DEV Community

Sospeter Mong'are

A Comprehensive Guide to Checking Logs in a Linux Server

Logs are the backbone of system administration, providing crucial insights into system behavior, errors, security events, and performance. Whether you're troubleshooting an issue, monitoring services, or auditing security, knowing how to access and analyze logs is essential.

This guide covers:

  • Where Linux stores logs
  • How to view system and application logs
  • Real-time log monitoring
  • Searching and filtering logs
  • Managing log rotation

1. Introduction to Linux Logs

Linux logs are stored in /var/log/ and are categorized into:

  • System logs (syslog, messages, auth.log)
  • Service logs (Nginx, Apache, MySQL, Docker)
  • Kernel logs (dmesg, kern.log)
  • Application logs (Django, Gunicorn, custom apps)

Logs help with:

  • Debugging crashes and errors
  • Monitoring user activity (logins, sudo commands)
  • Security auditing (failed SSH attempts)
  • Performance analysis (high CPU, memory usage)

2. Viewing System Logs

a. General System Logs

  • Debian/Ubuntu: /var/log/syslog
  • RHEL/CentOS: /var/log/messages

cat /var/log/syslog        # View entire log
tail -n 50 /var/log/syslog # View last 50 lines
# Systems that log only to the systemd journal have no such file; use journalctl (section 4) there.

b. Authentication Logs

Track logins, sudo usage, and SSH activity:

  • Debian/Ubuntu: /var/log/auth.log
  • RHEL/CentOS: /var/log/secure

grep "Failed password" /var/log/auth.log # Check failed SSH logins
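The grep above lists every failed login, but on a busy host the question is usually "which addresses are failing repeatedly, and who used sudo". The script below is an added example (not from the original post) that answers both from an auth.log-style file. The log lines, host name, process ids and addresses (documentation ranges 203.0.113.0/24 and 198.51.100.0/24) are constructed for the example; the function names are my own.

```shell
#!/bin/sh
# Added example: summarise SSH failures and sudo use from an auth.log-style
# file. The sample log below is constructed for this example; on a real host
# point the functions at /var/log/auth.log (Debian/Ubuntu) or
# /var/log/secure (RHEL/CentOS).

SAMPLE_AUTH_LOG=$(mktemp)
cat > "$SAMPLE_AUTH_LOG" <<'EOF'
Mar  5 10:15:01 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  5 10:15:03 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Mar  5 10:15:07 web1 sshd[2203]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar  5 10:16:11 web1 sshd[2210]: Failed password for alice from 198.51.100.7 port 40022 ssh2
Mar  5 10:16:40 web1 sshd[2215]: Accepted publickey for alice from 198.51.100.7 port 40030 ssh2
Mar  5 10:17:02 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart nginx
EOF

# Failed SSH password attempts per source address, busiest first.
# Output lines look like "203.0.113.5 3".
failed_ssh_by_ip() {
    grep 'sshd\[[0-9]*\]: Failed password' "$1" |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "from") { print $(i + 1); break } }' |
        sort | uniq -c | sort -rn |
        awk '{ print $2, $1 }'
}

# Addresses with at least $2 failures: the condition a fail2ban jail or an
# alerting rule acts on.
ssh_bruteforce_candidates() {
    failed_ssh_by_ip "$1" | awk -v threshold="$2" '$2 >= threshold { print $1 }'
}

# Who ran what through sudo, as "user command".
sudo_commands() {
    grep ' sudo: ' "$1" |
        sed -n 's/.* sudo: *\([^ ]*\) : .*COMMAND=\(.*\)$/\1 \2/p'
}

# Stand-alone run against the constructed sample.
echo "Failed SSH logins by source:"
failed_ssh_by_ip "$SAMPLE_AUTH_LOG"
echo "Addresses with 3 or more failures:"
ssh_bruteforce_candidates "$SAMPLE_AUTH_LOG" 3
echo "sudo commands:"
sudo_commands "$SAMPLE_AUTH_LOG"
```

The functions key on the sshd and sudo message formats shown in the sample; if your distribution logs through the journal only, feed them `journalctl -u ssh` or `journalctl _COMM=sudo` output instead of a file.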

c. Kernel & Boot Logs

  • dmesg – Kernel ring buffer (hardware, driver errors)
  • /var/log/boot.log – System startup logs
dmesg | grep -i "error" # Find kernel errors 

3. Checking Service-Specific Logs

a. Web Servers (Nginx/Apache)

  • Nginx

    tail -f /var/log/nginx/error.log # Real-time error tracking

  • Apache

    cat /var/log/apache2/error.log # Debian/Ubuntu
    cat /var/log/httpd/error_log   # RHEL/CentOS

b. Database Logs (MySQL/PostgreSQL)

  • MySQL/MariaDB

    cat /var/log/mysql/error.log

  • PostgreSQL

    cat /var/log/postgresql/postgresql-14-main.log # file name carries the major version and cluster name

c. Application Logs (Gunicorn, Django, Node.js)

  • Gunicorn (systemd)

    journalctl -u gunicorn --no-pager -n 100

  • Custom log files

    tail -f /var/log/myapp.log

4. Real-Time Log Monitoring

a. tail -f (Follow Live Logs)

tail -f /var/log/nginx/access.log # Watch web traffic in real time

b. journalctl (Systemd Logs)

journalctl -xe               # Recent entries with explanatory text (-x), starting at the end (-e)
journalctl -u nginx --follow # Follow Nginx service logs

c. less (Interactive Log Viewing)

less /var/log/syslog # Press `/` to search, `q` to quit

5. Searching & Filtering Logs

a. grep (Find Errors, Keywords)

grep -i "error" /var/log/syslog # Case-insensitive search
grep "Connection refused" /var/log/syslog

b. awk (Extract Specific Data)

# Get top IPs hitting Nginx
awk '{print $1}' /var/log/nginx/access.log | sort | uniq -c | sort -nr

c. sed (Filter by Date/Time)

# View logs from the last hour (traditional "Mon DD HH:MM:SS" timestamps).
# The pattern must be in double quotes so the $(date ...) substitutions expand;
# %e gives the space-padded day that syslog uses ("Mar  5"), %d would give "05".
# Prints from the first entry of the previous hour up to the first entry of the current hour.
sed -n "/^$(date -d '1 hour ago' +'%b %e %H:')/,/^$(date +'%b %e %H:')/p" /var/log/syslog
# On systems whose syslog uses ISO timestamps, or that log only to the journal:
journalctl --since "1 hour ago"
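The awk one-liner above counts requests per address; the script below, an added example rather than code from the original post, extends the same field-based approach to the questions that come up when reviewing an Nginx access log: which clients draw the most error responses, how the status codes are distributed, and what happened in a given hour. The access-log lines are constructed in the default "combined" format, and the function names are my own.

```shell
#!/bin/sh
# Added example: per-client and per-status summaries from an Nginx access log
# in the default "combined" format, whose whitespace-separated fields are:
#   $1 client address, $4 "[timestamp", $7 request path, $9 status code.
# The log below is constructed for this example; on a real host point the
# functions at /var/log/nginx/access.log.

SAMPLE_ACCESS_LOG=$(mktemp)
cat > "$SAMPLE_ACCESS_LOG" <<'EOF'
203.0.113.5 - - [05/Mar/2025:10:15:01 +0000] "GET /old-page HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Mar/2025:10:15:02 +0000] "GET /backup HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Mar/2025:10:15:03 +0000] "GET /admin HTTP/1.1" 403 162 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Mar/2025:10:15:10 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/8.5.0"
198.51.100.7 - - [05/Mar/2025:10:15:11 +0000] "GET /api/health HTTP/1.1" 200 15 "-" "curl/8.5.0"
192.0.2.44 - - [05/Mar/2025:10:16:00 +0000] "POST /api/login HTTP/1.1" 500 0 "-" "Mozilla/5.0"
EOF

# Requests per client address, busiest first (the awk one-liner from this
# section, with the count printed after the address).
top_clients() {
    awk '{ print $1 }' "$1" | sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}

# Clients ranked by 4xx/5xx responses. A client probing for paths that do
# not exist, or one that is simply broken, stands out here even when it is
# not the busiest address overall.
error_responses_by_client() {
    awk '$9 >= 400 { n[$1]++ } END { for (ip in n) print ip, n[ip] }' "$1" |
        sort -k2,2nr -k1,1
}

# How many responses carried each status code.
status_histogram() {
    awk '{ n[$9]++ } END { for (s in n) print s, n[s] }' "$1" | sort -n
}

# Requests within one hour, selected on the timestamp field. The hour is
# given in the log's own format, e.g. "05/Mar/2025:10".
requests_in_hour() {
    awk -v hour="[$2" 'index($4, hour) == 1' "$1"
}

echo "Top clients:";               top_clients "$SAMPLE_ACCESS_LOG"
echo "Error responses by client:"; error_responses_by_client "$SAMPLE_ACCESS_LOG"
echo "Status histogram:";          status_histogram "$SAMPLE_ACCESS_LOG"
echo "Requests in 05/Mar/2025:10:"; requests_in_hour "$SAMPLE_ACCESS_LOG" "05/Mar/2025:10" | wc -l
```

Field numbers shift if `log_format` has been customised in nginx.conf, so check the format directive before relying on `$9` as the status code.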

6. Log Rotation & Maintenance

Linux automatically rotates logs to prevent oversized files.

  • Config: /etc/logrotate.conf (per-service rules live in /etc/logrotate.d/)
  • Manual rotation:

    logrotate -f /etc/logrotate.conf
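A rotation rule for the custom application log from section 3 (/var/log/myapp.log), as an added example rather than a file from the original post. It assumes a service named myapp.service that reopens its log file when it receives SIGHUP; a service that cannot do that would use the `copytruncate` directive instead of the postrotate block.

```conf
# /etc/logrotate.d/myapp (added example; service name and HUP handling are assumptions)
/var/log/myapp.log {
    daily               # rotate once a day
    rotate 14           # keep two weeks of rotated files
    compress            # gzip rotated files
    delaycompress       # but leave the newest rotated file uncompressed for easy reading
    missingok           # no error if the file is absent
    notifempty          # skip rotation when the file is empty
    create 0640 myapp adm   # recreate the log with restrictive ownership and mode
    sharedscripts
    postrotate
        systemctl kill -s HUP myapp.service >/dev/null 2>&1 || true
    endscript
}
```

Check a new rule without touching any files with `logrotate -d /etc/logrotate.d/myapp`, which prints what would be rotated and why.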

7. Best Practices for Log Management

  • Regularly monitor critical logs (e.g., auth.log, nginx/error.log).
  • Use log aggregation tools (ELK Stack, Grafana Loki) for large-scale systems.
  • Set up log alerts (e.g., fail2ban for SSH brute-force attacks).
  • Archive old logs to avoid disk space issues.

Conclusion

Mastering Linux logs is crucial for system administrators, developers, and DevOps engineers. By leveraging commands like grep, journalctl, and tail, you can efficiently debug issues, enhance security, and optimize performance.

Next Steps:

  • Automate log monitoring with tools like Logwatch or Prometheus.
  • Set up centralized logging for distributed systems.
