System Logs

Something broke. The first place to look: logs. Linux logs everything, and knowing where to look is half the battle.

Log Locations

Traditional logs live in /var/log:

Terminal
$ ls /var/log
auth.log dmesg kern.log nginx/ syslog apt/ mysql/

Key Log Files

Log                     Contains
/var/log/syslog         General system messages
/var/log/auth.log       Authentication (login attempts)
/var/log/kern.log       Kernel messages
/var/log/dmesg          Boot and hardware messages
/var/log/apt/           Package manager history

Application Logs

Apps often have their own log directories:

  • /var/log/nginx/
  • /var/log/mysql/
  • /var/log/apache2/

Reading Logs

Terminal
# Last 50 lines
$ tail -n 50 /var/log/syslog

# Follow in real-time
$ tail -f /var/log/syslog
(updates as new entries appear)

# Search for errors
$ grep -i error /var/log/syslog | tail -n 20

tail -f is Gold

When debugging a live issue:

Terminal
$ tail -f /var/log/nginx/error.log

Then trigger the error in another window. You'll see it appear instantly.

journalctl - systemd Logs

Modern systems use journald instead of (or alongside) traditional logs:

Terminal
$ journalctl
(all logs, paginated)
$ journalctl -f
(follow mode, like tail -f)
$ journalctl -u nginx
(logs for the nginx service)
$ journalctl --since '1 hour ago'
(recent logs)

Useful journalctl Options

Command                           Shows
journalctl -u service             Logs for a specific service
journalctl -f                     Follow (real-time)
journalctl -b                     Since last boot
journalctl -p err                 Errors only
journalctl --since "1 hour ago"   Time filter
journalctl -n 100                 Last 100 entries

Terminal
$ journalctl -u ssh -n 20
(last 20 SSH-related entries)
$ journalctl -p err --since today
(today's errors)

Common Troubleshooting

SSH Login Failures

Terminal
$ grep 'Failed password' /var/log/auth.log | tail -n 10
Jan 14 10:30:45 server sshd[1234]: Failed password for user from 192.168.1.100
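A single failed login is noise; many failures from the same address in a short window is the signal worth watching. As an added example (not part of the original page), the POSIX shell script below turns the grep above into a per-source count and flags addresses at or above a threshold. The log lines, host name, user names and addresses are constructed for the example; on a real host you would pipe /var/log/auth.log or the output of journalctl -u ssh into the same functions.

```shell
#!/bin/sh
# Constructed sample in the /var/log/auth.log format shown above.
# Host, users and addresses are placeholders made up for this example.
SAMPLE_AUTH_LOG='Jan 14 10:30:45 server sshd[1234]: Failed password for alice from 192.168.1.100 port 51234 ssh2
Jan 14 10:30:47 server sshd[1234]: Failed password for alice from 192.168.1.100 port 51236 ssh2
Jan 14 10:30:49 server sshd[1235]: Failed password for invalid user admin from 192.168.1.100 port 51240 ssh2
Jan 14 10:31:02 server sshd[1236]: Accepted password for alice from 192.168.1.100 port 51250 ssh2
Jan 14 10:35:10 server sshd[1240]: Failed password for bob from 10.0.0.7 port 40022 ssh2
Jan 14 10:40:00 server sshd[1250]: Failed password for invalid user test from 203.0.113.5 port 33000 ssh2
Jan 14 10:40:01 server sshd[1251]: Failed password for invalid user test from 203.0.113.5 port 33001 ssh2
Jan 14 10:40:02 server sshd[1252]: Failed password for invalid user root from 203.0.113.5 port 33002 ssh2
Jan 14 10:40:03 server sshd[1253]: Failed password for invalid user oracle from 203.0.113.5 port 33003 ssh2'

# failed_by_source: read auth.log-format lines on stdin, keep only
# "Failed password" entries, pull out the source address after "from",
# and print "<count> <address>" with the busiest source first.
failed_by_source() {
    grep 'Failed password' \
      | sed -n 's/.* from \([0-9.][0-9.]*\).*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{print $1, $2}'
}

# flag_bruteforce THRESHOLD: print only the addresses whose failure count
# is at or above THRESHOLD (one address per line, busiest first).
flag_bruteforce() {
    threshold="$1"
    failed_by_source | awk -v t="$threshold" '$1 >= t {print $2}'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_by_source
echo "--- sources with 3 or more failures ---"
printf '%s\n' "$SAMPLE_AUTH_LOG" | flag_bruteforce 3
```

The same pipeline works on rotated logs by feeding it `zcat /var/log/auth.log.2.gz` instead of the sample string.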

Service Crashes

Terminal
$ journalctl -u nginx --since '10 minutes ago'
(recent nginx activity)

Kernel Issues

Terminal
$ dmesg | tail -n 30
(recent kernel messages)
$ dmesg | grep -i error
(kernel errors)

Boot Problems

Terminal
$ journalctl -b -1
(logs from the previous boot)

Log Rotation

Logs are rotated automatically so they don't fill the disk:

Terminal
$ ls /var/log/syslog*
syslog syslog.1 syslog.2.gz syslog.3.gz

Older logs are compressed (.gz). Read with zcat or zgrep:

Terminal
$ zgrep 'error' /var/log/syslog.2.gz
(search a compressed log)

Knowledge Check

You suspect nginx crashed in the last hour. What's the best command?

Quick Reference

Command                           Shows
tail -f /var/log/file             Follow a log in real-time
journalctl -u service             Service logs
journalctl -f                     Follow all logs
journalctl -p err                 Error level only
journalctl --since "1 hour ago"   Time-filtered logs
dmesg                             Kernel messages
zgrep pattern file.gz             Search compressed logs

Key Takeaways

  • Traditional logs: /var/log/
  • Modern systems: use journalctl
  • tail -f for real-time monitoring
  • journalctl -u service for service-specific logs
  • Filter by time with --since
  • Old logs are compressed - use zgrep

Congratulations! You've completed Chapter 8: System Information.

You now know how to check disk, memory, CPU, and logs - essential for any system administrator.

Next chapter: Networking Basics - understanding network commands.