When something breaks in Linux, experienced engineers don't guess.
They check the logs.
Logs are the “black box recorder” of a Linux system.
They tell you:
- what happened
- when it happened
- why it failed
If you can read logs properly, you can debug almost anything.
What Are Logs?
Logs are records of system and application activity.
Linux constantly records:
- System events
- Errors
- User activity
- Application behavior
Where are Logs Stored?
Most Linux logs are stored inside:
/var/log
Check logs directory:
cd /var/log
ls
This is the first place DevOps engineers check during system issues.
Important Log Files
| Log File | Purpose | Command to View |
|---|---|---|
| /var/log/syslog | General system messages | tail /var/log/syslog |
| /var/log/auth.log | Login attempts & authentication | tail /var/log/auth.log |
| /var/log/kern.log | Kernel & hardware messages | dmesg or tail /var/log/kern.log |
| /var/log/nginx/error.log | Web server errors (Nginx) | tail /var/log/nginx/error.log |
| /var/log/dmesg | Boot and hardware logs | dmesg |

/var/log/apache2/ -> Apache logs
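These logs help you identify system, security, and application-level issues. The syslog and auth.log paths are the Debian/Ubuntu names; RHEL-family systems use /var/log/messages and /var/log/secure instead.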
View Logs
Using cat
cat /var/log/syslog
Good for small files.
Using less
less /var/log/syslog
Useful keys:
- Space → Next page
- b → Previous page
- q → Quit
Best for large log files.
Using tail
tail /var/log/syslog
Shows the last 10 lines.
Real-Time Monitoring (tail -f)
tail -f /var/log/syslog
-f = follow live updates
This is one of the most-used debugging commands in production servers.
Stop with:
Ctrl + C
Searching Logs with grep
grep error /var/log/syslog
Case-insensitive:
grep -i failed /var/log/auth.log
Show latest matching errors:
grep error /var/log/syslog | tail -n 50
Essential for filtering huge logs quickly.
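Once grep shows failures in auth.log, the next question is usually which sources they come from. The script below is an added example, not part of the original post: it counts failed SSH password attempts per source IP. The log lines are constructed samples, and the function names sample_auth_log and failed_logins_by_ip are made up for this illustration.

```shell
#!/bin/sh
# Added example: summarize failed SSH password attempts per source IP.

# Constructed sample lines in the usual sshd/auth.log layout
# (addresses are from the documentation-only IP ranges).
sample_auth_log() {
  cat <<'EOF'
May 12 10:15:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 52314 ssh2
May 12 10:15:03 web01 sshd[2211]: Failed password for invalid user test from 203.0.113.7 port 52314 ssh2
May 12 10:15:09 web01 sshd[2240]: Failed password for root from 198.51.100.23 port 40022 ssh2
May 12 10:15:12 web01 sshd[2251]: Failed password for invalid user from from 203.0.113.7 port 52390 ssh2
May 12 10:16:40 web01 sshd[2302]: Accepted password for deploy from 192.0.2.10 port 51000 ssh2
May 12 10:17:02 web01 sudo: deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/systemctl status nginx
EOF
}

# Reads auth.log text on stdin and prints "COUNT IP" for every source with
# at least $1 failed attempts (default 1), busiest source first.
# The username is chosen by the remote client, so the IP is taken from the
# fixed tail of the line ("... from IP port N ssh2"), not the first "from".
failed_logins_by_ip() {
  awk -v min="${1:-1}" '
    /sshd\[[0-9]+\]: Failed password for / && $(NF-4) == "from" && $(NF-2) == "port" {
      count[$(NF-3)]++
    }
    END { for (ip in count) if (count[ip] >= min) print count[ip], ip }
  ' | sort -k1,1nr -k2,2
}

# Run on the constructed sample; prints one "COUNT IP" line per source.
sample_auth_log | failed_logins_by_ip
```

On a real host, run it as `failed_logins_by_ip 5 < /var/log/auth.log` (reading that file normally requires root or membership in the adm group). Lines that syslog collapses into "message repeated N times" are not expanded, so treat the counts as a lower bound.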
Boot & Hardware Logs (dmesg)
dmesg
Shows:
- Boot messages
- Hardware detection
- Kernel events
Useful for startup and hardware troubleshooting.
Modern Log System: journalctl
Modern Linux systems use systemd logs.
journalctl
Recent errors:
journalctl -xe
Specific service logs:
journalctl -u nginx
Live monitoring:
journalctl -f
Last 1 hour:
journalctl --since "1 hour ago"
journalctl is the modern replacement for many traditional log files.
What is Log Rotation?
Logs grow continuously.
Without cleanup:
- disks fill up
- systems slow down
Linux automatically rotates logs using:
logrotate
Old logs are compressed or removed automatically.
Real-Life Troubleshooting Example
Problem: Website is not working.
systemctl status nginx
tail -f /var/log/nginx/error.log
journalctl -u nginx -xe
In real systems, logs usually reveal the exact root cause.
⚠️ Common Beginner Mistakes
- guessing instead of checking logs
- using cat on huge files
- deleting logs blindly
- ignoring tail -f
- assuming a service is healthy because it says “active”
Simple Mental Model
Think of logs like CCTV recordings:
- system logs → building activity
- auth logs → door access records
- kernel logs → hardware monitoring
- app logs → employee activity
Debugging Linux = investigating evidence
Summary
- what logs are
- where logs are stored (/var/log)
- important log files
- cat, less, tail
- live monitoring with tail -f
- searching logs with grep
- boot logs using dmesg
- modern logging with journalctl
- log rotation basics
Why Logs Matter
Logs are the foundation of:
- Linux troubleshooting
- DevOps debugging
- production incident response
- server monitoring
- security analysis
The better you read logs, the faster you solve problems.
End of Linux Beginner Series
You have now learned:
- Linux basics
- filesystem structure
- permissions
- users & groups
- processes
- disk usage
- networking
- logs & troubleshooting
That's already more Linux knowledge than most beginners have.
Final Next Step:
Linux Troubleshooting Flow for Beginners
Final Question
Which topic in this Linux series helped you the most?
And what Linux topic should the next series cover?