Linux system logs are like the diary of your computer. They record everything that happens on your system, from booting up to shutting down, and even errors or warnings in between. If you’re new to Linux, learning how to read and interpret these logs can help you troubleshoot issues, monitor system activities, and become a more confident Linux user.
In this guide, we’ll cover:
- What are Linux System Logs?
- Types of Linux Logs
- Where are Logs Stored?
- How to View Logs in Systemd and Non-Systemd Systems
- Tips for Analyzing Logs
- Analyzing Logs
At the end, we will provide some frequently asked questions with answers and a cheat-sheet for quick reference.
Let’s get started!
1. What are Linux System Logs?
Linux system logs are files that record events and activities happening on your system. These logs are created by the operating system, applications, and services to help administrators (or curious users like you!) understand what’s going on under the hood.
Think of logs as a black box for your computer. If something goes wrong, you can check the logs to find out what happened and why.
2. Types of Linux Logs
Linux generates many types of logs, each serving a specific purpose. Here are the most common ones:
2.1. System Logs
These logs track general system activity and events. They record messages from the kernel, system services, and applications.
- On Debian/Ubuntu: /var/log/syslog
- On Red Hat/CentOS: /var/log/messages
2.2. Authentication Logs
Logs related to user authentication, such as login attempts, sudo usage, and SSH access.
- Debian/Ubuntu: /var/log/auth.log
- Red Hat/CentOS: /var/log/secure
2.3. Kernel Logs
Kernel logs help in debugging hardware issues and kernel-related errors.
- /var/log/kern.log: Logs specific to the Linux kernel, such as hardware issues or driver errors.
- /var/log/dmesg: Kernel ring buffer messages, useful for troubleshooting hardware and boot issues.
2.4. Boot Logs
/var/log/boot.log: Records events related to the system boot process.
2.5. Application Logs
Individual applications store logs in /var/log/ or in custom locations.
Examples:
- /var/log/apache2/ or /var/log/nginx/: Logs for web servers like Apache or Nginx.
- /var/log/mysql/: Logs for MySQL databases.
2.6. Cron Logs
/var/log/cron: Logs for scheduled tasks (cron jobs).
2.7. Package Manager Logs
Tracks software installations and updates.
- Debian/Ubuntu: /var/log/dpkg.log
- RHEL/Fedora: /var/log/dnf.log
3. Where are Logs Stored in Linux?
By default, Linux logs are stored in the /var/log/ directory. This is the central location for log files, and each log file has a specific purpose, as we discussed above.
To view the contents of this directory, open your terminal and run:
ls /var/log/
Sample Output from my Debian 12 System:
alternatives.log debug.4.gz messages.3.gz alternatives.log.1 dpkg.log messages.4.gz alternatives.log.10.gz dpkg.log.1 openvpn alternatives.log.11.gz dpkg.log.10.gz private alternatives.log.12.gz dpkg.log.11.gz auth.log.3.gz auth.log.4.gz installer runit boot.log journal samba boot.log.1 kern.log speech-dispatcher boot.log.2 kern.log.1 syslog boot.log.3 kern.log.2.gz syslog.1 boot.log.4 kern.log.3.gz syslog.2.gz boot.log.5 kern.log.4.gz syslog.3.gz boot.log.6 lastlog syslog.4.gz boot.log.7 lightdm system_uptime.log btmp lxc timeshift btmp.1 mail.info tor ceph mail.info.1 unattended-upgrades corosync mail.info.2.gz user.log cron.log mail.info.3.gz user.log.1 cron.log.1 mail.info.4.gz user.log.2.gz cron.log.2.gz mail.log user.log.3.gz cron.log.3.gz mail.log.1 user.log.4.gz cron.log.4.gz mail.log.2.gz vbox-setup.log cups mail.log.3.gz vbox-setup.log.1 daemon.log mail.log.4.gz vbox-setup.log.2 daemon.log.1 mail.warn vbox-setup.log.3 daemon.log.2.gz mail.warn.1 vbox-setup.log.4 daemon.log.3.gz mail.warn.2.gz vzdump daemon.log.4.gz mail.warn.3.gz wtmp debug mail.warn.4.gz wtmp.1 debug.1 messages Xorg.0.log debug.2.gz messages.1 Xorg.0.log.old debug.3.gz messages.2.gz Xorg.1.log
4. How to View Logs in Systemd and Non-Systemd Linux Systems
Linux systems use different tools to manage logs, depending on whether they use systemd (modern systems) or syslog (older systems).
4.1. Viewing Logs in Systemd Systems
Most modern Linux distributions (e.g., Ubuntu, Fedora, CentOS) use systemd, which comes with a powerful tool called journalctl.
Basic Commands
Note: You may need to run these commands as root or with sudo permission.
View all logs:
journalctl
Sample Output:
Hint: You are currently not seeing messages from other users and the system.
Users in groups 'adm', 'systemd-journal' can see all messages.
Pass -q to turn off this notice.
Aug 24 11:32:12 debian cinnamon-killer-daemon[2023]: Bound Cinnamon restart to <Control><Alt>Escape.
Aug 24 11:32:12 debian dbus-daemon[1720]: [session uid=1000 pid=1720] Activating via systemd: service name='org.bluez.obex' unit='obex.service>
Aug 24 11:32:12 debian systemd[1700]: Starting Bluetooth OBEX service...
Aug 24 11:32:12 debian obexd[2107]: OBEX daemon 5.55
Aug 24 11:32:12 debian dbus-daemon[1720]: [session uid=1000 pid=1720] Successfully activated service 'org.bluez.obex'
Aug 24 11:32:12 debian systemd[1700]: Started Bluetooth OBEX service.
Aug 24 11:32:13 debian dbus-daemon[1720]: [session uid=1000 pid=1720] Activating via systemd: service name='org.freedesktop.portal.Desktop' un>
Aug 24 11:32:13 debian systemd[1700]: Starting Portal service...
[...]
View logs in real-time:
journalctl -f
Press CTRL+C to quit.
Filter logs by priority (e.g., errors only):
journalctl -p err
View logs for a specific service (e.g., SSH):
journalctl -u ssh
View logs from the last boot:
journalctl -b
Filter logs by time:
journalctl --since "1 hour ago"
Key Options:
- -xe: Show detailed logs with explanations.
- --since "yyyy-mm-dd": View logs from a specific date.
- --until "yyyy-mm-dd": View logs up to a specific date.
4.2. Reading Logs in Non-Systemd Systems
Older Linux systems (or minimal installations) may use syslog for logging. In these systems, logs are stored as plain text files in /var/log/.
Basic Commands
Note: You may need to run these commands as root or with sudo permission.
View the entire log file:
cat /var/log/syslog
View the last few lines (E.g. 20) of a log file:
tail -n 20 /var/log/auth.log
Follow a log file in real-time:
tail -f /var/log/syslog
Search for specific keywords (e.g., "error" or "Failed password"):
grep "error" /var/log/syslog
grep "Failed password" /var/log/auth.log
5. Clearing Logs
Logs can grow large over time, consuming disk space. By clearing old logs, you free up space while keeping recent logs for troubleshooting.
Clear systemd logs:
sudo journalctl --vacuum-time=7d
This command clears systemd logs that are older than 7 days.
To clear logs older than 30 days:
sudo journalctl --vacuum-time=30d
Clear traditional logs (non-systemd):
sudo truncate -s 0 /var/log/syslog
This command clears the contents of the /var/log/syslog file without deleting the file itself.
If your system is running out of disk space, clearing logs can help. Clearing logs can also remove sensitive information, but be cautious: logs are often critical for troubleshooting.
It is recommended to use tools like logrotate to automate log rotation and deletion.
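As an added example that is not part of the original guide, here is a logrotate rule for a hypothetical application log directory /var/log/myapp/ written by a hypothetical myapp.service. It keeps a bounded history instead of truncating or deleting the live file, and it reloads the daemon after rotation so the old file is actually released.

```conf
# Added example: rotate /var/log/myapp/*.log (hypothetical paths and service name).
/var/log/myapp/*.log {
    # rotate once a day and keep seven rotated copies; the oldest is deleted
    daily
    rotate 7
    # gzip rotated files, but leave the newest one uncompressed for easy reading
    compress
    delaycompress
    # no error if a log is absent; skip rotation when the file is empty
    missingok
    notifempty
    # recreate the live file with restrictive permissions (root-owned, adm-readable)
    create 0640 root adm
    # run the script once for all matched files, not once per file
    sharedscripts
    postrotate
        # ask the daemon to reopen its log; a process that keeps the old file
        # open would otherwise keep writing to it, and the space is never freed
        systemctl kill -s HUP myapp.service 2>/dev/null || true
    endscript
}
```

The same reason is why sudo rm /var/log/syslog does not free space until the logging daemon is restarted; truncate -s 0 and logrotate avoid that problem.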
6. Tips for Analyzing Logs
Here are some tips to help you make sense of Linux logs:
Look for Timestamps:
Every log entry has a timestamp, which tells you when the event occurred. This is useful for tracking down issues.
Focus on Errors and Warnings:
Start by searching for keywords like "error", "warning", or "failed". These entries often point to problems that need attention.
Use Tools for Better Visualization:
- less: View logs page by page.
- grep: Search for specific patterns.
- awk: Extract specific columns or fields from logs.
Automate Log Monitoring and Rotation:
- Use logrotate to manage log file rotation and compression. It will help you to avoid manual log clearing.
- Set up fail2ban to monitor logs for suspicious activity and block malicious IPs.
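As an added example (not code from the original guide), the script below runs the "Failed password" search from section 4.2 and the fail2ban idea above over a few constructed auth.log-style lines: it uses awk to pull the source IP and user name out of each failed SSH login and counts them, which is the same signal fail2ban acts on. The log lines, the path /var/log/auth.log and the threshold of 3 are assumptions for the example.

```shell
#!/bin/sh
# Added example: count failed SSH logins per source IP and per user in an
# auth.log-style file. The sample lines below are constructed, not real data.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Aug 24 11:40:01 debian sshd[3101]: Failed password for invalid user admin from 198.51.100.23 port 51234 ssh2
Aug 24 11:40:03 debian sshd[3101]: Failed password for invalid user admin from 198.51.100.23 port 51236 ssh2
Aug 24 11:40:05 debian sshd[3104]: Failed password for root from 198.51.100.23 port 51240 ssh2
Aug 24 11:41:10 debian sshd[3110]: Accepted password for alice from 192.0.2.10 port 40022 ssh2
Aug 24 11:42:17 debian sshd[3115]: Failed password for alice from 192.0.2.10 port 40030 ssh2
Aug 24 11:43:00 debian CRON[3120]: pam_unix(cron:session): session opened for user root by (uid=0)
EOF

# Print "count ip" pairs, most frequent first. awk takes the field after "from",
# so the column position does not matter when "invalid user" shifts the fields.
failed_by_ip() {
    grep "Failed password" "$1" |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i+1) }' |
        sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Same idea keyed on the user name: the field after "for", or three fields
# later when sshd writes "for invalid user NAME".
failed_by_user() {
    grep "Failed password" "$1" |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "for") {
                   u = $(i+1); if (u == "invalid") u = $(i+3); print u } }' |
        sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# List sources with at least N failures (N defaults to the assumed threshold 3).
suspicious_ips() {
    failed_by_ip "$1" | awk -v max="${2:-3}" '$1 >= max { print $2 }'
}

echo "Failed logins by IP:";   failed_by_ip "$SAMPLE_LOG"
echo "Failed logins by user:"; failed_by_user "$SAMPLE_LOG"
echo "Sources at or over threshold:"; suspicious_ips "$SAMPLE_LOG" 3
```

Replace "$SAMPLE_LOG" with /var/log/auth.log (or /var/log/secure on Red Hat systems) to run it on a real file; the same counting works on journalctl -u ssh output piped into the functions.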
7. Frequently Asked Questions (FAQ)
Q: What is the difference between systemd and syslog logging?
A: systemd is a modern system and service manager that includes its own logging system, the journal, which you read with journalctl. syslog is an older logging system that stores logs as plain text files in /var/log/.
Q: How do I clear logs?
A: For systemd logs:
sudo journalctl --vacuum-size=100M # Keep only the last 100MB of logs
For syslog logs:
sudo truncate -s 0 /var/log/syslog # Clear the syslog file
Q: Can I just delete log files?
A: Yes, but be careful. Deleting log files can free up disk space, but it also removes valuable information. Use tools like logrotate to manage logs instead.
8. Linux System Logs Cheat Sheet
8.1. Log File Locations
| Log File | Purpose |
|---|---|
| /var/log/syslog | General system logs (Debian/Ubuntu). |
| /var/log/messages | General system logs (Red Hat/CentOS). |
| /var/log/auth.log | Authentication logs (Debian/Ubuntu). |
| /var/log/secure | Authentication logs (Red Hat/CentOS). |
| /var/log/kern.log | Kernel logs (hardware, drivers, etc.). |
| /var/log/dmesg | Kernel ring buffer messages (boot and hardware issues). |
| /var/log/boot.log | System boot logs. |
| /var/log/cron | Logs for cron jobs (scheduled tasks). |
| /var/log/apache2/ | Apache web server logs (Debian/Ubuntu). |
| /var/log/nginx/ | Nginx web server logs. |
| /var/log/mysql/ | MySQL database logs. |
| /var/log/maillog | Mail server logs. |
8.2. View non-Systemd Logs
| Command | Description |
|---|---|
| cat /var/log/syslog | Display the entire log file. |
| less /var/log/syslog | View logs page by page. |
| tail -n 20 /var/log/syslog | View the last 20 lines of a log file. |
| tail -f /var/log/syslog | Follow a log file in real-time. |
| grep "error" /var/log/syslog | Search for the keyword "error" in logs. |
| dmesg | View kernel ring buffer messages. |
8.3. View Systemd Logs
| Command | Description |
|---|---|
| journalctl | View all systemd logs. |
| journalctl -xe | View detailed logs with explanations. |
| journalctl -f | Follow logs in real-time. |
| journalctl -p err | View logs with priority "error". |
| journalctl -u ssh | View logs for the SSH service. |
| journalctl --since "2023-10-01" | View logs since a specific date. |
| journalctl --until "2023-10-01" | View logs up to a specific date. |
| journalctl --vacuum-time=7d | Clear logs older than 7 days. |
8.4. Clear Logs
| Command | Description |
|---|---|
| sudo journalctl --vacuum-time=7d | Clear systemd logs older than 7 days. |
| sudo truncate -s 0 /var/log/syslog | Clear the contents of a log file (non-systemd). |
| sudo rm /var/log/syslog | Delete a log file (use with caution). |
8.5. Common Log Analysis Tips
- Search for Errors: Use grep "error" /var/log/syslog.
- Filter by Date: Use journalctl --since "yyyy-mm-dd".
- Monitor in Real-Time: Use tail -f /var/log/syslog.
- Automate Alerts: Set up Rsyslog or Fail2ban for critical issues.
Conclusion
Linux system logs contain important information about the system. By learning how to read and analyze the Linux log files, you can troubleshoot issues, monitor system performance, and gain a deeper understanding of how your Linux system works.
Whether you’re using a modern systemd-based distribution or an older syslog-based one, the tools and techniques covered in this guide will help you read and understand Linux logs with confidence.

2 comments
The logging daemon of systemd is journald, not journalctl. This is only to view logs.
yessir