It’s extremely frustrating when your computer isn’t working properly and you don’t know why. While there aren’t easy resolutions to every issue you might encounter in Ubuntu, you can use resources like the Ubuntu error logs to troubleshoot and diagnose your PC woes.

What Are Ubuntu Logs?

The Ubuntu logs are comprehensive files that store a record of all the events that occur on your computer. It includes logged information about your hardware, operating system, and even some of your software.

These logs are invaluable for the troubleshooting and diagnosing process. They provide information like timestamps, context, and in-depth details about events that occur across your system. To make use of these logs, you must know about the most important types first.

Types of Ubuntu Logs

Rather than writing every bit of information into one log, Ubuntu records information in separate logs designed for different purposes. While there are too many logs to list, there are a few important logs (and log types) you should be aware of before you attempt to use them for troubleshooting.

viewing logs folder in ubuntu file manager
Screenshot by Hannah Knight -- No attribution required

Perhaps the most prominent of all the logs is the systemd journal. systemd is an integral service manager in Linux. As a result, issues with many different operating system services are recorded in the systemd journal. You can navigate this log with the journalctl command.

The system logs are also very important. These logs directly pertain to different parts of Ubuntu and might include things like system messages. Some of the system logs include:

  • The Authorization Log: Any process that requires authorization, such as a sudo command or user logins, will be recorded in this log.
  • The Daemon Log: This log pertains to any background services (or daemons), such as Bluetooth and SSH.
  • The Debug Log: This log provides debugging information provided by the system as well as applications that log to syslogd.
  • The Kernel Log: This log includes records of activity involving the Linux kernel.
  • The System Log: This log stores records that include most types of global activity on your system.
  • The Fail Log: This log stores records of failed logins, which makes it particularly helpful for checking if someone has attempted to break into your system.

Your computer may also have application logs (such as Apache log files or MySQL log files) stored in the /var/log directory. You can use the ls command to see all of the log files currently stored on your computer:

 ls /var/log

How to Read Logs on Ubuntu

Now that you’re familiar with the different types of logs on your system, you’re ready to delve into the information they store. Before you start, it’s important to note that not all system logs are written the same way.

Some logs are stored as plaintext files while other logs are stored as binary files. You’ll need to familiarize yourself with both types of files—and the command-line tools they’re paired with—if you want to effectively parse through the records on your system.

Plaintext file logs use a template known as RSYSLOG_TraditionalFileFormat and include four basic fields: timestamp, hostname, application, and message. For example, the kernel log uses this template:

viewing kernel log in terminal
Screenshot by Hannah Knight -- No attribution required

Unlike plaintext logs, binary file logs can’t be read as easily. You will need to use command-line utilities like who, last, and lastb to read logs like utmp, wtmp, and btmp, respectively. Commands like utmpdump for utmp variants and systemctl for journald are also designed to print binary log information in a readable format.

In most situations, knowing how to parse through these logs effectively in the terminal will be important. You can use commands like grep and tail to pull specific information without having to painstakingly read through the entirety of your system logs.

Some of the best commands you can use include:

  • grep: Searches for a string of characters in a file
  • tail: Prints 10 lines from the end of a file
  • head: Prints 10 lines from the beginning of a file
  • sort: Prints a file reorganized to your specifications

Command-line tools such as utmpdump and systemctl also have helpful flags that you should keep in mind when working in the terminal. These flags will allow you to modify the command and have increased control over what prints in the terminal.

Some particularly helpful flags for the journalctl command are:

  • -b: Causes journalctl to only return entries gathered after the last reboot
  • --since “YYYY-MM-DD HH:MM:SS” --until “YYYY-MM-DD HH:MM:SS”: Instructs journalctl to only return entries before and/or after the specified dates
  • -p NUM: Filters entries by their syslog priority levels (ranging from 0/emerg to 7/debug)

Troubleshooting Errors With Ubuntu Logs

Now that you’re familiar with the different types of system logs and know how to read through them effectively, the only thing left to do is apply the information you’ve gathered to the troubleshooting process. This process usually takes some creativity.

It’s a good idea to approach troubleshooting by thinking about the prominent characteristics of the issue you’re dealing with first. Does the issue happen when you open a certain application? Does your system crash and reboot every time the issue occurs?

When you think about the characteristics of the issue, it will naturally lead you to some of the best logs for gleaning information about it. For example, if your system is having issues during the boot process, you may be able to get some helpful information by referencing the boot entries in journald.

Enter the following command to print all of the logged boots in journald:

 journalctl --list-boots

The terminal will print a list of recorded boots; the most recent boots will be found at the bottom of the list. Look at the recorded dates and times for each boot until you’re able to find a logged boot where the error occurred.

Take the number from the leftmost column as NUM and enter the following command to get more information about the boot:

 journalctl -b -NUM -n

A comprehensive record of information about the boot will be displayed. If any unusual errors happened during the boot process, you could then use the information from this record to get a step further in troubleshooting them.

examining boot logs using journalctl in terminal
Screenshot by Hannah Knight -- No attribution required

The same principle applies to many other issues. If you don’t know much about the issue your computer is experiencing, however, it might be difficult to know where to start. There are a few logs that stand out as being particularly helpful for a wide range of issues with Ubuntu systems.

syslog is the best log to start with during the troubleshooting process. Since it’s effectively a global log, it is very likely to have some information about the issue you’re dealing with. If you’re having issues with authentication (like the sudo password not working error, for instance) or booting, then check auth.log or boot.log.

Search through the most relevant logs with keywords related to your problem. For example, if you’re having issues authenticating, you could pull records from auth.log with the following command:

 cat /var/log/auth.log | grep 'Authentication failure'

Eventually, you’re certain to find information that offers excellent insight. When you pair information from the error logs with research on the web, you’re very likely to find resources that will help you resolve issues with your system in no time.

Reference Online Resources to Troubleshoot Linux Errors

You don’t have to go through the troubleshooting process alone. As you gather information about the issue with your computer, you should use online resources like Ask Ubuntu and the detailed guides at MakeUseOf to get closer to finally diagnosing and repairing your PC.