How to View Standard Log Files on Ubuntu Linux Servers

View Standard Log Files on Ubuntu Servers

Logs are extremely useful when troubleshooting system, application or network problems. Information captured in log files may also be analyzed to uncover patterns that can help you make informed decisions as a system admin.

This guide briefly explains how you can view standard log files on Ubuntu Linux servers.

Important commands for working with log files

On Ubuntu Linux servers, logs are normally stored in plain text format. Hence, it is important that you know the following basic Linux commands for moving around the filesystem and working with text files via the Ubuntu terminal.

cd – change directory

ls – display the contents of a directory

cp – copy files or folders

mv – rename/move files or folders

nano – console-based text editor

less – view the content of a text file one page at a time

head – display the first 10 lines of a text file

tail – view the last 10 lines of a text file

grep – search for specific keywords in a text file or output data

Location of log files on Ubuntu servers

Basically, log files are stored under the /var/log directory on Ubuntu servers. Run the command below to change the directory to /var/log.

$ cd /var/log

Now, you may list the content of /var/log as follows.

$ ls

As seen in figure 1 below, the /var/log directory contains several log files that can be broadly categorized into system logs and application logs.

Figure 1: List log files on Ubuntu server

System logs

System logs contain information about the operation of the Ubuntu system, including authorization logs, kernel logs, the kernel ring buffer, and general system events.

Authorization logs

Authorization logs are stored in /var/log/auth.log. This is where you will find information about user authorization attempts, including the use of the sudo command.

You may run the command below to inspect the content of the auth.log file.

$ sudo less /var/log/auth.log

Note: Hit the spacebar on your keyboard to scroll from page to page. Press q to exit.

You could also use the grep command to filter the information in the logs. Here is an example.

$ sudo grep olu /var/log/auth.log

The information in the sample output below indicates that there was a successful remote login to my Ubuntu server via ssh by user olu.

Feb 1 15:44:24 Ubuntu sshd[1594]: Accepted publickey for olu from port 35233 ssh2: RSA SHA256:B3zi4x3gdF89wm0GZw+fsAkhckLEsx8fJ0GJiU80CXH

Feb 1 15:44:24 Ubuntu sshd[1594]: pam_unix(sshd:session): session opened for user olu by (uid=0)

Feb 1 15:44:24 Ubuntu systemd-logind[747]: New session 2 of user olu.

Feb 1 15:44:24 Ubuntu systemd: pam_unix(systemd-user:session): session opened for user olu by (uid=0)
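Going one step beyond a single grep, the following added example (not part of the original guide) counts sshd login results per user and source address, then lists sources with repeated failures. The function names and the sample log lines are constructed for illustration; the addresses come from documentation ranges.

```shell
#!/bin/sh
# Added example: summarise sshd login results from auth.log-style lines.
# Constructed sample in auth.log format (not real server output).
sample_auth_log() {
cat <<'EOF'
Feb  1 15:44:24 Ubuntu sshd[1594]: Accepted publickey for olu from 192.0.2.10 port 35233 ssh2: RSA SHA256:CONSTRUCTED
Feb  1 15:50:02 Ubuntu sshd[1701]: Failed password for root from 203.0.113.7 port 40112 ssh2
Feb  1 15:50:05 Ubuntu sshd[1701]: Failed password for root from 203.0.113.7 port 40112 ssh2
Feb  1 15:50:09 Ubuntu sshd[1703]: Failed password for invalid user admin from 203.0.113.7 port 40120 ssh2
Feb  1 15:52:41 Ubuntu sshd[1720]: Failed password for olu from 198.51.100.23 port 51514 ssh2
Feb  1 15:53:10 Ubuntu sudo:      olu : TTY=pts/0 ; PWD=/home/olu ; USER=root ; COMMAND=/usr/bin/less /var/log/auth.log
EOF
}

# Reads auth.log lines on stdin; prints "<result> <user> <source> <count>".
ssh_login_summary() {
  awk '
    $5 ~ /^sshd\[/ && ($6 == "Accepted" || $6 == "Failed") {
      user = ""; src = ""
      # "invalid user" shifts the columns, so locate "from <ip> port"
      # instead of using fixed field numbers. Keep the LAST match,
      # because the user name is text supplied by the client.
      for (i = 8; i < NF - 1; i++)
        if ($i == "from" && $(i + 2) == "port") { user = $(i - 1); src = $(i + 1) }
      if (src != "") n[$6 " " user " " src]++
    }
    END { for (k in n) print k, n[k] }
  ' | LC_ALL=C sort
}

# failed_sources MIN: source addresses with at least MIN failed attempts.
failed_sources() {
  ssh_login_summary | awk -v min="$1" '
    $1 == "Failed" { c[$3] += $4 }
    END { for (ip in c) if (c[ip] >= min) print ip, c[ip] }
  ' | LC_ALL=C sort
}

# Demo on the constructed sample.
sample_auth_log | ssh_login_summary
sample_auth_log | failed_sources 2
```

On a real server, feed the functions from the log itself, for example `sudo cat /var/log/auth.log | failed_sources 5`.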

Kernel logs

Kernel logs are held in /var/log/kern.log. This information is useful for troubleshooting kernel errors. The kernel controls everything in the operating system, including process management, memory management and device management.

Use the following command to display the content of the kern.log file one page at a time.

$ sudo less /var/log/kern.log

Or try this to display the first 10 lines of the kern.log file.

$ sudo head /var/log/kern.log

Find specific information in kern.log.

$ grep memory /var/log/kern.log

Kernel ring buffer

The kernel ring buffer holds kernel hardware information. The information is logged in /var/log/dmesg and can be displayed by using the dmesg command. This information includes all detected devices at system boot time.

You can use this to troubleshoot issues with server hardware components. Run the command below to view the entire content of the kernel ring buffer.

$ dmesg

Try the next command to display the last 10 lines of the kernel ring buffer.

$ dmesg | tail

Or filter for specific keywords using grep.

$ dmesg | grep cpu

General system logs

Here, we are going to talk about syslog and journalctl.


Syslog is a logging mechanism that stores general system events in /var/log/syslog. The information stored here may include events that you may not find in other log files.

Run the command below to display the content of the syslog file page by page.

$ sudo less /var/log/syslog

You could also search for specific keywords using the grep command as follows.

$ sudo grep failed /var/log/syslog


The journalctl command simplifies the process of examining server logs. Rather than look through individual log files, you could use journalctl to quickly find and filter the information that you need.

The command below displays all log entries from oldest to newest.

$ journalctl

The next command shows warning messages.

$ journalctl -p warning

You can display only kernel messages as follows.

$ journalctl --dmesg

You can search for specific keywords by piping the output of journalctl to grep, and view the results page by page using less.

$ journalctl | grep ssh | less

View log information since a specific date.

$ journalctl --since=2021-02-01

Or view log information since a specific time.

$ journalctl --since=12:00

You could also type journalctl and then press the tab key on your keyboard to see available options.

Application Logs

Several applications store log information under /var/log. For example, in figure 1 above, the clamav directory contains log files pertaining to the ClamAV anti-malware application.

Here are some examples of popular applications or services and where their log information is stored.

Apache web server logs - /var/log/apache2
NGINX web server logs - /var/log/nginx
Printing system (CUPS) logs - /var/log/cups

Other Useful Logs

Some log files, such as lastlog and wtmp, cannot be read directly by humans. The following is a brief explanation of what type of information these files contain and how you can view it.


The information held in /var/log/lastlog pertains to users and their most recent login to the Ubuntu server. You would need to use the lastlog command to access it as follows.

$ lastlog


The /var/log/wtmp file holds comprehensive login records.

Run the last command to display a list of last logged in users. You may also see information about system boot/reboot.

$ last

Run the who command to see who is currently logged in.

$ who

The w command shows you who is currently logged in and what they are doing on the Ubuntu server.

$ w


In this guide, we have briefly covered how to view standard log files on Ubuntu servers. This is not an exhaustive list but we hope that it gives you an idea of where to look.
