Linux 122: Using and Managing System Logs on Linux

System logs are the first place you should look when diagnosing issues or tracking system activity on a Linux server. Proper log management is essential for debugging, auditing, and maintaining system health. In this article, we’ll explore how Linux logs work, where to find them, and how to manage them effectively.


📘 1. What Are System Logs?

System logs are text records of events generated by the Linux kernel, services, and user-level applications. They can contain a wide range of information:

  • System boot information

  • Authentication attempts

  • Package installations

  • Hardware errors

  • Custom application output


📂 2. Common Log File Locations

Most logs in Linux are stored under /var/log. Here are some key files and what they contain:

  Log File                                Description
  /var/log/syslog or /var/log/messages    General system activity (syslog on Debian/Ubuntu, messages on RHEL/Fedora)
  /var/log/auth.log or /var/log/secure    Authentication events: sshd, sudo and PAM (auth.log on Debian/Ubuntu, secure on RHEL/Fedora)
  /var/log/dmesg                          Kernel ring buffer as captured at boot; many current systems no longer write it, use the dmesg command or journalctl -k instead
  /var/log/kern.log                       Kernel messages
  /var/log/faillog                        Per-user failed-login counters; a binary database, read it with the faillog command rather than cat
  /var/log/boot.log                       Boot-related services and messages
  /var/log/Xorg.0.log                     X server (GUI) logs

Note: File names vary between distributions (e.g., Debian-based vs. RHEL-based), and on systems that rely only on journald some of these text files do not exist until rsyslog is installed. Most of them are readable only by root (and, on Debian-based systems, by members of the adm group), so expect to need sudo.


🛠️ 3. Viewing Log Files

Use cat, less, tail, and grep. Prefix the commands with sudo where the file is not readable by your user.

  # View entire file
  cat /var/log/syslog

  # Paginate output
  less /var/log/syslog

  # View the last few lines
  tail -n 50 /var/log/auth.log

  # Monitor log in real-time
  tail -f /var/log/syslog

  # Filter lines with keyword (-i ignores case, since messages mix "error" and "Error")
  grep -i "error" /var/log/syslog

🧾 4. journald and journalctl

Most modern distributions use systemd-journald to collect logs. You can access them using:

  # View all journal logs
  journalctl

  # Logs from the current boot (use -b -1 for the previous boot)
  journalctl -b

  # Logs for a specific service (the unit is named ssh on Debian/Ubuntu, sshd on RHEL/Fedora)
  journalctl -u ssh

  # Show logs in real-time
  journalctl -f

  # Filter by time
  journalctl --since "1 hour ago"

The journal is stored in a binary format. It is kept persistently under /var/log/journal/ only when that directory exists or Storage=persistent is set in /etc/systemd/journald.conf; otherwise it lives in /run/log/journal/ and is lost at reboot, which matters if you ever need to reconstruct what happened before a crash or a compromise. journald rotates and caps its own files (SystemMaxUse and the related settings), so it does not need logrotate. The system journal is readable by root and by members of the systemd-journal group (plus adm or wheel, depending on the distribution); if journalctl shows only your own session's entries, rerun it with sudo.
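Putting the commands from sections 3 and 4 to work: the script below is an added example, not part of the original article, that counts failed SSH password attempts per source address. It reads syslog-format lines on stdin, so it can be fed either from /var/log/auth.log (or secure) or from journalctl -u ssh, since both carry the same sshd message text. The sample lines, hostname, PIDs and addresses are constructed for the demonstration, and the threshold of 3 is an arbitrary choice.

```shell
#!/usr/bin/env bash
# Added example: report source IPs with repeated failed SSH password logins.
# Input: syslog/journalctl lines on stdin. Only "Failed password" lines are
# counted; key-based failures are logged at a different sshd log level.
set -eu

# failed_logins_by_ip [THRESHOLD]
# Prints "<count> <ip>" for every source with at least THRESHOLD (default 3)
# failed password attempts, most frequent first.
failed_logins_by_ip() {
    local threshold="${1:-3}"
    # sshd logs both "Failed password for <user> from <ip>" and
    # "Failed password for invalid user <user> from <ip>"; the IP is the
    # field after "from" in either form.
    awk -v min="$threshold" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { count[$(i+1)]++; break }
        }
        END {
            for (ip in count) if (count[ip] >= min) printf "%d %s\n", count[ip], ip
        }' | sort -rn
}

# Constructed sample input (not from a real host) in auth.log format.
SAMPLE_AUTH_LOG='Mar  4 10:01:02 web01 sshd[2301]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  4 10:01:05 web01 sshd[2303]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Mar  4 10:01:09 web01 sshd[2305]: Failed password for root from 203.0.113.7 port 51141 ssh2
Mar  4 10:01:12 web01 sshd[2307]: Failed password for root from 203.0.113.7 port 51150 ssh2
Mar  4 10:02:40 web01 sshd[2311]: Failed password for alice from 198.51.100.23 port 40022 ssh2
Mar  4 10:02:55 web01 sshd[2313]: Accepted publickey for alice from 198.51.100.23 port 40030 ssh2
Mar  4 10:03:10 web01 CRON[2320]: pam_unix(cron:session): session opened for user root by (uid=0)'

# Run with --demo to see the report on the sample lines; source the file to
# use failed_logins_by_ip on live input.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_logins_by_ip 3
fi
```

On a live host, after sourcing the script, the same function works on either log source: `sudo tail -n 1000 /var/log/auth.log | failed_logins_by_ip 5` or `sudo journalctl -u ssh --since today | failed_logins_by_ip 5` (journalctl drops its pager automatically when its output is a pipe). The demo report is "4 203.0.113.7": the single failure from 198.51.100.23 followed by an accepted key is normal user behaviour and stays below the threshold.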


🧹 5. Log Rotation with logrotate

To prevent logs from consuming too much disk space, logrotate renames, compresses, and eventually deletes older log files. It normally runs once a day from cron or from the logrotate.timer systemd unit.

Configuration Files

  • Global config: /etc/logrotate.conf

  • Per-service configs: /etc/logrotate.d/

Example Entry in /etc/logrotate.d/nginx

  /var/log/nginx/*.log {
      daily
      rotate 7
      compress
      missingok
      notifempty
  }

This rotates daily, keeps 7 rotated generations, compresses the rotated files, does not complain if a file is missing (missingok), and skips rotation when the file is empty (notifempty). Compared with the config distributions ship for nginx, two things are missing: a create line that sets the owner and mode of the freshly created log, and a postrotate block that tells nginx to reopen its log files (nginx does this on SIGUSR1). Without that reopen, the running daemon keeps writing to the renamed file, and once compress has gzipped and removed it the new lines are lost; delaycompress, which waits one cycle before compressing, is the usual companion to postrotate. To check what a config will do without touching any files, run logrotate -d /etc/logrotate.d/nginx.
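To see the failure mode described above in isolation, here is a small shell demonstration, added as an example and taken neither from the article nor from logrotate itself: file descriptor 3 stands in for a daemon that opened its log once and keeps the descriptor, and the two functions rotate that log the way logrotate does by default (rename) and the way copytruncate does. The file names and log contents are constructed; the directory is whatever the caller passes in.

```shell
#!/usr/bin/env bash
# Added example: why a log held open by a running daemon needs a reopen
# signal (postrotate) or copytruncate. A descriptor points at an inode, not
# at a path, so renaming the file does not redirect the daemon's writes.
set -eu

# rotate_by_rename DIR
# Rotates DIR/app.log by renaming it while fd 3 (the "daemon") stays open.
# Prints the number of lines in the renamed file: both lines, because the
# write after rotation still went to the old inode. No new app.log appears.
rotate_by_rename() {
    local dir="$1"
    exec 3>>"$dir/app.log"              # daemon opens its log once
    echo "before rotation" >&3
    mv "$dir/app.log" "$dir/app.log.1"  # what logrotate does by default
    echo "after rotation" >&3           # lands in app.log.1, not app.log
    exec 3>&-
    wc -l < "$dir/app.log.1" | tr -d ' '
}

# rotate_by_copytruncate DIR
# Copies the log, then truncates it in place. The daemon's descriptor was
# opened with >> (O_APPEND), so its next write starts at the new end of the
# same file. Prints the line count of app.log after rotation: 1.
# Caveat: any line written between the copy and the truncate is lost, which
# is why a proper postrotate reopen is preferred when the daemon supports it.
rotate_by_copytruncate() {
    local dir="$1"
    exec 3>>"$dir/app.log"
    echo "before rotation" >&3
    cp "$dir/app.log" "$dir/app.log.1"  # copy ...
    : > "$dir/app.log"                  # ... then truncate the original
    echo "after rotation" >&3           # still reaches app.log
    exec 3>&-
    wc -l < "$dir/app.log" | tr -d ' '
}

if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    n=$(rotate_by_rename "$d")
    if [ -e "$d/app.log" ]; then e=yes; else e=no; fi
    printf 'rename: %s lines in app.log.1, app.log exists: %s\n' "$n" "$e"
    rm -rf "$d"
    d=$(mktemp -d)
    printf 'copytruncate: %s line(s) in app.log after rotation\n' "$(rotate_by_copytruncate "$d")"
    rm -rf "$d"
fi
```

Running the script with --demo prints "rename: 2 lines in app.log.1, app.log exists: no" followed by "copytruncate: 1 line(s) in app.log after rotation". The first line is exactly what happens to nginx under the minimal config above until it receives SIGUSR1.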


🔐 6. Log Management Tips

  • Secure logs: Keep log files readable only by root and the distribution's log-reading group (on Debian-based systems that is root:adm with mode 0640; a blanket chmod 600 breaks tools that run as non-root members of that group). Logs contain usernames, source addresses and occasionally secrets pasted into commands, so they must never be world-readable, and they should be writable only by root or the daemon that produces them, since an attacker who can edit a log can erase their tracks.

  • Monitor log size: Use du -sh /var/log and logrotate to control growth. A full /var or /var/log partition can stop services from starting and silently halts logging.

  • Use tools like:

    • GoAccess for web logs

    • Logwatch for daily summaries

    • rsyslog or syslog-ng for forwarding logs to a remote server. Forward over TCP with TLS rather than plain UDP 514, and keep the remote copy: an attacker with root on the host can alter the local files but not what has already been shipped.

  • Automate alerts with monitoring tools such as Nagios or Prometheus (with Alertmanager), or ship logs into a pipeline such as Logstash for indexing and alerting.
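A quick way to enforce the permission point from the first tip, added here as an example rather than something from the article: the function below lists every regular file under a directory that has any permission bit set for "other" or that is owned by someone other than the expected owner, so it can be pointed at /var/log (expected owner root) from a cron job or a configuration check. The demo uses a temporary directory and the current user as the expected owner, because creating root-owned files needs root. It relies on GNU find (-perm /mode) and GNU stat (-c).

```shell
#!/usr/bin/env bash
# Added example: find log files that are world-accessible or not owned by the
# expected user. Requires GNU find and GNU stat.
set -eu

# audit_log_perms DIR [OWNER]
# Prints "<octal mode> <owner> <path>" for every regular file under DIR that
# either has any "other" permission bit set or is not owned by OWNER
# (default root). Returns 1 if anything was found, 0 if the tree is clean.
audit_log_perms() {
    local dir="$1"
    local owner="${2:-root}"
    local bad
    # -perm /o+rwx matches when ANY of the other-read/write/execute bits is set.
    bad=$(find "$dir" -type f \( -perm /o+rwx -o ! -user "$owner" \) | sort)
    [ -n "$bad" ] || return 0
    printf '%s\n' "$bad" | while IFS= read -r f; do
        printf '%s %s\n' "$(stat -c '%a %U' "$f")" "$f"
    done
    return 1
}

if [ "${1:-}" = "--demo" ]; then
    # Constructed demo: three files in a scratch directory, one of them
    # correctly restricted and two that leak to "other".
    d=$(mktemp -d)
    touch "$d/ok.log" "$d/readable.log" "$d/writable.log"
    chmod 0640 "$d/ok.log"
    chmod 0644 "$d/readable.log"
    chmod 0666 "$d/writable.log"
    audit_log_perms "$d" "$(id -un)" || echo "findings above; fix with: chmod o-rwx <file>"
    rm -rf "$d"
fi
```

Against the real log directory the call is `sudo ./audit.sh` after changing the demo block, or simply `audit_log_perms /var/log` after sourcing the file; a non-zero exit makes it easy to wire into a check that fails loudly. Expect legitimate exceptions (for example files owned by a service account that writes its own log) and whitelist them deliberately rather than loosening the rule.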


✅ 7. Best Practices

  Practice                               Why It Matters
  Regularly check /var/log               Detect issues early
  Use journalctl for systemd services    Powerful filtering options
  Automate rotation and compression      Saves disk space
  Archive and back up logs               For audits and security
  Monitor suspicious log entries         Detect potential breaches

📌 Conclusion

System logs are your window into what’s happening on a Linux server. By understanding how to find, read, and manage logs, you can troubleshoot problems faster, keep your system secure, and ensure long-term stability.
