Linux Logs Explained Simply
When something breaks in Linux, experienced engineers don’t guess.
They check the logs.
👉 Logs are the “black box recorder” of a Linux system.
They tell you:
- what happened
- when it happened
- why it failed
If you can read logs properly, you can debug almost anything.
What Are Logs?
Logs are records of system and application activity.
Linux constantly records:
- System events
- Errors
- User activity
- Application behavior
Where are Logs Stored?
Most Linux logs are stored inside:
/var/log
Check logs directory:
cd /var/log
ls
This is the first place DevOps engineers check during system issues.
Important Log Files
| Log File | Purpose | Command to View |
|---|---|---|
| /var/log/syslog | General system messages | tail /var/log/syslog |
| /var/log/auth.log | Login attempts & authentication | tail /var/log/auth.log |
| /var/log/kern.log | Kernel & hardware messages | dmesg or tail /var/log/kern.log |
| /var/log/nginx/error.log | Web server errors (Nginx) | tail /var/log/nginx/error.log |
| /var/log/dmesg | Boot and hardware logs | dmesg |
/var/log/apache2/ -> Apache logs
These logs help you identify system, security, and application-level issues.
View Logs
Using cat
cat /var/log/syslog
Good for small files.
Using less
less /var/log/syslog
Useful keys:
- Space → Next page
- b → Previous page
- q → Quit
👉 Best for large log files.
Using tail
tail /var/log/syslog
Shows the last 10 lines.
Real-Time Monitoring (tail -f)
tail -f /var/log/syslog
👉 -f = follow live updates
This is one of the most-used debugging commands in production servers.
Stop with:
Ctrl + C
Searching Logs with grep
grep error /var/log/syslog
Case-insensitive:
grep -i failed /var/log/auth.log
Show latest matching errors:
grep error /var/log/syslog | tail -n 50
👉 Essential for filtering huge logs quickly.
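Going one step beyond a plain grep, the added example below (not part of the original article) groups failed SSH password attempts in auth.log-style lines by source address, so repeated attempts from one address stand out. The function names and the sample lines are constructed for illustration; the addresses come from documentation ranges.

```shell
#!/usr/bin/env bash
# Added example: count failed SSH password attempts per source address.
# The log lines below are constructed samples in the usual sshd auth.log
# format; they are not taken from a real system.

sample_auth_log() {
cat <<'EOF'
May 12 10:01:02 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
May 12 10:01:05 web1 sshd[2211]: Failed password for invalid user test from 203.0.113.7 port 51130 ssh2
May 12 10:01:09 web1 sshd[2214]: Failed password for root from 203.0.113.7 port 51141 ssh2
May 12 10:02:30 web1 sshd[2230]: Accepted publickey for deploy from 198.51.100.20 port 40022 ssh2
May 12 10:03:11 web1 sshd[2244]: Failed password for deploy from 198.51.100.20 port 40031 ssh2
May 12 10:04:00 web1 sudo: deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/systemctl status nginx
EOF
}

# failed_by_source [FILE...]
# Reads the given files (or stdin when none are given) and prints
# "count address" lines, highest count first.
failed_by_source() {
  # Keep only sshd "Failed password" lines, whichever file they came from.
  grep -h -- 'sshd\[[0-9]*\]: Failed password for ' "$@" |
    # The username is chosen by whoever is connecting, so it may itself
    # contain the word "from". Read the address by its position relative
    # to the END of the line ("... from ADDRESS port N ssh2") instead.
    awk 'NF >= 5 && $(NF-4) == "from" && $(NF-2) == "port" { n[$(NF-3)]++ }
         END { for (ip in n) print n[ip], ip }' |
    sort -k1,1nr -k2,2
}

# Demo on the constructed sample; on a real host you would run:
#   failed_by_source /var/log/auth.log
sample_auth_log | failed_by_source
```
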
Boot & Hardware Logs (dmesg)
dmesg
Shows:
- Boot messages
- Hardware detection
- Kernel events
Useful for startup and hardware troubleshooting.
Modern Log System: journalctl
Modern Linux systems use systemd logs.
journalctl
Recent errors:
journalctl -xe
Specific service logs:
journalctl -u nginx
Live monitoring:
journalctl -f
Last 1 hour:
journalctl --since "1 hour ago"
👉 journalctl is the modern replacement for many traditional log files.
What is Log Rotation?
Logs grow continuously.
Without cleanup:
- disks fill up
- systems slow down
Linux automatically rotates logs using:
logrotate
👉 Old logs are compressed or removed automatically.
Real-Life Troubleshooting Example
Problem: Website is not working.
systemctl status nginx
tail -f /var/log/nginx/error.log
journalctl -u nginx -xe
👉 In real systems, logs usually reveal the exact root cause.
⚠️ Common Beginner Mistakes
- guessing instead of checking logs
- using cat on huge files
- deleting logs blindly
- ignoring tail -f
- assuming service is healthy because it says “active”
Simple Mental Model
Think of logs like CCTV recordings:
- system logs → building activity
- auth logs → door access records
- kernel logs → hardware monitoring
- app logs → employee activity
👉 Debugging Linux = investigating evidence
Summary
what logs are
where logs are stored (/var/log)
important log files
cat, less, tail
live monitoring with tail -f
searching logs with grep
boot logs using dmesg
modern logging with journalctl
log rotation basics
Why Logs Matter
Logs are the foundation of:
- Linux troubleshooting
- DevOps debugging
- production incident response
- server monitoring
- security analysis
👉 The better you read logs, the faster you solve problems.
End of Linux Beginner Series
You have now learned:
- Linux basics
- filesystem structure
- permissions
- users & groups
- processes
- disk usage
- networking
- logs & troubleshooting
That’s already more Linux knowledge than most beginners have.
Final Next Step: Linux Troubleshooting Flow for Beginners
Final Question
Which topic in this Linux series helped you the most?
And what Linux topic should the next series cover?