How to Check System Logs in Linux [ 4 Easy Methods]

Written by

Reviewed by

Last updated: June 15, 2024

Expert verified

SVG Image

TL;DR

To learn how to check system logs in Linux, follow these steps:

  1. Open your Terminal.
  2. Navigate to the log directory with cd /var/log/.
  3. List all files and details using ls -lah.
  4. Open a specific log file interactively with less syslog.
  5. Use the arrow keys to navigate, and press q to quit.

System logs can feel overwhelming, but they’re crucial for keeping your Linux system running smoothly. If you’ve dealt with system crashes or strange errors, there’s a solution. In this post, I’ll show you how to check system logs in Linux and configure them. You’ll discover where to find logs, how to read them, and the best practices for managing them effectively. By the end, you’ll have the skills to monitor your system’s health, troubleshoot problems, and ensure security more efficiently. Let’s explore and make those logs work for you.

What are System Logs in Linux?

Linux system logs are files that record various events that happen on your Linux system. These events include system operations, errors, warnings, and other important messages that help you understand what’s going on with your system. System logs are essential for:

  • Monitoring System Health: They help you keep track of your system’s performance and detect issues early.
  • Troubleshooting Problems: When something goes wrong, system logs provide detailed information that can help you identify and fix the problem.
  • Ensuring Security: Logs can alert you to unauthorized access attempts and other security-related events.

Where Are System Logs Located?

On most Linux systems, you can find system logs in the /var/log directory. This directory contains various log files, each serving a different purpose. Here are some common log files you might encounter:

  1. /var/log/syslog or /var/log/messages: These files contain general system activity logs. They record information about the system’s operation, including startup messages, shutdown messages, and other system events.
  2. /var/log/auth.log or /var/log/secure: These files keep logs of authentication-related events, such as login attempts and security notices.
  3. /var/log/kern.log: This file contains kernel logs. The kernel is the core part of the operating system, and this log file records low-level system operations and hardware-related events.
  4. /var/log/dmesg: This file records boot and kernel messages. It provides information about the hardware detected during system startup and any errors that occurred.
  5. /var/log/boot.log: This file contains messages related to the boot process. It helps you understand what happens during system startup.

System logs are typically managed by a logging daemon, such as syslog or systemd-journald. These daemons collect log messages from various sources and write them to the appropriate log files based on predefined rules.

To view and analyze system logs, you can use various command-line tools, such as:

  • cat: Display the contents of a log file.
  • tail: Display the last few lines of a log file in real-time.
  • grep: Search for specific patterns or keywords within log files.
  • less: Interactively view and navigate through large log files.

In addition to command-line tools, there are also graphical log viewers and centralized log management solutions available for Linux, which can help in analyzing and visualizing log data more effectively.

How to Check System Logs in Linux?

To check system logs in Linux, you typically use the journalctl command, which is part of the systemd suite. This command allows you to view and manage system logs stored in the systemd journal. You can execute journalctl in the terminal to display all log messages, or add parameters to filter logs by specific criteria such as date, service, or priority level.

For instance, using journalctl -u nginx would show all logs related to the Nginx service. Other useful options include -f to follow the log in real-time, and --since followed by a date or time to view logs from a specific period.

That was the quick answer. Below, we’ll dive into more details on this method along with 3 more methods to Linux check system logs, each suited to different requirements and user preferences:

1. Directly Viewing Logs via Command Line

Accessing log files directly through the command line is a quick and effective way to check system logs for immediate troubleshooting needs. Follow these steps to check Linux logs:

  1. Access your Terminal window.
open terminal
  1. Type the following command to enter the directory where log files are stored: 
cd /var/log/

This command changes your current directory to /var/log/, where most log files are stored.

navigating to logs directory
  1. Now enter the following command to view all files in the log directory:
ls -lah 

It will also include details about their size and modification date.

listing all files in log directory
  1. Use the less command for an interactive view. For example, type: 
less syslog

This command opens the syslog file, allowing you to scroll through it interactively.

opening specific log file
  1. Navigate within the file using the arrow keys. Press q to quit and return to the command prompt.
navigating and exiting a log file

2. journalctl for systemd Logs

journalctl is a tool specifically designed for viewing Linux logs managed by systemd, the default init system for many Linux distributions. This method offers powerful filtering options that are crucial for managing modern Linux systems. Here is the step-by-step guide to check system logs in Linux:

  1. Open the Terminal.
  2. View all system logs by running the command:
journalctl

Simply display all logs from the systemd journal.

displaying all logs from systemd journal
  1. To narrow down Linux logs to a specific timeframe, type:
journalctl --since yesterday

This filters logs to show entries from yesterday to now.

listing logs from specific time frame
  1. To see logs of a particular severity, enter:
journalctl --priority=err

This shows logs with error severity.

viewing error message logs

3. Graphical Log Viewing Tools

Graphical tools such as GNOME Logs provide a user-friendly interface to view system logs, ideal for users who prefer graphical applications over command line tools. Follow these steps to check system logs in Linux:

  1. Open your Terminal and install GNOME logs:
sudo apt install gnome-logs

Enter your password to proceed with the installation.

installing gnome logs on ubuntu
  1. Find and launch GNOME Logs from your application menu or type gnome-logs in the Terminal.
searching for gnome logs in application menu
  1. The interface will display linux logs organized by different criteria. Use the search box and filters to locate specific log entries.
viewing logs using GUI

4. dmesg for Kernel Logs

The dmesg command is essential for viewing kernel messages, useful for diagnosing hardware and driver issues. It shows messages from the Linux kernel that are stored in the ring buffer. Here is how to Linux show logs:

  1. Launch the command prompt.
  2. Run the following command and press Enter:
dmesg

It will show all kernel messages.

view realtime kernel logs
  1. Use the following command to view messages with human-readable timestamps:
dmesg -T

This enhances the readability of timestamps.

viewing kernel messages with human readable timestamps
  1. Filter messages by level with the command: 
dmesg --level=err

This command filters the output to show only error messages.

viewing error messages only

How to Configure System Logs on Linux

System logs are essential for monitoring, troubleshooting, and securing Linux systems. This guide will provide clear and concise steps to configure system logs on Linux, covering the default logging system and basic customization.

  1. Open your Terminal and run the following command to install and start rsyslog:
sudo apt-get install rsyslog      
installing rsyslog
  1. Enable rsyslog to start on boot and start the service now:
sudo systemctl enable rsyslog

sudo systemctl start rsyslog
enabling and starting rsyslog service
  1. Open the rsyslog configuration file:
sudo nano /etc/rsyslog.conf
opening rsyslog configuration file in nano editor
  1. Set global directives in the configuration file:
$FileOwner root

$FileGroup adm

$FileCreateMode 0640

$IncludeConfig /etc/rsyslog.d/*.conf
setting global directives in configuration file
  1. Define log rules (e.g., log all authentication messages):
auth.* /var/log/auth.log
  1. Save and close the file.
defining log rules
  1. Now view the logs by running the command:
cat /var/log/syslog
viewing syslogs
  1. Open the logrotate configuration file:
sudo nano /etc/logrotate.conf
opening logrotate configuration file in nano editor
  1. Add a log rotation rule (e.g., rotate /var/log/syslog weekly):
/var/log/syslog {

  weekly

  rotate 4

  compress

  delaycompress

  missingok

  notifempty

  create 0640 root adm

}
  1. Save and close the file.
adding log rotation rule in logrotate configuration file
  1. Force log rotation manually (optional):
sudo logrotate -f /etc/logrotate.conf
manually log rotating
  1. Set appropriate permissions on the log file:
sudo chmod 640 /var/log/syslog

sudo chown root:adm /var/log/syslog
setting appropriate permissions on the log file

8 Best Practices for Effective Log Management

Proper log management is crucial for maintaining system integrity and security. Proper log management is crucial for maintaining system integrity and security. Here are eight best practices to follow for effective log management:

  • 📊 Centralize Log Management: Combine all your logs in one place to make it easier to check and analyze them. This helps you see the big picture and spot issues across your entire system more quickly.
  • 🔒 Secure Log Data: Keep your log data safe by using strong access controls and encryption. Make sure that only authorized personnel can access sensitive log information, whether it’s stored or being sent somewhere else.
  • 🔄 Implement Log Rotation: Use log rotation to manage the size of log files and save disk space. Automatically replace old logs with new ones and archive the old data to keep your system running smoothly.
  • 🛠️ Automate Monitoring and Alerts: Set up systems to automatically watch over your logs and alert you to unusual or suspicious activities. This helps you respond quickly to potential problems before they escalate.
  • 🔎 Perform Regular Audits: Regularly check your log management practices and systems to make sure they comply with your company’s policies and any legal requirements. Audits help fix any weaknesses before they become serious issues.
  • 📅 Maintain a Consistent Log Format: Keep log formats the same across all systems and devices to simplify analysis and automate reports. Using one format helps avoid confusion and makes processing data easier and faster.
  • 🌐 Utilize Log Analysis Tools: Use powerful tools to dig deep into your logs and pull out useful information. These tools can help you see trends, predict problems before they happen, and get helpful insights.
  • 🔄 Ensure High Availability of Log Data: Make sure your log data is always available by setting up backups and systems that can withstand failures. This protects your logs from being lost in case something goes wrong with your system.

Linux View System Logs: Final Thoughts

In this guide, I have explored how to check system log in Linux, including various tools and techniques. I have also covered configuring system logs and highlighted best practices for effective log management, such as log rotation and securing log files.

If you found this useful, I recommend exploring:

Frequently Asked Questions

How can I set permissions to restrict access to sensitive logs?

To restrict access to sensitive logs, you can set permissions using the chmod and chown commands. Assign logs to a specific user or group and set read-only permissions for others. Regularly audit permissions to ensure they remain secure.

Can system logs be recovered after accidental deletion?

Recovering deleted system logs depends on your backup practices. Regularly back up your logs to a separate storage solution. If logs are deleted, you can restore them from the backup. Without backups, recovery might not be possible unless using specialized data recovery tools, which are not always reliable.

How can I merge logs from different servers for centralized analysis?

To merge logs from different servers, use log management tools like Logstash or Fluentd. These tools collect logs from multiple sources, transform the data if necessary, and then store it in a central location like Elasticsearch for easy analysis.

How do system logs differ from application logs, and how should each be managed?

System logs record events from the operating system, while application logs capture events specific to an application’s operations. Manage system logs with system-level tools like journalctl, and use application-specific tools or configurations for application logs. Both should be monitored and maintained for security and performance.

Ojash

Author

Ojash is a skilled Linux expert and tech writer with over a decade of experience. He has extensive knowledge of Linux's file system, command-line interface, and software installations. Ojash is also an expert in shell scripting and automation, with experience in Bash, Python, and Perl. He has published numerous articles on Linux in various online publications, making him a valuable resource for both seasoned Linux users and beginners. Ojash is also an active member of the Linux community and participates in Linux forums.

Akshat

Reviewer

Akshat is a software engineer, product designer and the co-founder of Scrutify. He's an experienced Linux professional and the senior editor of this blog. He is also an open-source contributor to many projects on Github and has written several technical guides on Linux. Apart from that, he’s also actively sharing his ideas and tutorials on Medium and Attirer. As the editor of this blog, Akshat brings his wealth of knowledge and experience to provide readers with valuable insights and advice on a wide range of Linux-related topics.

Share this article
Shareable URL
Prev Post

How to Shutdown Ubuntu Server? [5 Best Methods]

Next Post

How to Find the PID and PPID Linux [7 Easy Methods]

Leave a Reply

Your email address will not be published. Required fields are marked *

Read next