A curated, browsable library of common application log file locations and the error patterns sysadmins monitor for — nginx, Apache, MySQL, PostgreSQL, Redis, MongoDB, sshd, Docker, systemd, PHP-FPM, Node.js, HAProxy, Postfix, fail2ban and cron. Each pattern includes a validated regex, an example matching line, and a ready-to-paste Alert24 agent config.
61 curated patterns across 16applications. Every regex is validated to match the example line shown. Generated configs use Alert24’s file log-search schema.
Access & error logs for the nginx web server / reverse proxy.
| What | Debian / Ubuntu | RHEL / CentOS |
|---|---|---|
| Access log | /var/log/nginx/access.log | (same) |
| Error log | /var/log/nginx/error.log | (same) |
192.0.2.10 - - [01/Jun/2026:10:15:42 +0000] "GET /api/orders HTTP/1.1" 502 166 "-" "curl/8.4.0"2026/06/01 10:15:42 [error] 2913#2913: *5 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 192.0.2.10, server: example.com, request: "GET /api/orders HTTP/1.1", upstream: "http://127.0.0.1:8080/api/orders", host: "example.com"Upstream is down — connect() failed / connection refused.
connect\(\) failed \(111: Connection refused\)2026/06/01 10:17:03 [error] 2913#2913: *9 connect() failed (111: Connection refused) while connecting to upstream, client: 192.0.2.10, server: example.com, upstream: "http://127.0.0.1:8080/"{
"name": "nginx_conn_refused",
"source": "file",
"path": "/var/log/nginx/error.log",
"pattern": "connect\\(\\) failed \\(111: Connection refused\\)",
"pattern_type": "regex"
}Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.
Any 5xx response status — backend failures, gateway errors, overload.
" 5\d{2} 192.0.2.10 - - [01/Jun/2026:10:15:42 +0000] "GET /api/orders HTTP/1.1" 502 166 "-" "curl/8.4.0"{
"name": "nginx_5xx",
"source": "file",
"path": "/var/log/nginx/access.log",
"pattern": "\" 5\\d{2} ",
"pattern_type": "regex"
}Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.
Backend/upstream did not respond in time — slow or dead app server.
upstream timed out2026/06/01 10:15:42 [error] 2913#2913: *5 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 192.0.2.10, server: example.com{
"name": "nginx_upstream_timeout",
"source": "file",
"path": "/var/log/nginx/error.log",
"pattern": "upstream timed out",
"pattern_type": "regex"
}Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.
nginx is out of worker connections — raise worker_connections.
worker_connections are not enough2026/06/01 10:18:20 [alert] 2913#2913: 1024 worker_connections are not enough while connecting to upstream{
"name": "nginx_worker_limit",
"source": "file",
"path": "/var/log/nginx/error.log",
"pattern": "worker_connections are not enough",
"pattern_type": "regex"
}Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.
4xx responses — broken links, auth failures, probing/scanning.
" 4\d{2} 198.51.100.7 - - [01/Jun/2026:10:16:01 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"{
"name": "nginx_4xx",
"source": "file",
"path": "/var/log/nginx/access.log",
"pattern": "\" 4\\d{2} ",
"pattern_type": "regex"
}Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.
Access & error logs for the Apache HTTP Server.
| What | Debian / Ubuntu | RHEL / CentOS |
|---|---|---|
| Access log | /var/log/apache2/access.log | /var/log/httpd/access_log |
| Error log | /var/log/apache2/error.log | /var/log/httpd/error_log |
192.0.2.10 - - [01/Jun/2026:10:15:42 +0000] "GET /index.html HTTP/1.1" 500 4523 "-" "Mozilla/5.0"[Mon Jun 01 10:15:42.123456 2026] [proxy:error] [pid 2913:tid 140] (111)Connection refused: AH00957: HTTP: attempt to connect to 127.0.0.1:8080 (localhost) failedA worker process crashed (segmentation fault) — often a buggy module.
exit signal Segmentation fault[Mon Jun 01 10:20:11.000000 2026] [core:notice] [pid 1:tid 0] AH00052: child pid 4012 exit signal Segmentation fault (11){
"name": "apache_segfault",
"source": "file",
"path": "/var/log/apache2/error.log",
"pattern": "exit signal Segmentation fault",
"pattern_type": "regex"
}Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.
Backend behind mod_proxy is unreachable.
AH00957: \w+: attempt to connect to .* failed[Mon Jun 01 10:15:42.123456 2026] [proxy:error] [pid 2913:tid 140] (111)Connection refused: AH00957: HTTP: attempt to connect to 127.0.0.1:8080 (localhost) failed{
"name": "apache_proxy_refused",
"source": "file",
"path": "/var/log/apache2/error.log",
"pattern": "AH00957: \\w+: attempt to connect to .* failed",
"pattern_type": "regex"
}Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.
Any 5xx response — application or proxy failures.
" 5\d{2} 192.0.2.10 - - [01/Jun/2026:10:15:42 +0000] "GET /index.html HTTP/1.1" 500 4523 "-" "Mozilla/5.0"{
"name": "apache_5xx",
"source": "file",
"path": "/var/log/apache2/access.log",
"pattern": "\" 5\\d{2} ",
"pattern_type": "regex"
}Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.
Apache hit its worker ceiling — requests are queuing, raise the limit.
reached MaxRequestWorkers setting[Mon Jun 01 10:21:00.000000 2026] [mpm_event:error] [pid 2913:tid 140] AH00484: server reached MaxRequestWorkers setting, consider raising the MaxRequestWorkers setting{
"name": "apache_maxclients",
"source": "file",
"path": "/var/log/apache2/error.log",
"pattern": "reached MaxRequestWorkers setting",
"pattern_type": "regex"
}Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.
Error log and slow query log for MySQL and MariaDB servers.
| What | Debian / Ubuntu | RHEL / CentOS |
|---|---|---|
| Error log | /var/log/mysql/error.log | /var/log/mysqld.log |
| Slow query log | /var/log/mysql/mysql-slow.log | /var/log/mysql-slow.log |
2026-06-01T10:15:42.123456Z 8 [ERROR] [MY-010914] [Server] Got an error reading communication packets2026-06-01T10:15:42.123456Z 0 [Warning] [MY-010055] Too many connections# Query_time: 12.840000 Lock_time: 0.000100 Rows_sent: 1 Rows_examined: 4821990Connection limit reached — clients are being rejected. Raise max_connections or fix a leak.
Too many connections2026-06-01T10:15:42.123456Z 0 [Warning] [MY-010055] Too many connections{
"name": "mysql_too_many_conns",
"source": "file",
"path": "/var/log/mysql/error.log",
"pattern": "Too many connections",
"pattern_type": "regex"
}Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.
InnoDB encountered an error or is recovering after an unclean shutdown.
\[ERROR\].*InnoDB2026-06-01T10:18:00.000000Z 0 [ERROR] [MY-012560] InnoDB: The log sequence number is in the future!{
"name": "mysql_crash_recovery",
"source": "file",
"path": "/var/log/mysql/error.log",
"pattern": "\\[ERROR\\].*InnoDB",
"pattern_type": "regex"
}Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.
InnoDB rolled back a transaction to break a deadlock.
Deadlock found when trying to get lock2026-06-01T10:16:10.000000Z 12 [Warning] [MY-013360] InnoDB: Deadlock found when trying to get lock; try restarting transaction{
"name": "mysql_deadlock",
"source": "file",
"path": "/var/log/mysql/error.log",
"pattern": "Deadlock found when trying to get lock",
"pattern_type": "regex"
}Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.
Clients disconnecting mid-query — network issues, timeouts, or crashing app workers.
Aborted connection \d+ to db2026-06-01T10:17:01.000000Z 33 [Note] [MY-010914] [Server] Aborted connection 33 to db: 'app' user: 'app' host: '10.0.0.5' (Got timeout reading communication packets){
"name": "mysql_aborted_connection",
"source": "file",
"path": "/var/log/mysql/error.log",
"pattern": "Aborted connection \\d+ to db",
"pattern_type": "regex"
}Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.
Slow-log entries whose Query_time exceeds 10 seconds.
# Query_time: (?:[1-9]\d|\d{2,})\.# Query_time: 12.840000 Lock_time: 0.000100 Rows_sent: 1 Rows_examined: 4821990{
"name": "mysql_slow_query",
"source": "file",
"path": "/var/log/mysql/mysql-slow.log",
"pattern": "# Query_time: (?:[1-9]\\d|\\d{2,})\\.",
"pattern_type": "regex"
}Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.
Server log for PostgreSQL (stderr / logging collector).
| What | Debian / Ubuntu | RHEL / CentOS |
|---|---|---|
| Log directory | /var/log/postgresql/postgresql-*.log | /var/lib/pgsql/data/log/postgresql-*.log |
2026-06-01 10:15:42.123 UTC [2913] FATAL: password authentication failed for user "app"2026-06-01 10:16:10.000 UTC [3001] ERROR: deadlock detected2026-06-01 10:17:00.000 UTC [3050] LOG: duration: 8421.337 ms statement: SELECT * FROM ordersConnection slots exhausted — raise max_connections or add a pooler (PgBouncer).
too many clients already2026-06-01 10:16:30.000 UTC [3010] FATAL: sorry, too many clients already{
"name": "postgres_too_many_clients",
"source": "file",
"path": "/var/log/postgresql/postgresql-*.log",
"pattern": "too many clients already",
"pattern_type": "regex"
}Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.
Connection/auth failures, too many clients, recovery aborts — anything PostgreSQL logs as FATAL.
\bFATAL:2026-06-01 10:15:42.123 UTC [2913] FATAL: password authentication failed for user "app"{
"name": "postgres_fatal",
"source": "file",
"path": "/var/log/postgresql/postgresql-*.log",
"pattern": "\\bFATAL:",
"pattern_type": "regex"
}Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.
A transaction was aborted to resolve a deadlock.
deadlock detected2026-06-01 10:16:10.000 UTC [3001] ERROR: deadlock detected{
"name": "postgres_deadlock",
"source": "file",
"path": "/var/log/postgresql/postgresql-*.log",
"pattern": "deadlock detected",
"pattern_type": "regex"
}Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.
Statements logged by log_min_duration_statement taking over 1 second.
duration: \d{4,}\.\d+ ms2026-06-01 10:17:00.000 UTC [3050] LOG: duration: 8421.337 ms statement: SELECT * FROM orders{
"name": "postgres_slow_statement",
"source": "file",
"path": "/var/log/postgresql/postgresql-*.log",
"pattern": "duration: \\d{4,}\\.\\d+ ms",
"pattern_type": "regex"
}Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.
WAL checkpoints firing too often — increase max_wal_size to reduce I/O.
checkpoints are occurring too frequently2026-06-01 10:18:00.000 UTC [2900] LOG: checkpoints are occurring too frequently (9 seconds apart){
"name": "postgres_checkpoint_frequent",
"source": "file",
"path": "/var/log/postgresql/postgresql-*.log",
"pattern": "checkpoints are occurring too frequently",
"pattern_type": "regex"
}Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.
Server log for the Redis in-memory data store.
| What | Debian / Ubuntu | RHEL / CentOS |
|---|---|---|
| Server log | /var/log/redis/redis-server.log | /var/log/redis/redis.log |
2913:M 01 Jun 2026 10:15:42.123 # MISCONF Redis is configured to save RDB snapshots, but it is currently not able to persist on disk.2913:M 01 Jun 2026 10:16:10.000 * Background saving terminated with successRedis cannot persist to disk and is rejecting writes — full disk or broken RDB/AOF.
MISCONF2913:M 01 Jun 2026 10:15:42.123 # MISCONF Redis is configured to save RDB snapshots, but it is currently not able to persist on disk.{
"name": "redis_misconf",
"source": "file",
"path": "/var/log/redis/redis-server.log",
"pattern": "MISCONF",
"pattern_type": "regex"
}Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.
Writes rejected because maxmemory was hit with no eviction policy.
OOM command not allowed2913:M 01 Jun 2026 10:18:00.000 # OOM command not allowed when used memory > 'maxmemory'.{
"name": "redis_oom",
"source": "file",
"path": "/var/log/redis/redis-server.log",
"pattern": "OOM command not allowed",
"pattern_type": "regex"
}Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.
A background RDB save (fork) failed — out of memory or disk.
Background saving error2913:M 01 Jun 2026 10:17:00.000 # Background saving error{
"name": "redis_bgsave_failed",
"source": "file",
"path": "/var/log/redis/redis-server.log",
"pattern": "Background saving error",
"pattern_type": "regex"
}Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.
vm.overcommit_memory not set to 1 — background saves and replication may fail under load.
overcommit_memory is set to 02913:M 01 Jun 2026 10:14:00.000 # WARNING overcommit_memory is set to 0! Background save may fail under low memory condition.{
"name": "redis_overcommit",
"source": "file",
"path": "/var/log/redis/redis-server.log",
"pattern": "overcommit_memory is set to 0",
"pattern_type": "regex"
}Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.
Structured JSON log (mongod) for MongoDB 4.4+.
| What | Debian / Ubuntu | RHEL / CentOS |
|---|---|---|
| Server log | /var/log/mongodb/mongod.log | (same) |
{"t":{"$date":"2026-06-01T10:15:42.123+00:00"},"s":"E","c":"NETWORK","id":22942,"ctx":"conn5","msg":"Error receiving request from client. Ending connection from remote","attr":{"error":{"code":141}}}{"t":{"$date":"2026-06-01T10:17:00.000+00:00"},"s":"I","c":"COMMAND","ctx":"conn9","msg":"Slow query","attr":{"durationMillis":4210}}Storage-engine errors — disk problems or corruption.
"c":"STORAGE".*"s":"E"{"t":{"$date":"2026-06-01T10:19:00.000+00:00"},"c":"STORAGE","s":"E","ctx":"conn1","msg":"WiredTiger error","attr":{"error":-31802}}{
"name": "mongodb_wt_error",
"source": "file",
"path": "/var/log/mongodb/mongod.log",
"pattern": "\"c\":\"STORAGE\".*\"s\":\"E\"",
"pattern_type": "regex"
}Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.
Log entries with severity "E" (error) or "F" (fatal).
"s":"[EF]"{"t":{"$date":"2026-06-01T10:15:42.123+00:00"},"s":"E","c":"NETWORK","id":22942,"ctx":"conn5","msg":"Error receiving request from client. Ending connection from remote"}{
"name": "mongodb_severe",
"source": "file",
"path": "/var/log/mongodb/mongod.log",
"pattern": "\"s\":\"[EF]\"",
"pattern_type": "regex"
}Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.
A new primary is being elected — replica set instability or failover.
"msg":"Starting an election{"t":{"$date":"2026-06-01T10:18:00.000+00:00"},"s":"I","c":"ELECTION","ctx":"conn1","msg":"Starting an election, since we have not seen a primary"}{
"name": "mongodb_election",
"source": "file",
"path": "/var/log/mongodb/mongod.log",
"pattern": "\"msg\":\"Starting an election",
"pattern_type": "regex"
}Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.
Operations exceeding the slow-op threshold (default 100ms).
"msg":"Slow query"{"t":{"$date":"2026-06-01T10:17:00.000+00:00"},"s":"I","c":"COMMAND","ctx":"conn9","msg":"Slow query","attr":{"durationMillis":4210}}{
"name": "mongodb_slow_query",
"source": "file",
"path": "/var/log/mongodb/mongod.log",
"pattern": "\"msg\":\"Slow query\"",
"pattern_type": "regex"
}Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.
SSH daemon authentication events (PAM / auth facility).
| What | Debian / Ubuntu | RHEL / CentOS |
|---|---|---|
| Auth log | /var/log/auth.log | /var/log/secure |
Jun 1 10:15:42 web-01 sshd[2913]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2Jun 1 10:16:10 web-01 sshd[2914]: Accepted publickey for deploy from 10.0.0.5 port 51044 ssh2: RSA SHA256:abc123Failed SSH password attempts — brute-force probing if frequent.
Failed password forJun 1 10:15:42 web-01 sshd[2913]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2{
"name": "sshd_failed_password",
"source": "file",
"path": "/var/log/auth.log",
"pattern": "Failed password for",
"pattern_type": "regex"
}Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.
Any authentication targeting the root account directly.
(?:Failed|Accepted) \S+ for root fromJun 1 10:17:00 web-01 sshd[2915]: Failed password for root from 198.51.100.7 port 51066 ssh2{
"name": "sshd_root_login",
"source": "file",
"path": "/var/log/auth.log",
"pattern": "(?:Failed|Accepted) \\S+ for root from",
"pattern_type": "regex"
}Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.
Login attempts for users that do not exist — automated scanning.
Invalid user \S+ fromJun 1 10:15:41 web-01 sshd[2913]: Invalid user admin from 198.51.100.7 port 51022{
"name": "sshd_invalid_user",
"source": "file",
"path": "/var/log/auth.log",
"pattern": "Invalid user \\S+ from",
"pattern_type": "regex"
}Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.
Successful SSH logins (publickey or password) — track who got in.
Accepted (?:publickey|password) forJun 1 10:16:10 web-01 sshd[2914]: Accepted publickey for deploy from 10.0.0.5 port 51044 ssh2: RSA SHA256:abc123{
"name": "sshd_accepted",
"source": "file",
"path": "/var/log/auth.log",
"pattern": "Accepted (?:publickey|password) for",
"pattern_type": "regex"
}Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.
System log — kernel messages, OOM killer, and service crashes.
| What | Debian / Ubuntu | RHEL / CentOS |
|---|---|---|
| System log | /var/log/syslog | /var/log/messages |
| Kernel log | /var/log/kern.log | /var/log/messages |
Jun 1 10:15:42 web-01 kernel: [12345.678901] Out of memory: Killed process 4012 (mysqld) total-vm:8400000kBJun 1 10:16:10 web-01 systemd[1]: nginx.service: Main process exited, code=killed, status=9/KILLThe kernel killed a process to reclaim memory — server is out of RAM.
Out of memory: Killed processJun 1 10:15:42 web-01 kernel: [12345.678901] Out of memory: Killed process 4012 (mysqld) total-vm:8400000kB{
"name": "oom_killer",
"source": "file",
"path": "/var/log/syslog",
"pattern": "Out of memory: Killed process",
"pattern_type": "regex"
}Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.
Block-layer I/O errors — failing or saturated storage.
I/O error.*dev \w+Jun 1 10:18:00 web-01 kernel: [12400.000000] blk_update_request: I/O error, dev sda, sector 123456789{
"name": "kernel_io_error",
"source": "file",
"path": "/var/log/kern.log",
"pattern": "I/O error.*dev \\w+",
"pattern_type": "regex"
}Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.
A process invoked the OOM killer — memory pressure event.
invoked oom-killerJun 1 10:15:41 web-01 kernel: [12345.600000] nginx invoked oom-killer: gfp_mask=0x100cca, order=0, oom_score_adj=0{
"name": "oom_invoked",
"source": "file",
"path": "/var/log/syslog",
"pattern": "invoked oom-killer",
"pattern_type": "regex"
}Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.
A systemd-managed service was killed (e.g. SIGKILL) — crash or OOM.
Main process exited, code=killedJun 1 10:16:10 web-01 systemd[1]: nginx.service: Main process exited, code=killed, status=9/KILL{
"name": "systemd_killed",
"source": "file",
"path": "/var/log/syslog",
"pattern": "Main process exited, code=killed",
"pattern_type": "regex"
}Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.
The systemd journal (journalctl). On Alert24 prefer the journald source for live units.
| What | Debian / Ubuntu | RHEL / CentOS |
|---|---|---|
| Journal store (binary) | /var/log/journal/ (query with journalctl) | (same) |
| Persisted text (if ForwardToSyslog) | /var/log/syslog | /var/log/messages |
Jun 01 10:15:42 web-01 myapp[2913]: ERROR could not connect to database: connection refusedJun 01 10:16:10 web-01 systemd[1]: myapp.service: Failed with result 'exit-code'.A service is crash-looping and systemd stopped restarting it.
Start request repeated too quicklyJun 01 10:17:00 web-01 systemd[1]: myapp.service: Start request repeated too quickly.{
"name": "systemd_start_limit",
"source": "file",
"path": "/var/log/syslog",
"pattern": "Start request repeated too quickly",
"pattern_type": "regex"
}Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.
A service entered the failed state.
Failed with resultJun 01 10:16:10 web-01 systemd[1]: myapp.service: Failed with result 'exit-code'.{
"name": "systemd_unit_failed",
"source": "file",
"path": "/var/log/syslog",
"pattern": "Failed with result",
"pattern_type": "regex"
}Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.
Generic ERROR or FATAL emitted by a service to the journal.
\b(?:ERROR|FATAL)\bJun 01 10:15:42 web-01 myapp[2913]: ERROR could not connect to database: connection refused{
"name": "systemd_app_error",
"source": "file",
"path": "/var/log/syslog",
"pattern": "\\b(?:ERROR|FATAL)\\b",
"pattern_type": "regex"
}Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.
FastCGI Process Manager pool/error logs for PHP.
| What | Debian / Ubuntu | RHEL / CentOS |
|---|---|---|
| FPM error log | /var/log/php8.2-fpm.log | /var/log/php-fpm/error.log |
| Pool log (www) | /var/log/php-fpm/www-error.log | /var/log/php-fpm/www-error.log |
[01-Jun-2026 10:15:42] WARNING: [pool www] server reached pm.max_children setting (50), consider raising it[01-Jun-2026 10:16:10] WARNING: [pool www] child 4012 exited on signal 11 (SIGSEGV) after 120.5 seconds from startAn FPM worker crashed (SIGSEGV) — buggy extension or code.
exited on signal 11 \(SIGSEGV\)[01-Jun-2026 10:16:10] WARNING: [pool www] child 4012 exited on signal 11 (SIGSEGV) after 120.5 seconds from start{
"name": "phpfpm_child_segfault",
"source": "file",
"path": "/var/log/php8.2-fpm.log",
"pattern": "exited on signal 11 \\(SIGSEGV\\)",
"pattern_type": "regex"
}Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.
The FPM pool is saturated — requests are queuing. Raise pm.max_children.
reached pm\.max_children setting[01-Jun-2026 10:15:42] WARNING: [pool www] server reached pm.max_children setting (50), consider raising it{
"name": "phpfpm_max_children",
"source": "file",
"path": "/var/log/php8.2-fpm.log",
"pattern": "reached pm\\.max_children setting",
"pattern_type": "regex"
}Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.
A request exceeded request_terminate_timeout and was killed.
execution timed out[01-Jun-2026 10:17:00] WARNING: [pool www] child 4015, script '/var/www/app/index.php' (request: "GET /index.php") execution timed out (35.123456 sec), terminating{
"name": "phpfpm_exec_timeout",
"source": "file",
"path": "/var/log/php8.2-fpm.log",
"pattern": "execution timed out",
"pattern_type": "regex"
}Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.
Application stdout/stderr captured by PM2 (or systemd).
| What | Debian / Ubuntu | RHEL / CentOS |
|---|---|---|
| PM2 error log | ~/.pm2/logs/<app>-error.log | (same) |
| PM2 output log | ~/.pm2/logs/<app>-out.log | (same) |
| PM2 daemon log | ~/.pm2/pm2.log | (same) |
Error: connect ECONNREFUSED 127.0.0.1:5432FATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memoryV8 ran out of heap and the process aborted — raise --max-old-space-size or fix a leak.
JavaScript heap out of memoryFATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory{
"name": "node_heap_oom",
"source": "file",
"path": "~/.pm2/logs/app-error.log",
"pattern": "JavaScript heap out of memory",
"pattern_type": "regex"
}Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.
An exception bubbled to the top of the event loop — process likely exited.
uncaughtException[2026-06-01T10:17:00.000Z] uncaughtException: TypeError: Cannot read properties of undefined{
"name": "node_uncaught",
"source": "file",
"path": "~/.pm2/logs/app-error.log",
"pattern": "uncaughtException",
"pattern_type": "regex"
}Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.
A rejected promise with no handler — a latent crash in newer Node versions.
UnhandledPromiseRejection[2026-06-01T10:15:42.123Z] UnhandledPromiseRejectionWarning: Error: connect ECONNREFUSED 127.0.0.1:5432{
"name": "node_unhandled_rejection",
"source": "file",
"path": "~/.pm2/logs/app-error.log",
"pattern": "UnhandledPromiseRejection",
"pattern_type": "regex"
}Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.
A downstream service (DB, cache, API) refused the connection.
ECONNREFUSEDError: connect ECONNREFUSED 127.0.0.1:5432{
"name": "node_econnrefused",
"source": "file",
"path": "~/.pm2/logs/app-error.log",
"pattern": "ECONNREFUSED",
"pattern_type": "regex"
}Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.
Load-balancer logs (via syslog/journald), default HTTP log format.
| What | Debian / Ubuntu | RHEL / CentOS |
|---|---|---|
| HAProxy log | /var/log/haproxy.log | /var/log/haproxy.log |
Jun 1 10:15:42 lb-01 haproxy[2913]: 192.0.2.10:51022 [01/Jun/2026:10:15:42.123] fe_http be_app/web1 0/0/1/12/13 503 217 - - SC-- 5/5/0/0/0 0/0 "GET /api HTTP/1.1"Jun 1 10:16:10 lb-01 haproxy[2913]: Server be_app/web2 is DOWN, reason: Layer4 connection problem, info: "Connection refused"A health check marked a backend server down.
Server \S+ is DOWNJun 1 10:16:10 lb-01 haproxy[2913]: Server be_app/web2 is DOWN, reason: Layer4 connection problem, info: "Connection refused"{
"name": "haproxy_server_down",
"source": "file",
"path": "/var/log/haproxy.log",
"pattern": "Server \\S+ is DOWN",
"pattern_type": "regex"
}Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.
A backend has no healthy servers left — full outage for that pool.
backend \S+ has no server availableJun 1 10:17:00 lb-01 haproxy[2913]: backend be_app has no server available!{
"name": "haproxy_no_server",
"source": "file",
"path": "/var/log/haproxy.log",
"pattern": "backend \\S+ has no server available",
"pattern_type": "regex"
}Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.
HAProxy returned a 5xx — backend errors or HAProxy-generated 503 (no server available).
(?:500|502|503|504) \d+ Jun 1 10:15:42 lb-01 haproxy[2913]: 192.0.2.10:51022 [01/Jun/2026:10:15:42.123] fe_http be_app/web1 0/0/1/12/13 503 217 - - SC-- 5/5/0/0/0 0/0 "GET /api HTTP/1.1"{
"name": "haproxy_5xx",
"source": "file",
"path": "/var/log/haproxy.log",
"pattern": " (?:500|502|503|504) \\d+ ",
"pattern_type": "regex"
}Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.
Mail Transfer Agent log (maillog).
| What | Debian / Ubuntu | RHEL / CentOS |
|---|---|---|
| Mail log | /var/log/mail.log | /var/log/maillog |
| Mail errors | /var/log/mail.err | /var/log/maillog |
Jun 1 10:15:42 mail-01 postfix/smtp[2913]: A1B2C3: to=<user@example.org>, relay=mx.example.org[203.0.113.5]:25, delay=2.1, status=bounced (host mx.example.org said: 550 5.1.1 User unknown)Jun 1 10:16:10 mail-01 postfix/smtpd[2914]: warning: hostname unknown: address not listed for hostnamePostfix cannot write to the queue — disk full or permission issue.
queue file write errorJun 1 10:17:00 mail-01 postfix/cleanup[2915]: warning: A7B8C9: queue file write error{
"name": "postfix_queue_full",
"source": "file",
"path": "/var/log/mail.log",
"pattern": "queue file write error",
"pattern_type": "regex"
}Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.
A message was bounced by the remote MTA — bad recipient or policy reject.
status=bouncedJun 1 10:15:42 mail-01 postfix/smtp[2913]: A1B2C3: to=<user@example.org>, relay=mx.example.org[203.0.113.5]:25, status=bounced (host mx.example.org said: 550 5.1.1 User unknown){
"name": "postfix_bounced",
"source": "file",
"path": "/var/log/mail.log",
"pattern": "status=bounced",
"pattern_type": "regex"
}Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.
Delivery was deferred and will be retried — connectivity or greylisting.
status=deferredJun 1 10:16:00 mail-01 postfix/smtp[2913]: D4E5F6: to=<user@example.net>, relay=none, status=deferred (connect to example.net: Connection timed out){
"name": "postfix_deferred",
"source": "file",
"path": "/var/log/mail.log",
"pattern": "status=deferred",
"pattern_type": "regex"
}Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.
A client tried to relay through your server and was refused — possible abuse.
Relay access deniedJun 1 10:18:00 mail-01 postfix/smtpd[2916]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <user@elsewhere.com>: Relay access denied{
"name": "postfix_relay_denied",
"source": "file",
"path": "/var/log/mail.log",
"pattern": "Relay access denied",
"pattern_type": "regex"
}Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.
Intrusion-prevention log — bans/unbans across jails.
| What | Debian / Ubuntu | RHEL / CentOS |
|---|---|---|
| fail2ban log | /var/log/fail2ban.log | /var/log/fail2ban.log |
2026-06-01 10:15:42,123 fail2ban.actions [2913]: NOTICE [sshd] Ban 198.51.100.72026-06-01 10:25:42,000 fail2ban.actions [2913]: NOTICE [sshd] Unban 198.51.100.7fail2ban itself logged an error — a broken filter/action or unreadable log.
fail2ban\.\S+\s+\[\d+\]: ERROR2026-06-01 10:16:00,000 fail2ban.actions [2913]: ERROR Failed to execute ban jail 'sshd' action 'iptables-multiport'{
"name": "fail2ban_error",
"source": "file",
"path": "/var/log/fail2ban.log",
"pattern": "fail2ban\\.\\S+\\s+\\[\\d+\\]: ERROR",
"pattern_type": "regex"
}Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.
fail2ban banned an address — track ban volume as an attack indicator.
\[\S+\] Ban \d{1,3}(?:\.\d{1,3}){3}2026-06-01 10:15:42,123 fail2ban.actions [2913]: NOTICE [sshd] Ban 198.51.100.7{
"name": "fail2ban_ban",
"source": "file",
"path": "/var/log/fail2ban.log",
"pattern": "\\[\\S+\\] Ban \\d{1,3}(?:\\.\\d{1,3}){3}",
"pattern_type": "regex"
}Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.
A failure matched a jail filter (precedes a ban once maxretry is hit).
\] Found \d{1,3}(?:\.\d{1,3}){3}2026-06-01 10:15:40,000 fail2ban.filter [2913]: INFO [sshd] Found 198.51.100.7 - 2026-06-01 10:15:40{
"name": "fail2ban_found",
"source": "file",
"path": "/var/log/fail2ban.log",
"pattern": "\\] Found \\d{1,3}(?:\\.\\d{1,3}){3}",
"pattern_type": "regex"
}Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.
Scheduled-job execution log (cron daemon).
| What | Debian / Ubuntu | RHEL / CentOS |
|---|---|---|
| Cron log (dedicated) | /var/log/cron.log | /var/log/cron |
| Cron via syslog | /var/log/syslog | /var/log/messages |
Jun 1 10:15:01 web-01 CRON[2913]: (root) CMD (/usr/local/bin/backup.sh)Jun 1 10:15:01 web-01 CRON[2913]: (CRON) error (grandchild #2914 failed with exit status 1)A cron grandchild exited non-zero — a scheduled job failed.
failed with exit status [1-9]Jun 1 10:15:01 web-01 CRON[2913]: (CRON) error (grandchild #2914 failed with exit status 1){
"name": "cron_job_error",
"source": "file",
"path": "/var/log/syslog",
"pattern": "failed with exit status [1-9]",
"pattern_type": "regex"
}Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.
Cron produced output but could not mail it — silent job failures may go unnoticed.
No MTA installed, discarding outputJun 1 10:15:01 web-01 CRON[2913]: (root) MAIL (mailed 120 bytes of output but got status 0x004b from MTA) No MTA installed, discarding output{
"name": "cron_no_mta",
"source": "file",
"path": "/var/log/syslog",
"pattern": "No MTA installed, discarding output",
"pattern_type": "regex"
}Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.
Every command cron runs — useful as a heartbeat that a job is firing at all.
CRON\[\d+\]: \(\S+\) CMD Jun 1 10:15:01 web-01 CRON[2913]: (root) CMD (/usr/local/bin/backup.sh){
"name": "cron_exec",
"source": "file",
"path": "/var/log/syslog",
"pattern": "CRON\\[\\d+\\]: \\(\\S+\\) CMD ",
"pattern_type": "regex"
}Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.
Per-container logs written by the default json-file logging driver.
| What | Debian / Ubuntu | RHEL / CentOS |
|---|---|---|
| Container log (json-file) | /var/lib/docker/containers/*/*-json.log | (same) |
| Docker daemon (journald) | journalctl -u docker.service | (same) |
{"log":"ERROR could not connect to database: connection refused\n","stream":"stderr","time":"2026-06-01T10:15:42.123456789Z"}{"log":"panic: runtime error: invalid memory address or nil pointer dereference\n","stream":"stderr","time":"2026-06-01T10:16:10.000000000Z"}A panic written to a container log — a crashing Go (or similar) service.
"log":"panic:{"log":"panic: runtime error: invalid memory address or nil pointer dereference\n","stream":"stderr","time":"2026-06-01T10:16:10.000000000Z"}{
"name": "docker_panic",
"source": "file",
"path": "/var/lib/docker/containers/*/*-json.log",
"pattern": "\"log\":\"panic:",
"pattern_type": "regex"
}Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.
A container was OOM-killed (daemon log) — it exceeded its memory limit.
oom-killJun 1 10:17:00 web-01 dockerd[900]: time="2026-06-01T10:17:00Z" level=info msg="oom-kill triggered for container abc123"{
"name": "docker_oom",
"source": "file",
"path": "/var/log/syslog",
"pattern": "oom-kill",
"pattern_type": "regex"
}Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.
ERROR/FATAL/Exception lines emitted by any container to its json-file log.
"log":"(?:.*\b(?:ERROR|FATAL|Exception)\b){"log":"ERROR could not connect to database: connection refused\n","stream":"stderr","time":"2026-06-01T10:15:42.123456789Z"}{
"name": "docker_stderr_error",
"source": "file",
"path": "/var/lib/docker/containers/*/*-json.log",
"pattern": "\"log\":\"(?:.*\\b(?:ERROR|FATAL|Exception)\\b)",
"pattern_type": "regex"
}Add this object to the log_searches array in your Alert24 server-agent config. Adjust path for your distro if needed.
Alert24’s lightweight agent watches your log files where they live and alerts on error spikes, pattern matches, log floods, and sudden silence — no log shipping, no SIEM bill, no per-GB ingest pricing.
Try Alert24 log monitoringAlert24 includes 3 server agents free. Paid plans add 5 agents per unit; log-search monitoring is a paid feature.
Get a free security assessment from our experts. We'll identify vulnerabilities and create a protection plan tailored to your business.
Most server software on Linux writes plain-text logs under /var/log, following the Filesystem Hierarchy Standard. The exact filenames vary by distribution and packaging: Debian/Ubuntu and RHEL/CentOS often disagree on paths, and many modern services log to the systemd journal instead of (or in addition to) a flat file. The table at the top of each application section above lists the stock defaults so you can find the right file quickly during an incident.
/var/log/syslog (Debian) vs /var/log/messages (RHEL)/var/log/auth.log (Debian) vs /var/log/secure (RHEL)/var/log/apache2/ vs /var/log/httpd//var/log/mysql/error.log vs /var/log/mysqld.logEach pattern carries a severity rating to help you decide what to alert on first. The ratings reflect operational impact, not the log line’s own level field:
Grepping logs by hand finds yesterday’s problem. To catch issues as they happen, each pattern here generates a ready-to-paste config block for the Alert24 server agent. The agent tails the file by offset, counts matches per interval, and reports them on its heartbeat so you can threshold on error rate or match count. The config uses the file log-search schema:
{ "name": "mysql_too_many_conns", "source": "file",
"path": "/var/log/mysql/error.log",
"pattern": "Too many connections", "pattern_type": "regex" }Alert24 includes 3 server agents on the free plan; paid plans add 5 agents per subscription unit, and log-search monitoring is a paid feature.
Common questions about the Log Pattern Library
nginx writes to /var/log/nginx/access.log and /var/log/nginx/error.log. Apache uses /var/log/apache2/ on Debian/Ubuntu and /var/log/httpd/ on RHEL/CentOS. MySQL/MariaDB log to /var/log/mysql/error.log (Debian) or /var/log/mysqld.log (RHEL). PostgreSQL writes to /var/log/postgresql/ on Debian or /var/lib/pgsql/data/log/ on RHEL. This tool lists the exact default paths for each application, including where Debian and RHEL differ.
High-signal patterns include nginx/Apache 5xx responses and upstream timeouts, MySQL "Too many connections" and deadlocks, PostgreSQL FATAL and "deadlock detected" lines, sshd "Failed password" attempts, Redis MISCONF persistence errors, the kernel OOM killer ("Out of memory: Killed process"), and systemd "Start request repeated too quickly" crash loops. Each pattern in this library includes a severity rating and an example matching line.
On Debian/Ubuntu the MySQL/MariaDB error log defaults to /var/log/mysql/error.log; on RHEL/CentOS it is usually /var/log/mysqld.log. You can confirm the active path with the SQL query SHOW VARIABLES LIKE 'log_error';. The slow query log is separate (/var/log/mysql/mysql-slow.log) and only records queries above long_query_time.
PostgreSQL logs the literal phrase "deadlock detected" at ERROR level when it aborts a transaction to break a deadlock. Grep the server log (under /var/log/postgresql/ or the data directory log/ folder) for "deadlock detected". Recurring deadlocks usually point to inconsistent lock ordering in application transactions.
The Linux kernel logs "Out of memory: Killed process
Yes. Every pattern is a standard regular expression that has been validated to match the example log line shown next to it. They are written to be portable across grep -E, common log shippers, and the Alert24 agent. You should still test against your own log format, since custom log formats (for example a non-default nginx log_format) can change field positions.
Each pattern includes a ready-to-paste Alert24 server-agent config block in the file log-search format: a JSON object with name, source "file", path, pattern, and pattern_type "regex". Add the object to the log_searches array in your agent config and the agent reports match counts on every heartbeat, which you can alert on. Alert24 includes 3 server agents on the free plan; paid plans add 5 agents per unit, and log-search monitoring is a paid feature.
Frequently, yes. Common differences: Apache (/var/log/apache2 vs /var/log/httpd), MySQL (/var/log/mysql/error.log vs /var/log/mysqld.log), the system log (/var/log/syslog vs /var/log/messages), and the auth log (/var/log/auth.log vs /var/log/secure). Each application entry in this tool lists both where they differ.
Continue with these related tools
Check if an email address or password has appeared in known data breaches. See which breaches, what data was exposed, and when.
Check how strong your password is with entropy analysis, crack time estimates, and breach database checks via Have I Been Pwned. 100% client-side.
Generate secure random passwords with customizable options
The FHS specification defining where log files belong on Linux systems
Linux FoundationHow to query the systemd journal for unit logs and priorities
freedesktop.orgOfficial reference for nginx access and error log configuration
nginx.orgThis tool is provided for informational and educational purposes only. All processing happens entirely in your browser — no data is sent to or stored on our servers. While we strive for accuracy, we make no warranties about the completeness or reliability of results.