System Logs (Revision Needed from LinkedIn Series PTC)

System logs are files that contain messages about the system, including kernel, services, security, boot, application, and hardware events. These logs help monitor and troubleshoot the system.

Common Log Files and Locations

| Path | Description |
| --- | --- |
| /var/log/syslog | General messages (Debian/Ubuntu) |
| /var/log/messages | General messages (RHEL/CentOS) |
| /var/log/auth.log | Authentication-related logs |
| /var/log/kern.log | Kernel logs |
| /var/log/dmesg | Boot-time kernel ring buffer |
| /var/log/boot.log | System boot log |
| /var/log/journal/ | Binary logs used by journalctl (systemd) |

Tools to Read Logs

journalctl – For systemd-based systems

Use journalctl to view the system logs that systemd stores in binary format.

Basic Usage

```bash
journalctl                       # View all logs
journalctl -b                    # Logs since last boot
journalctl -f                    # Follow live logs (like `tail -f`)
journalctl -u nginx              # Logs of a specific unit/service
journalctl --since "1 hour ago"
```

Useful Flags

| Flag | Description |
| --- | --- |
| -b | Since boot |
| -u | Filter by service/unit |
| -f | Follow log (live view) |
| --since / --until | Filter by time |
| -p | Priority levels (0=emerg, 7=debug) |
| -k | Kernel logs only |

Example

journalctl -u sshd --since "2025-07-20" --until "2025-07-22"

cat, tac, less, more – Reading plain text log files

a. cat – Display entire file

cat /var/log/messages

b. tac – Reverse display

tac /var/log/boot.log

c. less or more – Paged reading

```bash
less /var/log/syslog
more /var/log/auth.log
```

| Shortcut in less | Action |
| --- | --- |
| q | Quit |
| /keyword | Search forward |
| n / N | Next / Previous match |
| SPACE | Next page |

tail and head – For top/bottom of logs

a. View last N lines

tail -n 50 /var/log/syslog

b. Live monitor

tail -f /var/log/syslog

c. View first N lines

head -n 20 /var/log/messages

grep – Filter specific messages

```bash
grep "error" /var/log/syslog
journalctl | grep "failed"
```

wc – Word/line/byte count

```bash
wc -l /var/log/syslog    # Number of lines
wc -c /var/log/auth.log  # Total bytes
```

Combined Example

```bash
# Watch live sshd logs
journalctl -u sshd -f

# Check errors in system log
grep "error" /var/log/syslog

# View last 100 lines of syslog with line numbers
tail -n 100 /var/log/syslog | nl

# Count number of failed login attempts
grep "Failed password" /var/log/auth.log | wc -l
```
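The failed-login count from the Combined Example can be broken down per source address, which is usually what you want when triaging auth.log. The script below is an added example, not part of the original page. The function names and sample lines are constructed for illustration, and it assumes the usual sshd message layout plus rsyslog's "message repeated N times" collapsing, which makes a plain line count undercount.

```bash
#!/usr/bin/env bash
# Added example: summarise failed SSH password attempts per source address.

# Constructed sample lines in the usual sshd/rsyslog layout (documentation IPs).
sample_auth_log() {
cat <<'EOF'
Jul 21 10:15:01 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jul 21 10:15:03 web01 sshd[2101]: Failed password for root from 203.0.113.5 port 51236 ssh2
Jul 21 10:15:09 web01 sshd[2101]: message repeated 2 times: [ Failed password for root from 203.0.113.5 port 51236 ssh2]
Jul 21 10:16:40 web01 sshd[2110]: Accepted password for alice from 192.0.2.10 port 40022 ssh2
Jul 21 10:17:12 web01 sshd[2115]: Failed password for alice from 198.51.100.7 port 40100 ssh2
Jul 21 10:18:00 web01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls
EOF
}

# failed_by_source [FILE...]: prints "COUNT IP", highest count first.
# Reads stdin when no file is given, so it also works after `journalctl -u sshd`.
failed_by_source() {
  awk '
    {
      p = 0   # index of the "sshd[pid]:" tag; lines from other programs are skipped
      for (i = 1; i <= NF && !p; i++) if ($i ~ /^sshd\[[0-9]+\]:$/) p = i
      if (!p) next
      n = 1; s = p + 1
      # rsyslog collapses duplicates: "message repeated N times: [ original text]"
      if ($s == "message" && $(s+1) == "repeated") { n = $(s+2); s += 5 }
      if ($s != "Failed" || $(s+1) != "password") next
      # The username is supplied by the remote side, so do not trust its position:
      # keep the last "from ADDR port" triple, which sshd itself appends.
      ip = ""
      for (i = s; i + 2 <= NF; i++) if ($i == "from" && $(i+2) == "port") ip = $(i+1)
      if (ip != "") count[ip] += n
    }
    END { for (ip in count) print count[ip], ip }
  ' "$@" | sort -k1,1nr -k2,2
}

# total_failed [FILE...]: a single number that includes collapsed repeats.
total_failed() {
  failed_by_source "$@" | awk '{ s += $1 } END { print s + 0 }'
}

sample_auth_log | failed_by_source
echo "total: $(sample_auth_log | total_failed)"
```

On the sample, `grep "Failed password" | wc -l` reports 4 lines while the script counts 5 attempts, because one line stands for two repeated messages.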

Summary Table

| Task | Command |
| --- | --- |
| View all logs | journalctl |
| View service logs | journalctl -u service |
| Live logs | journalctl -f / tail -f |
| Filter by date | journalctl --since "YYYY-MM-DD" |
| Kernel logs | journalctl -k / dmesg |
| View plain-text logs | cat, less, more, tail, head |
| Search logs | grep, `journalctl \| grep` |
| Count log entries | wc -l, wc -c |