System Logs (Revision Needed from LinkedIn Series PTC)
System logs are files that contain messages about the system, including kernel, services, security, boot, application, and hardware events. These logs help monitor and troubleshoot the system.
Common Log Files and Locations
Path | Description |
---|---|
/var/log/syslog | General messages (Debian/Ubuntu) |
/var/log/messages | General messages (RHEL/CentOS) |
/var/log/auth.log | Authentication-related logs |
/var/log/kern.log | Kernel logs |
/var/log/dmesg | Boot-time kernel ring buffer |
/var/log/boot.log | System boot log |
/var/log/journal/ | Binary logs used by journalctl (systemd) |
Tools to Read Logs
journalctl – For systemd-based systems
journalctl reads the system logs that systemd stores in binary format.
Basic Usage
journalctl # View all logs
journalctl -b # Logs since last boot
journalctl -f # Follow live logs (like `tail -f`)
journalctl -u nginx # Logs of a specific unit/service
journalctl --since "1 hour ago"
Useful Flags
Flag | Description |
---|---|
-b | Since boot |
-u | Filter by service/unit |
-f | Follow log (live view) |
--since / --until | Filter by time |
-p | Priority levels (0=emerg, 7=debug) |
-k | Kernel logs only |
Example
journalctl -u sshd --since "2025-07-20" --until "2025-07-22"
cat, tac, less, more – Reading plain text log files
a. cat – Display entire file
cat /var/log/messages
b. tac – Reverse display
tac /var/log/boot.log
c. less or more – Paged reading
less /var/log/syslog
more /var/log/auth.log
Shortcut in less | Action |
---|---|
q | Quit |
/keyword | Search forward |
n / N | Next / Previous match |
SPACE | Next page |
tail and head – For top/bottom of logs
a. View last N lines
tail -n 50 /var/log/syslog
b. Live monitor
tail -f /var/log/syslog
c. View first N lines
head -n 20 /var/log/messages
grep – Filter specific messages
grep "error" /var/log/syslog
journalctl | grep "failed"
wc – Word/line/byte count
wc -l /var/log/syslog # Number of lines
wc -c /var/log/auth.log # Total bytes
Combined Example
# Watch live sshd logs
journalctl -u sshd -f
# Check errors in system log
grep "error" /var/log/syslog
# View last 100 lines of syslog with line numbers
tail -n 100 /var/log/syslog | nl
# Count number of failed login attempts
grep "Failed password" /var/log/auth.log | wc -l
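The failed-login count above, extended to a per-source breakdown. This is an added example, not part of the original page; the sample log lines and the function names `sample_auth_log` and `failed_by_source` are constructed for illustration, and the addresses come from documentation ranges.

```bash
#!/usr/bin/env bash
# Added example: count failed SSH password attempts per source address.

# Constructed sample in the syslog format used by /var/log/auth.log.
sample_auth_log() {
cat <<'EOF'
Jul 21 10:01:12 host1 sshd[1201]: Failed password for root from 203.0.113.5 port 51122 ssh2
Jul 21 10:01:15 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51124 ssh2
Jul 21 10:02:40 host1 sshd[1210]: Accepted password for alice from 198.51.100.7 port 40022 ssh2
Jul 21 10:03:02 host1 sshd[1215]: Failed password for alice from 198.51.100.7 port 40030 ssh2
Jul 21 10:03:09 host1 sshd[1220]: Failed password for invalid user from from 203.0.113.5 port 51130 ssh2
Jul 21 10:04:00 host1 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls
EOF
}

# Read log lines on stdin and print "<count> <source>", highest count first.
# Optional argument: minimum count a source needs to be listed (default 1).
# The user name is client-supplied text (the last sample line uses "from"),
# so the address is located by counting fields from the END of the line:
#   ... from <address> port <number> ssh2
failed_by_source() {
  awk '/sshd\[[0-9]+\]: Failed password for / &&
       $(NF-4) == "from" && $(NF-2) == "port" { print $(NF-3) }' |
    sort | uniq -c |
    awk -v min="${1:-1}" '$1 >= min { print $1, $2 }' |
    sort -k1,1nr -k2,2
}

# Demo on the constructed sample.
sample_auth_log | failed_by_source
```

On a live system, feed it real data with `failed_by_source < /var/log/auth.log` or `journalctl -u sshd --no-pager | failed_by_source`. On RHEL/CentOS the authentication messages are written to /var/log/secure rather than /var/log/auth.log.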
Summary Table
Task | Command |
---|---|
View all logs | journalctl |
View service logs | journalctl -u service |
Live logs | journalctl -f / tail -f |
Filter by date | journalctl --since "YYYY-MM-DD" |
Kernel logs | journalctl -k / dmesg |
View plain-text logs | cat, less, more, tail, head |
Search logs | grep, `journalctl \| grep` |
Count log entries | wc -l, wc -c |