name": "mysql_crash_recovery",
  "source": "file",
  "path": "/var/log/mysql/error.log",
  "pattern": "\\[ERROR\\].*InnoDB",
  "pattern_type": "regex"
}

Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.

Deadlock detected

High

InnoDB rolled back a transaction to break a deadlock.

Regex pattern

Deadlock found when trying to get lock

Example matching line

2026-06-01T10:16:10.000000Z 12 [Warning] [MY-013360] InnoDB: Deadlock found when trying to get lock; try restarting transaction

Alert24 agent config(/var/log/mysql/error.log)

{
  "name": "mysql_deadlock",
  "source": "file",
  "path": "/var/log/mysql/error.log",
  "pattern": "Deadlock found when trying to get lock",
  "pattern_type": "regex"
}

Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.

Aborted connection

Warning

Clients disconnecting mid-query — network issues, timeouts, or crashing app workers.

Regex pattern

Aborted connection \d+ to db

Example matching line

2026-06-01T10:17:01.000000Z 33 [Note] [MY-010914] [Server] Aborted connection 33 to db: 'app' user: 'app' host: '10.0.0.5' (Got timeout reading communication packets)

Alert24 agent config(/var/log/mysql/error.log)

{
  "name": "mysql_aborted_connection",
  "source": "file",
  "path": "/var/log/mysql/error.log",
  "pattern": "Aborted connection \\d+ to db",
  "pattern_type": "regex"
}

Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.

Slow query over 10s

Warning

Slow-log entries whose Query_time exceeds 10 seconds.

Regex pattern

# Query_time: (?:[1-9]\d|\d{2,})\.

Example matching line

# Query_time: 12.840000  Lock_time: 0.000100 Rows_sent: 1  Rows_examined: 4821990

Alert24 agent config(/var/log/mysql/mysql-slow.log)

{
  "name": "mysql_slow_query",
  "source": "file",
  "path": "/var/log/mysql/mysql-slow.log",
  "pattern": "# Query_time: (?:[1-9]\\d|\\d{2,})\\.",
  "pattern_type": "regex"
}

Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.

PostgreSQL

Databases

Server log for PostgreSQL (stderr / logging collector).

Default log locations

What	Debian / Ubuntu	RHEL / CentOS
Log directory	/var/log/postgresql/postgresql-*.log	/var/lib/pgsql/data/log/postgresql-*.log

Log format example

2026-06-01 10:15:42.123 UTC [2913] FATAL:  password authentication failed for user "app"

2026-06-01 10:16:10.000 UTC [3001] ERROR:  deadlock detected

2026-06-01 10:17:00.000 UTC [3050] LOG:  duration: 8421.337 ms  statement: SELECT * FROM orders

Too many clients

Critical

Connection slots exhausted — raise max_connections or add a pooler (PgBouncer).

Regex pattern

too many clients already

Example matching line

2026-06-01 10:16:30.000 UTC [3010] FATAL:  sorry, too many clients already

Alert24 agent config(/var/log/postgresql/postgresql-*.log)

{
  "name": "postgres_too_many_clients",
  "source": "file",
  "path": "/var/log/postgresql/postgresql-*.log",
  "pattern": "too many clients already",
  "pattern_type": "regex"
}

Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.

FATAL messages

High

Connection/auth failures, too many clients, recovery aborts — anything PostgreSQL logs as FATAL.

Regex pattern

\bFATAL:

Example matching line

2026-06-01 10:15:42.123 UTC [2913] FATAL:  password authentication failed for user "app"

Alert24 agent config(/var/log/postgresql/postgresql-*.log)

{
  "name": "postgres_fatal",
  "source": "file",
  "path": "/var/log/postgresql/postgresql-*.log",
  "pattern": "\\bFATAL:",
  "pattern_type": "regex"
}

Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.

Deadlock detected

High

A transaction was aborted to resolve a deadlock.

Regex pattern

deadlock detected

Example matching line

2026-06-01 10:16:10.000 UTC [3001] ERROR:  deadlock detected

Alert24 agent config(/var/log/postgresql/postgresql-*.log)

{
  "name": "postgres_deadlock",
  "source": "file",
  "path": "/var/log/postgresql/postgresql-*.log",
  "pattern": "deadlock detected",
  "pattern_type": "regex"
}

Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.

Slow statement (duration)

Warning

Statements logged by log_min_duration_statement taking over 1 second.

Regex pattern

duration: \d{4,}\.\d+ ms

Example matching line

2026-06-01 10:17:00.000 UTC [3050] LOG:  duration: 8421.337 ms  statement: SELECT * FROM orders

Alert24 agent config(/var/log/postgresql/postgresql-*.log)

{
  "name": "postgres_slow_statement",
  "source": "file",
  "path": "/var/log/postgresql/postgresql-*.log",
  "pattern": "duration: \\d{4,}\\.\\d+ ms",
  "pattern_type": "regex"
}

Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.

Checkpoints occurring too frequently

Warning

WAL checkpoints firing too often — increase max_wal_size to reduce I/O.

Regex pattern

checkpoints are occurring too frequently

Example matching line

2026-06-01 10:18:00.000 UTC [2900] LOG:  checkpoints are occurring too frequently (9 seconds apart)

Alert24 agent config(/var/log/postgresql/postgresql-*.log)

{
  "name": "postgres_checkpoint_frequent",
  "source": "file",
  "path": "/var/log/postgresql/postgresql-*.log",
  "pattern": "checkpoints are occurring too frequently",
  "pattern_type": "regex"
}

Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.

Redis

Caching & queues

Server log for the Redis in-memory data store.

Default log locations

What	Debian / Ubuntu	RHEL / CentOS
Server log	/var/log/redis/redis-server.log	/var/log/redis/redis.log

Log format example

2913:M 01 Jun 2026 10:15:42.123 # MISCONF Redis is configured to save RDB snapshots, but it is currently not able to persist on disk.

2913:M 01 Jun 2026 10:16:10.000 * Background saving terminated with success

MISCONF persistence error

Critical

Redis cannot persist to disk and is rejecting writes — full disk or broken RDB/AOF.

Regex pattern

MISCONF

Example matching line

2913:M 01 Jun 2026 10:15:42.123 # MISCONF Redis is configured to save RDB snapshots, but it is currently not able to persist on disk.

Alert24 agent config(/var/log/redis/redis-server.log)

{
  "name": "redis_misconf",
  "source": "file",
  "path": "/var/log/redis/redis-server.log",
  "pattern": "MISCONF",
  "pattern_type": "regex"
}

Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.

OOM command rejected

Critical

Writes rejected because maxmemory was hit with no eviction policy.

Regex pattern

OOM command not allowed

Example matching line

2913:M 01 Jun 2026 10:18:00.000 # OOM command not allowed when used memory > 'maxmemory'.

Alert24 agent config(/var/log/redis/redis-server.log)

{
  "name": "redis_oom",
  "source": "file",
  "path": "/var/log/redis/redis-server.log",
  "pattern": "OOM command not allowed",
  "pattern_type": "regex"
}

Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.

Background save failed

High

A background RDB save (fork) failed — out of memory or disk.

Regex pattern

Background saving error

Example matching line

2913:M 01 Jun 2026 10:17:00.000 # Background saving error

Alert24 agent config(/var/log/redis/redis-server.log)

{
  "name": "redis_bgsave_failed",
  "source": "file",
  "path": "/var/log/redis/redis-server.log",
  "pattern": "Background saving error",
  "pattern_type": "regex"
}

Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.

Memory overcommit warning

Warning

vm.overcommit_memory not set to 1 — background saves and replication may fail under load.

Regex pattern

overcommit_memory is set to 0

Example matching line

2913:M 01 Jun 2026 10:14:00.000 # WARNING overcommit_memory is set to 0! Background save may fail under low memory condition.

Alert24 agent config(/var/log/redis/redis-server.log)

{
  "name": "redis_overcommit",
  "source": "file",
  "path": "/var/log/redis/redis-server.log",
  "pattern": "overcommit_memory is set to 0",
  "pattern_type": "regex"
}

Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.

MongoDB

Databases

Structured JSON log (mongod) for MongoDB 4.4+.

Default log locations

What	Debian / Ubuntu	RHEL / CentOS
Server log	/var/log/mongodb/mongod.log	(same)

Log format example

{"t":{"$date":"2026-06-01T10:15:42.123+00:00"},"s":"E","c":"NETWORK","id":22942,"ctx":"conn5","msg":"Error receiving request from client. Ending connection from remote","attr":{"error":{"code":141}}}

{"t":{"$date":"2026-06-01T10:17:00.000+00:00"},"s":"I","c":"COMMAND","ctx":"conn9","msg":"Slow query","attr":{"durationMillis":4210}}

WiredTiger storage error

Critical

Storage-engine errors — disk problems or corruption.

Regex pattern

"c":"STORAGE".*"s":"E"

Example matching line

{"t":{"$date":"2026-06-01T10:19:00.000+00:00"},"c":"STORAGE","s":"E","ctx":"conn1","msg":"WiredTiger error","attr":{"error":-31802}}

Alert24 agent config(/var/log/mongodb/mongod.log)

{
  "name": "mongodb_wt_error",
  "source": "file",
  "path": "/var/log/mongodb/mongod.log",
  "pattern": "\"c\":\"STORAGE\".*\"s\":\"E\"",
  "pattern_type": "regex"
}

Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.

Error / Fatal severity

High

Log entries with severity "E" (error) or "F" (fatal).

Regex pattern

"s":"[EF]"

Example matching line

{"t":{"$date":"2026-06-01T10:15:42.123+00:00"},"s":"E","c":"NETWORK","id":22942,"ctx":"conn5","msg":"Error receiving request from client. Ending connection from remote"}

Alert24 agent config(/var/log/mongodb/mongod.log)

{
  "name": "mongodb_severe",
  "source": "file",
  "path": "/var/log/mongodb/mongod.log",
  "pattern": "\"s\":\"[EF]\"",
  "pattern_type": "regex"
}

Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.

Replica set election

High

A new primary is being elected — replica set instability or failover.

Regex pattern

"msg":"Starting an election

Example matching line

{"t":{"$date":"2026-06-01T10:18:00.000+00:00"},"s":"I","c":"ELECTION","ctx":"conn1","msg":"Starting an election, since we have not seen a primary"}

Alert24 agent config(/var/log/mongodb/mongod.log)

{
  "name": "mongodb_election",
  "source": "file",
  "path": "/var/log/mongodb/mongod.log",
  "pattern": "\"msg\":\"Starting an election",
  "pattern_type": "regex"
}

Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.

Slow query

Warning

Operations exceeding the slow-op threshold (default 100ms).

Regex pattern

"msg":"Slow query"

Example matching line

{"t":{"$date":"2026-06-01T10:17:00.000+00:00"},"s":"I","c":"COMMAND","ctx":"conn9","msg":"Slow query","attr":{"durationMillis":4210}}

Alert24 agent config(/var/log/mongodb/mongod.log)

{
  "name": "mongodb_slow_query",
  "source": "file",
  "path": "/var/log/mongodb/mongod.log",
  "pattern": "\"msg\":\"Slow query\"",
  "pattern_type": "regex"
}

Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.

sshd / auth.log

System & auth

SSH daemon authentication events (PAM / auth facility).

Default log locations

What	Debian / Ubuntu	RHEL / CentOS
Auth log	/var/log/auth.log	/var/log/secure

Log format example

Jun  1 10:15:42 web-01 sshd[2913]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2

Jun  1 10:16:10 web-01 sshd[2914]: Accepted publickey for deploy from 10.0.0.5 port 51044 ssh2: RSA SHA256:abc123

Failed password

High

Failed SSH password attempts — brute-force probing if frequent.

Regex pattern

Failed password for

Example matching line

Jun  1 10:15:42 web-01 sshd[2913]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2

Alert24 agent config(/var/log/auth.log)

{
  "name": "sshd_failed_password",
  "source": "file",
  "path": "/var/log/auth.log",
  "pattern": "Failed password for",
  "pattern_type": "regex"
}

Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.

Root login attempt

High

Any authentication targeting the root account directly.

Regex pattern

(?:Failed|Accepted) \S+ for root from

Example matching line

Jun  1 10:17:00 web-01 sshd[2915]: Failed password for root from 198.51.100.7 port 51066 ssh2

Alert24 agent config(/var/log/auth.log)

{
  "name": "sshd_root_login",
  "source": "file",
  "path": "/var/log/auth.log",
  "pattern": "(?:Failed|Accepted) \\S+ for root from",
  "pattern_type": "regex"
}

Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.

Invalid user

Warning

Regex pattern

Invalid user \S+ from

Example matching line

Jun  1 10:15:41 web-01 sshd[2913]: Invalid user admin from 198.51.100.7 port 51022

Alert24 agent config(/var/log/auth.log)

{
  "name": "sshd_invalid_user",
  "source": "file",
  "path": "/var/log/auth.log",
  "pattern": "Invalid user \\S+ from",
  "pattern_type": "regex"
}

Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.

Accepted login

Info

Successful SSH logins (publickey or password) — track who got in.

Regex pattern

Accepted (?:publickey|password) for

Example matching line

Jun  1 10:16:10 web-01 sshd[2914]: Accepted publickey for deploy from 10.0.0.5 port 51044 ssh2: RSA SHA256:abc123

Alert24 agent config(/var/log/auth.log)

{
  "name": "sshd_accepted",
  "source": "file",
  "path": "/var/log/auth.log",
  "pattern": "Accepted (?:publickey|password) for",
  "pattern_type": "regex"
}

Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.

syslog / kernel (OOM)

System & auth

System log — kernel messages, OOM killer, and service crashes.

Default log locations

What	Debian / Ubuntu	RHEL / CentOS
System log	/var/log/syslog	/var/log/messages
Kernel log	/var/log/kern.log	/var/log/messages

Log format example

Jun  1 10:15:42 web-01 kernel: [12345.678901] Out of memory: Killed process 4012 (mysqld) total-vm:8400000kB

Jun  1 10:16:10 web-01 systemd[1]: nginx.service: Main process exited, code=killed, status=9/KILL

OOM killer invoked

Critical

The kernel killed a process to reclaim memory — server is out of RAM.

Regex pattern

Out of memory: Killed process

Example matching line

Jun  1 10:15:42 web-01 kernel: [12345.678901] Out of memory: Killed process 4012 (mysqld) total-vm:8400000kB

Alert24 agent config(/var/log/syslog)

{
  "name": "oom_killer",
  "source": "file",
  "path": "/var/log/syslog",
  "pattern": "Out of memory: Killed process",
  "pattern_type": "regex"
}

Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.

Disk / I/O error

Critical

Block-layer I/O errors — failing or saturated storage.

Regex pattern

I/O error.*dev \w+

Example matching line

Jun  1 10:18:00 web-01 kernel: [12400.000000] blk_update_request: I/O error, dev sda, sector 123456789

Alert24 agent config(/var/log/kern.log)

{
  "name": "kernel_io_error",
  "source": "file",
  "path": "/var/log/kern.log",
  "pattern": "I/O error.*dev \\w+",
  "pattern_type": "regex"
}

Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.

oom-killer triggered

High

A process invoked the OOM killer — memory pressure event.

Regex pattern

invoked oom-killer

Example matching line

Jun  1 10:15:41 web-01 kernel: [12345.600000] nginx invoked oom-killer: gfp_mask=0x100cca, order=0, oom_score_adj=0

Alert24 agent config(/var/log/syslog)

{
  "name": "oom_invoked",
  "source": "file",
  "path": "/var/log/syslog",
  "pattern": "invoked oom-killer",
  "pattern_type": "regex"
}

Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.

Service killed by signal

High

A systemd-managed service was killed (e.g. SIGKILL) — crash or OOM.

Regex pattern

Main process exited, code=killed

Example matching line

Jun  1 10:16:10 web-01 systemd[1]: nginx.service: Main process exited, code=killed, status=9/KILL

Alert24 agent config(/var/log/syslog)

{
  "name": "systemd_killed",
  "source": "file",
  "path": "/var/log/syslog",
  "pattern": "Main process exited, code=killed",
  "pattern_type": "regex"
}

Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.

systemd journal

System & auth

The systemd journal (journalctl). On Alert24 prefer the journald source for live units.

Default log locations

What	Debian / Ubuntu	RHEL / CentOS
Journal store (binary)	/var/log/journal/ (query with journalctl)	(same)
Persisted text (if ForwardToSyslog)	/var/log/syslog	/var/log/messages

Log format example

Jun 01 10:15:42 web-01 myapp[2913]: ERROR could not connect to database: connection refused

Jun 01 10:16:10 web-01 systemd[1]: myapp.service: Failed with result 'exit-code'.

Start request repeated too quickly

Critical

A service is crash-looping and systemd stopped restarting it.

Regex pattern

Start request repeated too quickly

Example matching line

Jun 01 10:17:00 web-01 systemd[1]: myapp.service: Start request repeated too quickly.

Alert24 agent config(/var/log/syslog)

{
  "name": "systemd_start_limit",
  "source": "file",
  "path": "/var/log/syslog",
  "pattern": "Start request repeated too quickly",
  "pattern_type": "regex"
}

Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.

Unit failed

High

A service entered the failed state.

Regex pattern

Failed with result

Example matching line

Jun 01 10:16:10 web-01 systemd[1]: myapp.service: Failed with result 'exit-code'.

Alert24 agent config(/var/log/syslog)

{
  "name": "systemd_unit_failed",
  "source": "file",
  "path": "/var/log/syslog",
  "pattern": "Failed with result",
  "pattern_type": "regex"
}

Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.

Application ERROR/FATAL

High

Generic ERROR or FATAL emitted by a service to the journal.

Regex pattern

\b(?:ERROR|FATAL)\b

Example matching line

Jun 01 10:15:42 web-01 myapp[2913]: ERROR could not connect to database: connection refused

Alert24 agent config(/var/log/syslog)

{
  "name": "systemd_app_error",
  "source": "file",
  "path": "/var/log/syslog",
  "pattern": "\\b(?:ERROR|FATAL)\\b",
  "pattern_type": "regex"
}

Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.

PHP-FPM

Runtimes

FastCGI Process Manager pool/error logs for PHP.

Default log locations

What	Debian / Ubuntu	RHEL / CentOS
FPM error log	/var/log/php8.2-fpm.log	/var/log/php-fpm/error.log
Pool log (www)	/var/log/php-fpm/www-error.log	/var/log/php-fpm/www-error.log

Log format example

[01-Jun-2026 10:15:42] WARNING: [pool www] server reached pm.max_children setting (50), consider raising it

[01-Jun-2026 10:16:10] WARNING: [pool www] child 4012 exited on signal 11 (SIGSEGV) after 120.5 seconds from start

Worker segfault

Critical

An FPM worker crashed (SIGSEGV) — buggy extension or code.

Regex pattern

exited on signal 11 \(SIGSEGV\)

Example matching line

[01-Jun-2026 10:16:10] WARNING: [pool www] child 4012 exited on signal 11 (SIGSEGV) after 120.5 seconds from start

Alert24 agent config(/var/log/php8.2-fpm.log)

{
  "name": "phpfpm_child_segfault",
  "source": "file",
  "path": "/var/log/php8.2-fpm.log",
  "pattern": "exited on signal 11 \\(SIGSEGV\\)",
  "pattern_type": "regex"
}

Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.

max_children reached

High

The FPM pool is saturated — requests are queuing. Raise pm.max_children.

Regex pattern

reached pm\.max_children setting

Example matching line

[01-Jun-2026 10:15:42] WARNING: [pool www] server reached pm.max_children setting (50), consider raising it

Alert24 agent config(/var/log/php8.2-fpm.log)

{
  "name": "phpfpm_max_children",
  "source": "file",
  "path": "/var/log/php8.2-fpm.log",
  "pattern": "reached pm\\.max_children setting",
  "pattern_type": "regex"
}

Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.

Script execution timeout

High

A request exceeded request_terminate_timeout and was killed.

Regex pattern

execution timed out

Example matching line

[01-Jun-2026 10:17:00] WARNING: [pool www] child 4015, script '/var/www/app/index.php' (request: "GET /index.php") execution timed out (35.123456 sec), terminating

Alert24 agent config(/var/log/php8.2-fpm.log)

{
  "name": "phpfpm_exec_timeout",
  "source": "file",
  "path": "/var/log/php8.2-fpm.log",
  "pattern": "execution timed out",
  "pattern_type": "regex"
}

Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.

Node.js / PM2

Runtimes

Application stdout/stderr captured by PM2 (or systemd).

Default log locations

What	Debian / Ubuntu	RHEL / CentOS
PM2 error log	~/.pm2/logs/<app>-error.log	(same)
PM2 output log	~/.pm2/logs/<app>-out.log	(same)
PM2 daemon log	~/.pm2/pm2.log	(same)

Log format example

Error: connect ECONNREFUSED 127.0.0.1:5432

FATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory

JavaScript heap out of memory

Critical

V8 ran out of heap and the process aborted — raise --max-old-space-size or fix a leak.

Regex pattern

JavaScript heap out of memory

Example matching line

FATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory

Alert24 agent config(~/.pm2/logs/app-error.log)

{
  "name": "node_heap_oom",
  "source": "file",
  "path": "~/.pm2/logs/app-error.log",
  "pattern": "JavaScript heap out of memory",
  "pattern_type": "regex"
}

Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.

Uncaught exception

Critical

An exception bubbled to the top of the event loop — process likely exited.

Regex pattern

uncaughtException

Example matching line

[2026-06-01T10:17:00.000Z] uncaughtException: TypeError: Cannot read properties of undefined

Alert24 agent config(~/.pm2/logs/app-error.log)

{
  "name": "node_uncaught",
  "source": "file",
  "path": "~/.pm2/logs/app-error.log",
  "pattern": "uncaughtException",
  "pattern_type": "regex"
}

Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.

Unhandled promise rejection

High

A rejected promise with no handler — a latent crash in newer Node versions.

Regex pattern

UnhandledPromiseRejection

Example matching line

[2026-06-01T10:15:42.123Z] UnhandledPromiseRejectionWarning: Error: connect ECONNREFUSED 127.0.0.1:5432

Alert24 agent config(~/.pm2/logs/app-error.log)

{
  "name": "node_unhandled_rejection",
  "source": "file",
  "path": "~/.pm2/logs/app-error.log",
  "pattern": "UnhandledPromiseRejection",
  "pattern_type": "regex"
}

Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.

ECONNREFUSED

High

A downstream service (DB, cache, API) refused the connection.

Regex pattern

ECONNREFUSED

Example matching line

Error: connect ECONNREFUSED 127.0.0.1:5432

Alert24 agent config(~/.pm2/logs/app-error.log)

{
  "name": "node_econnrefused",
  "source": "file",
  "path": "~/.pm2/logs/app-error.log",
  "pattern": "ECONNREFUSED",
  "pattern_type": "regex"
}

Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.

HAProxy

Web servers

Load-balancer logs (via syslog/journald), default HTTP log format.

Default log locations

What	Debian / Ubuntu	RHEL / CentOS
HAProxy log	/var/log/haproxy.log	/var/log/haproxy.log

Log format example

Jun  1 10:15:42 lb-01 haproxy[2913]: 192.0.2.10:51022 [01/Jun/2026:10:15:42.123] fe_http be_app/web1 0/0/1/12/13 503 217 - - SC-- 5/5/0/0/0 0/0 "GET /api HTTP/1.1"

Jun  1 10:16:10 lb-01 haproxy[2913]: Server be_app/web2 is DOWN, reason: Layer4 connection problem, info: "Connection refused"

Backend server DOWN

Critical

A health check marked a backend server down.

Regex pattern

Server \S+ is DOWN

Example matching line

Jun  1 10:16:10 lb-01 haproxy[2913]: Server be_app/web2 is DOWN, reason: Layer4 connection problem, info: "Connection refused"

Alert24 agent config(/var/log/haproxy.log)

{
  "name": "haproxy_server_down",
  "source": "file",
  "path": "/var/log/haproxy.log",
  "pattern": "Server \\S+ is DOWN",
  "pattern_type": "regex"
}

Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.

No server available

Critical

A backend has no healthy servers left — full outage for that pool.

Regex pattern

backend \S+ has no server available

Example matching line

Jun  1 10:17:00 lb-01 haproxy[2913]: backend be_app has no server available!

Alert24 agent config(/var/log/haproxy.log)

{
  "name": "haproxy_no_server",
  "source": "file",
  "path": "/var/log/haproxy.log",
  "pattern": "backend \\S+ has no server available",
  "pattern_type": "regex"
}

Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.

5xx returned to client

High

HAProxy returned a 5xx — backend errors or HAProxy-generated 503 (no server available).

Regex pattern

 (?:500|502|503|504) \d+

Example matching line

Jun  1 10:15:42 lb-01 haproxy[2913]: 192.0.2.10:51022 [01/Jun/2026:10:15:42.123] fe_http be_app/web1 0/0/1/12/13 503 217 - - SC-- 5/5/0/0/0 0/0 "GET /api HTTP/1.1"

Alert24 agent config(/var/log/haproxy.log)

{
  "name": "haproxy_5xx",
  "source": "file",
  "path": "/var/log/haproxy.log",
  "pattern": " (?:500|502|503|504) \\d+ ",
  "pattern_type": "regex"
}

Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.

Postfix

Mail & security

Mail Transfer Agent log (maillog).

Default log locations

What	Debian / Ubuntu	RHEL / CentOS
Mail log	/var/log/mail.log	/var/log/maillog
Mail errors	/var/log/mail.err	/var/log/maillog

Log format example

Jun  1 10:15:42 mail-01 postfix/smtp[2913]: A1B2C3: to=<[email protected]>, relay=mx.example.org[203.0.113.5]:25, delay=2.1, status=bounced (host mx.example.org said: 550 5.1.1 User unknown)

Jun  1 10:16:10 mail-01 postfix/smtpd[2914]: warning: hostname unknown: address not listed for hostname

Queue file write error

Critical

Postfix cannot write to the queue — disk full or permission issue.

Regex pattern

queue file write error

Example matching line

Jun  1 10:17:00 mail-01 postfix/cleanup[2915]: warning: A7B8C9: queue file write error

Alert24 agent config(/var/log/mail.log)

{
  "name": "postfix_queue_full",
  "source": "file",
  "path": "/var/log/mail.log",
  "pattern": "queue file write error",
  "pattern_type": "regex"
}

Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.

Message bounced

Warning

A message was bounced by the remote MTA — bad recipient or policy reject.

Regex pattern

status=bounced

Example matching line

Jun  1 10:15:42 mail-01 postfix/smtp[2913]: A1B2C3: to=<[email protected]>, relay=mx.example.org[203.0.113.5]:25, status=bounced (host mx.example.org said: 550 5.1.1 User unknown)

Alert24 agent config(/var/log/mail.log)

{
  "name": "postfix_bounced",
  "source": "file",
  "path": "/var/log/mail.log",
  "pattern": "status=bounced",
  "pattern_type": "regex"
}

Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.

Message deferred

Warning

Delivery was deferred and will be retried — connectivity or greylisting.

Regex pattern

status=deferred

Example matching line

Jun  1 10:16:00 mail-01 postfix/smtp[2913]: D4E5F6: to=<[email protected]>, relay=none, status=deferred (connect to example.net: Connection timed out)

Alert24 agent config(/var/log/mail.log)

{
  "name": "postfix_deferred",
  "source": "file",
  "path": "/var/log/mail.log",
  "pattern": "status=deferred",
  "pattern_type": "regex"
}

Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.

Relay access denied

Warning

A client tried to relay through your server and was refused — possible abuse.

Regex pattern

Relay access denied

Example matching line

Jun  1 10:18:00 mail-01 postfix/smtpd[2916]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <[email protected]>: Relay access denied

Alert24 agent config(/var/log/mail.log)

{
  "name": "postfix_relay_denied",
  "source": "file",
  "path": "/var/log/mail.log",
  "pattern": "Relay access denied",
  "pattern_type": "regex"
}

Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.

fail2ban

Mail & security

Intrusion-prevention log — bans/unbans across jails.

Default log locations

What	Debian / Ubuntu	RHEL / CentOS
fail2ban log	/var/log/fail2ban.log	/var/log/fail2ban.log

Log format example

2026-06-01 10:15:42,123 fail2ban.actions [2913]: NOTICE [sshd] Ban 198.51.100.7

2026-06-01 10:25:42,000 fail2ban.actions [2913]: NOTICE [sshd] Unban 198.51.100.7

fail2ban error

High

fail2ban itself logged an error — a broken filter/action or unreadable log.

Regex pattern

fail2ban\.\S+\s+\[\d+\]: ERROR

Example matching line

2026-06-01 10:16:00,000 fail2ban.actions [2913]: ERROR Failed to execute ban jail 'sshd' action 'iptables-multiport'

Alert24 agent config(/var/log/fail2ban.log)

{
  "name": "fail2ban_error",
  "source": "file",
  "path": "/var/log/fail2ban.log",
  "pattern": "fail2ban\\.\\S+\\s+\\[\\d+\\]: ERROR",
  "pattern_type": "regex"
}

Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.

IP banned

Warning

fail2ban banned an address — track ban volume as an attack indicator.

Regex pattern

\[\S+\] Ban \d{1,3}(?:\.\d{1,3}){3}

Example matching line

2026-06-01 10:15:42,123 fail2ban.actions [2913]: NOTICE [sshd] Ban 198.51.100.7

Alert24 agent config(/var/log/fail2ban.log)

{
  "name": "fail2ban_ban",
  "source": "file",
  "path": "/var/log/fail2ban.log",
  "pattern": "\\[\\S+\\] Ban \\d{1,3}(?:\\.\\d{1,3}){3}",
  "pattern_type": "regex"
}

Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.

Match found

Info

A failure matched a jail filter (precedes a ban once maxretry is hit).

Regex pattern

\] Found \d{1,3}(?:\.\d{1,3}){3}

Example matching line

2026-06-01 10:15:40,000 fail2ban.filter [2913]: INFO [sshd] Found 198.51.100.7 - 2026-06-01 10:15:40

Alert24 agent config(/var/log/fail2ban.log)

{
  "name": "fail2ban_found",
  "source": "file",
  "path": "/var/log/fail2ban.log",
  "pattern": "\\] Found \\d{1,3}(?:\\.\\d{1,3}){3}",
  "pattern_type": "regex"
}

Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.

cron

Scheduling

Scheduled-job execution log (cron daemon).

Default log locations

What	Debian / Ubuntu	RHEL / CentOS
Cron log (dedicated)	/var/log/cron.log	/var/log/cron
Cron via syslog	/var/log/syslog	/var/log/messages

Log format example

Jun  1 10:15:01 web-01 CRON[2913]: (root) CMD (/usr/local/bin/backup.sh)

Jun  1 10:15:01 web-01 CRON[2913]: (CRON) error (grandchild #2914 failed with exit status 1)

Cron job failed

High

A cron grandchild exited non-zero — a scheduled job failed.

Regex pattern

failed with exit status [1-9]

Example matching line

Jun  1 10:15:01 web-01 CRON[2913]: (CRON) error (grandchild #2914 failed with exit status 1)

Alert24 agent config(/var/log/syslog)

{
  "name": "cron_job_error",
  "source": "file",
  "path": "/var/log/syslog",
  "pattern": "failed with exit status [1-9]",
  "pattern_type": "regex"
}

Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.

No MTA to mail output

Warning

Cron produced output but could not mail it — silent job failures may go unnoticed.

Regex pattern

No MTA installed, discarding output

Example matching line

Jun  1 10:15:01 web-01 CRON[2913]: (root) MAIL (mailed 120 bytes of output but got status 0x004b from MTA) No MTA installed, discarding output

Alert24 agent config(/var/log/syslog)

{
  "name": "cron_no_mta",
  "source": "file",
  "path": "/var/log/syslog",
  "pattern": "No MTA installed, discarding output",
  "pattern_type": "regex"
}

Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.

Job executed

Info

Every command cron runs — useful as a heartbeat that a job is firing at all.

Regex pattern

CRON\[\d+\]: \(\S+\) CMD

Example matching line

Jun  1 10:15:01 web-01 CRON[2913]: (root) CMD (/usr/local/bin/backup.sh)

Alert24 agent config(/var/log/syslog)

{
  "name": "cron_exec",
  "source": "file",
  "path": "/var/log/syslog",
  "pattern": "CRON\\[\\d+\\]: \\(\\S+\\) CMD ",
  "pattern_type": "regex"
}

Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.

Docker (json-file logs)

Containers

Per-container logs written by the default json-file logging driver.

Default log locations

What	Debian / Ubuntu	RHEL / CentOS
Container log (json-file)	/var/lib/docker/containers//-json.log	(same)
Docker daemon (journald)	journalctl -u docker.service	(same)

Log format example

{"log":"ERROR could not connect to database: connection refused\n","stream":"stderr","time":"2026-06-01T10:15:42.123456789Z"}

{"log":"panic: runtime error: invalid memory address or nil pointer dereference\n","stream":"stderr","time":"2026-06-01T10:16:10.000000000Z"}

Go / runtime panic

Critical

A panic written to a container log — a crashing Go (or similar) service.

Regex pattern

"log":"panic:

Example matching line

{"log":"panic: runtime error: invalid memory address or nil pointer dereference\n","stream":"stderr","time":"2026-06-01T10:16:10.000000000Z"}

Alert24 agent config(/var/lib/docker/containers/*/*-json.log)

{
  "name": "docker_panic",
  "source": "file",
  "path": "/var/lib/docker/containers/*/*-json.log",
  "pattern": "\"log\":\"panic:",
  "pattern_type": "regex"
}

Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.

Container OOM killed

Critical

A container was OOM-killed (daemon log) — it exceeded its memory limit.

Regex pattern

oom-kill

Example matching line

Jun  1 10:17:00 web-01 dockerd[900]: time="2026-06-01T10:17:00Z" level=info msg="oom-kill triggered for container abc123"

Alert24 agent config(/var/log/syslog)

{
  "name": "docker_oom",
  "source": "file",
  "path": "/var/log/syslog",
  "pattern": "oom-kill",
  "pattern_type": "regex"
}

Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.

Container error/exception

High

ERROR/FATAL/Exception lines emitted by any container to its json-file log.

Regex pattern

"log":"(?:.*\b(?:ERROR|FATAL|Exception)\b)

Example matching line

{"log":"ERROR could not connect to database: connection refused\n","stream":"stderr","time":"2026-06-01T10:15:42.123456789Z"}

Alert24 agent config(/var/lib/docker/containers/*/*-json.log)

{
  "name": "docker_stderr_error",
  "source": "file",
  "path": "/var/lib/docker/containers/*/*-json.log",
  "pattern": "\"log\":\"(?:.*\\b(?:ERROR|FATAL|Exception)\\b)",
  "pattern_type": "regex"
}

Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.

Stop tailing logs by hand

Get alerted when your logs go wrong

Alert24’s lightweight agent watches your log files where they live and alerts on error spikes, pattern matches, log floods, and sudden silence — no log shipping, no SIEM bill, no per-GB ingest pricing.

Try Alert24 log monitoring

Alert24 includes 3 server agents free. Paid plans add 5 agents per unit; log-search monitoring is a paid feature.

Ready to take this to the next level?

Our team can help implement enterprise-grade solutions. Get personalized recommendations in a free 30-minute consultation.

Schedule Free Consultation See How We Help

Where Linux Logs Live

Most server software on Linux writes plain-text logs under /var/log, following the Filesystem Hierarchy Standard. The exact filenames vary by distribution and packaging: Debian/Ubuntu and RHEL/CentOS often disagree on paths, and many modern services log to the systemd journal instead of (or in addition to) a flat file. The table at the top of each application section above lists the stock defaults so you can find the right file quickly during an incident.

Quick distro path differences

System log: /var/log/syslog (Debian) vs /var/log/messages (RHEL)
Auth/SSH: /var/log/auth.log (Debian) vs /var/log/secure (RHEL)
Apache: /var/log/apache2/ vs /var/log/httpd/
MySQL: /var/log/mysql/error.log vs /var/log/mysqld.log

Reading Severity

Each pattern carries a severity rating to help you decide what to alert on first. The ratings reflect operational impact, not the log line’s own level field:

Critical — the service is failing or about to: OOM kills, Redis MISCONF, “no server available”, crash loops.
High — degraded or error-prone: 5xx spikes, upstream timeouts, deadlocks, FATAL auth failures.
Warning — worth watching: slow queries, deferred mail, aborted connections, 4xx scanning.
Info — useful as a heartbeat or audit signal: successful logins, cron job execution.

From grep to live alerting

Grepping logs by hand finds yesterday’s problem. To catch issues as they happen, each pattern here generates a ready-to-paste config block for the Alert24 server agent. The agent tails the file by offset, counts matches per interval, and reports them on its heartbeat so you can threshold on error rate or match count. The config uses the file log-search schema:

{ "name": "mysql_too_many_conns", "source": "file",
  "path": "/var/log/mysql/error.log",
  "pattern": "Too many connections", "pattern_type": "regex" }

Alert24 includes 3 server agents on the free plan; paid plans add 5 agents per subscription unit, and log-search monitoring is a paid feature.

Frequently Asked Questions

Common questions about the Log Pattern Library

nginx writes to /var/log/nginx/access.log and /var/log/nginx/error.log. Apache uses /var/log/apache2/ on Debian/Ubuntu and /var/log/httpd/ on RHEL/CentOS. MySQL/MariaDB log to /var/log/mysql/error.log (Debian) or /var/log/mysqld.log (RHEL). PostgreSQL writes to /var/log/postgresql/ on Debian or /var/lib/pgsql/data/log/ on RHEL. This tool lists the exact default paths for each application, including where Debian and RHEL differ.

High-signal patterns include nginx/Apache 5xx responses and upstream timeouts, MySQL "Too many connections" and deadlocks, PostgreSQL FATAL and "deadlock detected" lines, sshd "Failed password" attempts, Redis MISCONF persistence errors, the kernel OOM killer ("Out of memory: Killed process"), and systemd "Start request repeated too quickly" crash loops. Each pattern in this library includes a severity rating and an example matching line.

On Debian/Ubuntu the MySQL/MariaDB error log defaults to /var/log/mysql/error.log; on RHEL/CentOS it is usually /var/log/mysqld.log. You can confirm the active path with the SQL query SHOW VARIABLES LIKE 'log_error';. The slow query log is separate (/var/log/mysql/mysql-slow.log) and only records queries above long_query_time.

PostgreSQL logs the literal phrase "deadlock detected" at ERROR level when it aborts a transaction to break a deadlock. Grep the server log (under /var/log/postgresql/ or the data directory log/ folder) for "deadlock detected". Recurring deadlocks usually point to inconsistent lock ordering in application transactions.

The Linux kernel logs "Out of memory: Killed process ()" to /var/log/syslog (Debian) or /var/log/messages (RHEL), and "invoked oom-killer" just before it. You can also run dmesg | grep -i oom. These lines mean the server ran out of RAM and the kernel terminated a process to recover.

Yes. Every pattern is a standard regular expression that has been validated to match the example log line shown next to it. They are written to be portable across grep -E, common log shippers, and the Alert24 agent. You should still test against your own log format, since custom log formats (for example a non-default nginx log_format) can change field positions.

Each pattern includes a ready-to-paste Alert24 server-agent config block in the file log-search format: a JSON object with name, source "file", path, pattern, and pattern_type "regex". Add the object to the log_searches array in your agent config and the agent reports match counts on every heartbeat, which you can alert on. Alert24 includes 3 server agents on the free plan; paid plans add 5 agents per unit, and log-search monitoring is a paid feature.

Frequently, yes. Common differences: Apache (/var/log/apache2 vs /var/log/httpd), MySQL (/var/log/mysql/error.log vs /var/log/mysqld.log), the system log (/var/log/syslog vs /var/log/messages), and the auth log (/var/log/auth.log vs /var/log/secure). Each application entry in this tool lists both where they differ.

Explore More Tools

Continue with these related tools

Security

🔓

Free Breach Check Tool

Check if an email address or password has appeared in known data breaches. See which breaches, what data was exposed, and when.

Try it now

Security

🔐

Password Strength Checker

Check how strong your password is with entropy analysis, crack time estimates, and breach database checks via Have I Been Pwned. 100% client-side.

Try it now

Security

🔑

Password Generator

Generate secure random passwords with customizable options

Try it now

Related External Resources

Additional tools from our partner sites

Linux Filesystem Hierarchy Standard — /var/log

The FHS specification defining where log files belong on Linux systems

Linux Foundation

systemd journalctl manual

How to query the systemd journal for unit logs and priorities

freedesktop.org

nginx log_format / error_log directives

Official reference for nginx access and error log configuration

nginx.org

ℹ️ Disclaimer

This tool is provided for informational and educational purposes only. All processing happens entirely in your browser - no data is sent to or stored on our servers. While we strive for accuracy, we make no warranties about the completeness or reliability of results. Use at your own discretion.