Logs are the backbone of system administration, providing crucial insights into system behavior, errors, security events, and performance. Whether you're troubleshooting an issue, monitoring services, or auditing security, knowing how to access and analyze logs is essential.
This guide covers:
✔ Where Linux stores logs
✔ How to view system and application logs
✔ Real-time log monitoring
✔ Searching and filtering logs
✔ Managing log rotation
1. Introduction to Linux Logs
Linux logs are stored in /var/log/ and are categorized into:
- System logs (syslog, messages, auth.log)
- Service logs (Nginx, Apache, MySQL, Docker)
- Kernel logs (dmesg, kern.log)
- Application logs (Django, Gunicorn, custom apps)
Logs help with:
- Debugging crashes and errors
- Monitoring user activity (logins, sudo commands)
- Security auditing (failed SSH attempts)
- Performance analysis (high CPU, memory usage)
2. Viewing System Logs
a. General System Logs
- Debian/Ubuntu → /var/log/syslog
- RHEL/CentOS → /var/log/messages
cat /var/log/syslog # View entire log
tail -n 50 /var/log/syslog # View last 50 lines
b. Authentication Logs
Track logins, sudo usage, and SSH activity:
- Debian/Ubuntu → /var/log/auth.log
- RHEL/CentOS → /var/log/secure
grep "Failed password" /var/log/auth.log # Check failed SSH logins
c. Kernel & Boot Logs
- dmesg – Kernel ring buffer (hardware, driver errors)
- /var/log/boot.log – System startup logs
dmesg | grep -i "error" # Find kernel errors
3. Checking Service-Specific Logs
a. Web Servers (Nginx/Apache)
- Nginx
tail -f /var/log/nginx/error.log # Real-time error tracking
- Apache
cat /var/log/apache2/error.log # Debian/Ubuntu
cat /var/log/httpd/error_log # RHEL/CentOS
b. Database Logs (MySQL/PostgreSQL)
- MySQL/MariaDB
cat /var/log/mysql/error.log
- PostgreSQL
cat /var/log/postgresql/postgresql-14-main.log
c. Application Logs (Gunicorn, Django, Node.js)
- Gunicorn (systemd)
journalctl -u gunicorn --no-pager -n 100
- Custom log files
tail -f /var/log/myapp.log
4. Real-Time Log Monitoring
a. tail -f (Follow Live Logs)
tail -f /var/log/nginx/access.log # Watch web traffic in real-time
b. journalctl (Systemd Logs)
journalctl -xe # Jump to the end of the journal, with explanatory notes on errors
journalctl -u nginx --follow # Follow Nginx service logs
c. less (Interactive Log Viewing)
less /var/log/syslog # Press `/` to search, `q` to quit
5. Searching & Filtering Logs
a. grep (Find Errors, Keywords)
grep -i "error" /var/log/syslog # Case-insensitive search
grep "Connection refused" /var/log/syslog
b. awk (Extract Specific Data)
# Get top IPs hitting Nginx
awk '{print $1}' /var/log/nginx/access.log | sort | uniq -c | sort -nr
c. sed (Filter by Date/Time)
# View logs from the last hour (assumes the traditional "Mon dd HH:MM:SS" syslog timestamp and GNU date)
# Double quotes let the shell expand $(date ...); %e pads the day with a space, as syslog does;
# printing from the first line of the previous hour to the end of the file ($) covers the whole window
sed -n "/$(date -d '1 hour ago' +'%b %e %H:')/,\$p" /var/log/syslog
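As an added example (not from the original post), the grep and awk pipelines above combined into a small POSIX shell check a defender would actually run: count failed SSH logins per source address in auth.log-format lines and flag any address that reaches a threshold, which is the condition a fail2ban jail acts on. The log lines, temp-file path and function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not the original post's code. The sample below is constructed
# in the traditional syslog format that sshd writes to /var/log/auth.log.
SAMPLE_AUTH_LOG=$(cat <<'EOF'
Mar  5 14:02:11 web1 sshd[2301]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
Mar  5 14:02:14 web1 sshd[2301]: Failed password for invalid user admin from 198.51.100.23 port 51024 ssh2
Mar  5 14:02:19 web1 sshd[2305]: Failed password for root from 198.51.100.23 port 51030 ssh2
Mar  5 14:03:40 web1 sshd[2310]: Accepted publickey for deploy from 203.0.113.7 port 40110 ssh2
Mar  5 14:05:02 web1 sshd[2318]: Failed password for deploy from 203.0.113.7 port 40122 ssh2
EOF
)

# failed_ssh_by_ip FILE: print "<count> <ip>" per source address, highest count first.
# The awk loop finds the field after "from" instead of relying on a fixed column,
# so "invalid user" lines (which have two extra fields) are counted correctly.
failed_ssh_by_ip() {
    grep 'Failed password' "$1" \
      | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2 }'
}

# top_offender FILE: the single address with the most failures (empty if none).
top_offender() {
    failed_ssh_by_ip "$1" | head -n 1 | awk '{ print $2 }'
}

# flag_brute_force FILE THRESHOLD: addresses whose failure count reaches THRESHOLD,
# i.e. what an alert or a fail2ban-style ban rule would key on.
flag_brute_force() {
    failed_ssh_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Write the constructed sample to a temp file so the functions take a path,
# exactly as they would with /var/log/auth.log (or /var/log/secure on RHEL).
AUTH_SAMPLE=$(mktemp)
trap 'rm -f "$AUTH_SAMPLE"' EXIT
printf '%s\n' "$SAMPLE_AUTH_LOG" > "$AUTH_SAMPLE"

failed_ssh_by_ip "$AUTH_SAMPLE"      # 3 198.51.100.23 / 1 203.0.113.7
flag_brute_force "$AUTH_SAMPLE" 3    # 198.51.100.23
```

Point the functions at the real auth log (as root) to get the same per-address table for a live host.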
6. Log Rotation & Maintenance
Linux automatically rotates logs to prevent oversized files.
- Config: /etc/logrotate.conf
- Manual (forced) rotation:
logrotate -f /etc/logrotate.conf # Forces rotation of every log in the config; run as root
7. Best Practices for Log Management
✅ Regularly monitor critical logs (e.g., auth.log, nginx/error.log).
✅ Use log aggregation tools (ELK Stack, Grafana Loki) for large-scale systems.
✅ Set up log alerts (e.g., fail2ban for SSH brute-force attacks).
✅ Archive old logs to avoid disk space issues.
Conclusion
Mastering Linux logs is crucial for system administrators, developers, and DevOps engineers. By leveraging commands like grep, journalctl, and tail, you can efficiently debug issues, enhance security, and optimize performance.
Next Steps:
- Automate log monitoring with tools like Logwatch or Prometheus.
- Set up centralized logging for distributed systems.