System Logs (Revision Needed from LinkedIn Series PTC)
System logs are files that contain messages about the system, including kernel, services, security, boot, application, and hardware events. These logs help monitor and troubleshoot the system.
Common Log Files and Locations
| Path | Description |
|---|---|
| /var/log/syslog | General messages (Debian/Ubuntu) |
| /var/log/messages | General messages (RHEL/CentOS) |
| /var/log/auth.log | Authentication-related logs |
| /var/log/kern.log | Kernel logs |
| /var/log/dmesg | Boot-time kernel ring buffer |
| /var/log/boot.log | System boot log |
| /var/log/journal/ | Binary logs used by journalctl (systemd) |
Tools to Read Logs
journalctl – For systemd-based systems
journalctl reads the system logs that systemd stores in binary format.
Basic Usage
```bash
journalctl                       # View all logs
journalctl -b                    # Logs since last boot
journalctl -f                    # Follow live logs (like `tail -f`)
journalctl -u nginx              # Logs of a specific unit/service
journalctl --since "1 hour ago"
```

Useful Flags
| Flag | Description |
|---|---|
| -b | Since boot |
| -u | Filter by service/unit |
| -f | Follow log (live view) |
| --since/--until | Filter by time |
| -p | Priority levels (0=emerg, 7=debug) |
| -k | Kernel logs only |
Example
```bash
journalctl -u sshd --since "2025-07-20" --until "2025-07-22"
```

cat, tac, less, more – Reading plain text log files
a. cat – Display entire file
```bash
cat /var/log/messages
```
b. tac – Reverse display
```bash
tac /var/log/boot.log
```
c. less or more – Paged reading
```bash
less /var/log/syslog
more /var/log/auth.log
```

| Shortcut in less | Action |
|---|---|
| q | Quit |
| /keyword | Search forward |
| n / N | Next / Previous match |
| SPACE | Next page |
tail and head – For top/bottom of logs
a. View last N lines
```bash
tail -n 50 /var/log/syslog
```
b. Live monitor
```bash
tail -f /var/log/syslog
```
c. View first N lines
```bash
head -n 20 /var/log/messages
```

grep – Filter specific messages
```bash
grep "error" /var/log/syslog
journalctl | grep "failed"
```

wc – Word/line/byte count
```bash
wc -l /var/log/syslog     # Number of lines
wc -c /var/log/auth.log   # Total bytes
```

Combined Example
```bash
# Watch live sshd logs
journalctl -u sshd -f
# Check errors in system log
grep "error" /var/log/syslog
# View last 100 lines of syslog with line numbers
tail -n 100 /var/log/syslog | nl
# Count number of failed login attempts
grep "Failed password" /var/log/auth.log | wc -l
```

Summary Table
| Task | Command |
|---|---|
| View all logs | journalctl |
| View service logs | journalctl -u service |
| Live logs | journalctl -f / tail -f |
| Filter by date | journalctl --since "YYYY-MM-DD" |
| Kernel logs | journalctl -k / dmesg |
| View plain-text logs | cat, less, more, tail, head |
| Search logs | grep, `journalctl \| grep` |
| Count log entries | wc -l, wc -c |
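
The failed-login count from the Combined Example, broken down per source address and corrected for collapsed duplicate lines, as an added example that is not part of the original page. The log lines are constructed in the Debian/Ubuntu auth.log format, and `sample_auth_log` and `failed_by_source` are hypothetical helper names.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): failed SSH password attempts per source.

# Constructed sample lines; the addresses come from documentation ranges.
sample_auth_log() {
    cat <<'EOF'
Jul 21 10:15:01 web01 sshd[2101]: Failed password for root from 203.0.113.5 port 52514 ssh2
Jul 21 10:15:03 web01 sshd[2101]: message repeated 2 times: [ Failed password for root from 203.0.113.5 port 52514 ssh2]
Jul 21 10:15:09 web01 sshd[2107]: Failed password for invalid user admin from 203.0.113.5 port 52520 ssh2
Jul 21 10:16:40 web01 sshd[2113]: Failed password for alice from 198.51.100.7 port 40022 ssh2
Jul 21 10:16:52 web01 sshd[2113]: Accepted password for alice from 198.51.100.7 port 40022 ssh2
Jul 21 10:17:30 web01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/less /var/log/syslog
EOF
}

# failed_by_source MIN [FILE...]   (reads stdin when no FILE is given)
# Prints "COUNT SOURCE" for each source with at least MIN failures, highest first.
failed_by_source() {
    min=$1; shift
    awk -v min="$min" '
        /sshd\[[0-9]+\]: / && /Failed password for / {
            n = 1
            # rsyslog can collapse duplicates into "message repeated N times: [ ... ]";
            # such a line stands for N failures, which a plain line count misses.
            if (match($0, /message repeated [0-9]+ times/)) {
                split(substr($0, RSTART, RLENGTH), parts, " ")
                n = parts[3]
            }
            # The source address follows the last "from"; scanning from the end
            # keeps a user name that itself contains "from" out of the result.
            for (i = NF; i > 1; i--)
                if ($(i - 1) == "from") { count[$i] += n; break }
        }
        END { for (src in count) if (count[src] >= min) print count[src], src }
    ' "$@" | sort -k1,1nr -k2,2
}

# Sources with at least 3 failed attempts in the sample.
sample_auth_log | failed_by_source 3
```

On a real host, pass the log file instead of the sample: `failed_by_source 3 /var/log/auth.log`.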