Troubleshooting a Linux system often feels like detective work, but the system itself provides the clues you need through its logging mechanisms.
Linux provides built-in commands and standardized directories to make log management straightforward. Master these approaches to maintain effective control over your system’s health.
Key Takeaways: How to Check System Logs in Linux
- journalctl command → The modern standard for querying systemd-based logs. It allows for advanced filtering by service name or time.
- /var/log directory → The central hub for traditional log files. It contains persistent data like general system messages and application-specific logs.
- tail command → Essential for real-time debugging. The -f flag lets you watch new log entries as they are written to the disk.
- less and cat commands → Fundamental tools for viewing static log files. Use less for longer logs to enable paging and scrolling.
Method 1: Using the journalctl Command
Modern Linux distributions use systemd to manage logs through a binary format known as the journal. The journalctl command is the primary tool used to query this data.
Run this command to view the most recent logs: journalctl -xe
The -e flag jumps to the end of the log, while -x adds explanatory text to help diagnose common errors. For a deeper dive into filtering by time or priority, you can refer to a complete guide to using journalctl.
Method 2: Inspecting /var/log/messages
While many logs are handled by systemd, the file /var/log/messages remains a vital destination for general system events that should persist between boots.
Use this syntax to view the end of the file: sudo tail -n 5 /var/log/messages
Because system logs often contain sensitive data, you must use administrative privileges to view them; otherwise, you will receive a “Permission denied” error. You can learn more about managing these rights in our guide to understanding the Linux sudo command.
Method 3: Monitoring Logs in Real-Time with tail
The tail command is indispensable when you need to watch a process execute or catch an error as it happens.
Run this to “follow” a log file: sudo tail -f /var/log/secure
The -f flag keeps the file open and updates the screen whenever a new line is written. This is particularly useful for verifying authentication attempts or if you need to check system reboot logs during troubleshooting.
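As an added example (not part of the original article), the functions below summarize a /var/log/secure-style stream instead of reading it by eye: failed SSH password attempts per source address, and the commands run through sudo. The sample lines, host name and function names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example. Every log line below is constructed sample data.
sample_secure_log() {
  cat <<'EOF'
Mar  3 10:15:01 host1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  3 10:15:04 host1 sshd[2211]: Failed password for root from 203.0.113.7 port 51124 ssh2
Mar  3 10:16:10 host1 sshd[2250]: Accepted publickey for alice from 198.51.100.20 port 40222 ssh2
Mar  3 10:17:45 host1 sshd[2290]: Failed password for alice from 198.51.100.20 port 40230 ssh2
Mar  3 10:18:02 host1 sudo[2301]:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/less /var/log/messages
Mar  3 10:19:30 host1 sshd[2330]: Failed password for invalid user backup admin from 203.0.113.7 port 51130 ssh2
EOF
}

# Count failed SSH password attempts per source address, busiest first.
# The user name is client-supplied text and may contain spaces, so the
# address is located by counting fields from the END of the line.
failed_logins_by_ip() {
  awk '/ sshd\[[0-9]+\]: Failed password for / &&
       $(NF-4) == "from" && $(NF-2) == "port" { n[$(NF-3)]++ }
       END { for (ip in n) print n[ip], ip }' | sort -k1,1nr -k2,2
}

# Print "<user><TAB><command>" for every sudo invocation in the stream.
sudo_commands() {
  awk '{
    for (i = 1; i < NF; i++)
      if ($i ~ /^sudo(\[[0-9]+\])?:$/) {       # syslog tag, with or without PID
        p = index($0, "COMMAND=")
        if (p) print $(i+1) "\t" substr($0, p + 8)
        break
      }
  }'
}

# Demo on the constructed sample.
sample_secure_log | failed_logins_by_ip
sample_secure_log | sudo_commands
```

On a live system, pipe real data in instead of the sample, for example sudo tail -n 1000 /var/log/secure | failed_logins_by_ip. Debian and Ubuntu write the same records to /var/log/auth.log.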
Method 4: Viewing Static Logs with less
For older logs or specific configuration records, the less command provides a more controlled viewing experience than cat because it allows you to page through the data.
Run this to open a log file for reading: less /var/log/dmesg
Use the UpArrow and DownArrow keys to scroll, and press q to exit. This method is much more efficient than dumping large files to your terminal, similar to how you might check file size in Linux before auditing storage usage.
Summary Tables
| Task | Recommended Command | Primary Purpose |
|---|---|---|
| Check Modern Journal | journalctl -xe | View latest systemd service logs. |
| View Static System Log | sudo less /var/log/messages | Inspect persistent system-wide events. |
| Follow Active Logs | tail -f <filename> | Watch errors occur in real-time. |
| Verify Boot Messages | journalctl -b | Review logs from the current boot session. |
| Audit Security Logs | sudo tail /var/log/secure | Check for login failures and sudo usage. |

| Important Log Location | Type of Data Stored |
|---|---|
| /var/log/messages | General system messages and daemon info. |
| /var/log/secure | Authentication and authorization records. |
| /var/log/boot.log | Messages generated during system startup. |
| /var/log/dmesg | Kernel ring buffer and hardware-related info. |
| /var/log/cron | Log data for scheduled background tasks. |
FAQs
What is the quickest way to check logs in Linux? For a quick glance at the most recent activity, use sudo tail -n 20 /var/log/messages. This displays the last 20 lines of the main system log.
Why do I get “Permission denied” when viewing logs? System logs are restricted to protect security boundaries between users. You must use sudo to gain the necessary access.
How can I search for a specific error in my logs? You can pipe log output to grep. For example, journalctl | grep -i "error" will filter the journal for any mention of an error regardless of case.
Can I view logs from a previous boot? Yes, if persistent logging is enabled, use journalctl -b -1 to view logs from the previous boot session.


