{"id":4025,"date":"2021-02-03T23:16:25","date_gmt":"2021-02-03T23:16:25","guid":{"rendered":"https:\/\/linuxways.net\/?p=4025"},"modified":"2021-02-03T23:16:28","modified_gmt":"2021-02-03T23:16:28","slug":"how-to-view-standard-log-files-on-ubuntu-linux-servers","status":"publish","type":"post","link":"https:\/\/linuxways.net\/de\/ubuntu\/how-to-view-standard-log-files-on-ubuntu-linux-servers\/","title":{"rendered":"How to View Standard Log Files on Ubuntu Linux Servers"},"content":{"rendered":"

Logs are extremely useful when troubleshooting system, application or network problems. Information captured in log files may also be analyzed to uncover patterns that can help you make informed decisions as a system admin.<\/p>\n

This guide briefly explains how you can view standard log files on Ubuntu Linux servers.<\/p>\n

Important commands for working with log files<\/h2>\n

On Ubuntu Linux servers, logs are normally stored in plain text format. Hence, it is important that you know the following basic Linux commands for moving around the filesystem and working with text files via the Ubuntu terminal.<\/p>\n

cd<\/strong> – change directory<\/p>\n

ls<\/strong> – display the contents of a directory<\/p>\n

cp<\/strong> – copy files or folders<\/p>\n

mv<\/strong> – rename\/move files or folders<\/p>\n

nano<\/strong> – console-based text editor<\/p>\n

less<\/strong> – view the content of a text file one page at a time<\/p>\n

head<\/strong> – display the first 10 lines of a text file<\/p>\n

tail<\/strong> – view the last 10 lines of a text file<\/p>\n

grep<\/strong> – search for specific keywords in a text file or output data<\/p>\n

Location of log files on Ubuntu servers<\/h2>\n

Basically, log files are stored under the \/var\/log<\/strong> directory on Ubuntu servers. Run the command below to change the directory to \/var\/log.<\/p>\n

$ cd \/var\/log<\/strong><\/pre>\n
Now, you may list the content of \/var\/log as follows.<\/p>\n
$ ls<\/strong><\/pre>\n
As seen in figure 1 below, the \/var\/log directory contains several log files that can be broadly categorized into system logs and application logs.<\/p>\n
<\/p>\n
Figure 1: List log files on Ubuntu server<\/strong><\/p>\n
System logs<\/h2>\n
System logs contain information about the operation of the Ubuntu system; including authorization logs, kernel logs, kernel ring buffer, and general system events.<\/p>\n
Authorization logs<\/h3>\n
Authorization logs are stored in \/var\/log\/auth.log<\/strong>. This is where you will find information about user authorization attempts; including the use of the sudo command.<\/p>\n
You may run the command below to inspect the content of the auth.log file.<\/p>\n
$ sudo less \/var\/log\/auth.log<\/strong><\/pre>\n
Note: <\/strong>Hit the spacebar on your keyboard to scroll from page to page. Press q <\/strong>to exit.<\/p>\n
You could also use the grep command to filter the information in the logs. Here is an example.<\/p>\n
$ sudo less \/var\/log\/auth.log | grep olu<\/strong><\/pre>\n
The information in the sample output<\/strong> below indicates that there was a successful remote login to my Ubuntu server via ssh by user olu.<\/p>\n\n\n\n
Feb 1 15:44:24 Ubuntu sshd[1594]: Accepted publickey for olu from 105.0.0.100 port 35233 ssh2: RSA SHA256:B3zi4x3gdF89wm0GZw+fsAkhckLEsx8fJ0GJiU80CXH<\/p>\n
Feb 1 15:44:24 Ubuntu sshd[1594]: pam_unix(sshd:session): session opened for user olu by (uid=0)<\/p>\n
Feb 1 15:44:24 Ubuntu systemd-logind[747]: New session 2 of user olu.<\/p>\n
Feb 1 15:44:24 Ubuntu systemd: pam_unix(systemd-user:session): session opened for user olu by (uid=0)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
Kernel logs<\/h3>\n
Kernel logs are held in \/var\/log\/kern.log<\/strong>. This information is useful for troubleshooting kernel errors. The kernel controls everything in the operating system; including process management, memory management and device management.<\/p>\n
Use the following command to display the content of the kern.log file one page at a time.<\/p>\n
$ sudo less \/var\/log\/kern.log<\/strong><\/pre>\n
Or try this to display the first 10 lines of the kern.log file.<\/p>\n
$ sudo head \/var\/log\/kern.log<\/strong><\/pre>\n
Find specific information in kern.log.<\/p>\n
$ grep memory \/var\/log\/kern.log<\/strong><\/pre>\n
Kernel ring buffer<\/h3>\n
The kernel ring buffer holds kernel hardware information. The information is logged in \/var\/log\/dmesg<\/strong> and can be displayed by using the dmesg<\/strong> command. This information includes all detected devices at system boot time.<\/p>\n
You can use this to troubleshoot issues with server hardware components. Run the command below to view the entire content of the kernel ring buffer.<\/p>\n
$ dmesg<\/strong><\/pre>\n
Try the next command to display the last 10 lines of the kernel ring buffer.<\/p>\n
$ dmesg | tail<\/strong><\/pre>\n
Or filter for specific keywords using grep.<\/p>\n
$ dmesg | grep cpu<\/strong><\/pre>\n
General system logs<\/h3>\n
Here, we are going to talk about syslog<\/strong> and journalctl<\/strong><\/p>\n
Syslog<\/h4>\n
Syslog is a logging mechanism that stores general system events in \/var\/log\/syslog<\/strong>. The information stored here may include events that you may not find in other log files.<\/p>\n
Run the command below to display the content of the syslog file page by page.<\/p>\n
$ sudo less \/var\/log\/syslog<\/strong><\/pre>\n
You could also search for specific keywords using the grep<\/strong> command as follows.<\/p>\n
$ sudo grep failed \/var\/log\/syslog<\/strong><\/pre>\n
Journalctl<\/h4>\n
The journalctl command simplifies the process of examining server logs. Rather than look through individual log files, you could use journalctl to quickly find and filter the information that you need.<\/p>\n
The command below displays all log entries from oldest to newest.<\/p>\n
$ journalctl<\/strong><\/pre>\n
The next command shows warning messages.<\/p>\n
$ journalctl -p warning<\/strong><\/pre>\n
You can display only kernel messages as follows.<\/p>\n
$ journalctl --dmesg<\/strong><\/pre>\n
You can search for specific keywords by combining the grep<\/strong> command and view results page by page using less<\/strong>.<\/p>\n
$ journalctl | grep ssh | less<\/strong><\/pre>\n
View log information since a specific date.<\/p>\n
$ journalctl --since=2021-02-01<\/strong><\/pre>\n
Or view log information since a specific time.<\/p>\n
$ journalctl --since=12:00<\/strong><\/pre>\n
You could also type journalctl<\/strong> and then press the tab key on your keyboard to see available options.<\/p>\n
Application Logs<\/h2>\n
Several applications store log information under \/var\/log<\/strong>. For example, in figure 1 above, the clamav<\/strong> directory contains log files pertaining to the ClamAV anti-malware application.<\/p>\n
Here are some examples of popular applications or services and where their log information is stored.<\/p>\n
Apache web server logs - \/var\/log\/apache2<\/strong><\/pre>\n
NGINX web server logs - \/var\/log\/nginx<\/strong><\/pre>\n
Printing system (CUPS) logs - \/var\/log\/cups<\/strong><\/pre>\n
Other Useful Logs<\/h2>\n
Some log files such as lastlog<\/strong>, wtmp<\/strong> may not be directly read by humans. The following is a brief explanation of what type of information these files contain and how you can view it.<\/p>\n
lastlog<\/h3>\n
The information held in \/var\/log\/lastlog <\/strong>pertains to users and their most recent login to the Ubuntu server. You would need to use the lastlog<\/strong> command to access it as follows.<\/p>\n
$ lastlog<\/strong><\/pre>\n
wtmp<\/h3>\n
The var\/log\/wtmp<\/strong> file holds comprehensive login records.<\/p>\n
Run the last<\/strong> command to display a list of last logged in users. You may also see information about system boot\/reboot.<\/p>\n
$ last<\/strong><\/pre>\n
Run the who <\/strong>command to see who is currently logged in.<\/p>\n
$ who<\/strong><\/pre>\n
The w<\/strong> command shows you who is currently logged in and what they are doing on the Ubuntu server.<\/p>\n
$ w<\/strong><\/pre>\n
Conclusion<\/h2>\n
In this guide, we have briefly covered how to view standard log files on Ubuntu servers. This is not an exhaustive list but we hope that it gives you an idea of where to look.<\/p>","protected":false},"excerpt":{"rendered":"
Logs are extremely useful when troubleshooting system, application or network problems. Information captured in log files may also be analyzed to uncover patterns that can help you make…<\/p>","protected":false},"author":28,"featured_media":4028,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[35,174,100],"class_list":["post-4025","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ubuntu","tag-linux","tag-log-files","tag-ubuntu-20-04"],"_links":{"self":[{"href":"https:\/\/linuxways.net\/de\/wp-json\/wp\/v2\/posts\/4025","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/linuxways.net\/de\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/linuxways.net\/de\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/linuxways.net\/de\/wp-json\/wp\/v2\/users\/28"}],"replies":[{"embeddable":true,"href":"https:\/\/linuxways.net\/de\/wp-json\/wp\/v2\/comments?post=4025"}],"version-history":[{"count":0,"href":"https:\/\/linuxways.net\/de\/wp-json\/wp\/v2\/posts\/4025\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/linuxways.net\/de\/wp-json\/wp\/v2\/media\/4028"}],"wp:attachment":[{"href":"https:\/\/linuxways.net\/de\/wp-json\/wp\/v2\/media?parent=4025"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/linuxways.net\/de\/wp-json\/wp\/v2\/categories?post=4025"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/linuxways.net\/de\/wp-json\/wp\/v2\/tags?post=4025"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}