Logs are extremely useful when troubleshooting system, application or network problems. Information captured in log files may also be analyzed to uncover patterns that can help you make informed decisions as a system admin.
This guide briefly explains how you can view standard log files on Ubuntu Linux servers.
Important commands for working with log files
On Ubuntu Linux servers, logs are normally stored in plain text format. Hence, it is important that you know the following basic Linux commands for moving around the filesystem and working with text files via the Ubuntu terminal.
cd – change directory
ls – display the contents of a directory
cp – copy files or folders
mv – rename/move files or folders
nano – console-based text editor
less – view the content of a text file one page at a time
head – display the first 10 lines of a text file
tail – view the last 10 lines of a text file
grep – search for specific keywords in a text file or output data
Location of log files on Ubuntu servers
Basically, log files are stored under the /var/log directory on Ubuntu servers. Run the command below to change the directory to /var/log.
$ cd /var/log
Now, you may list the content of /var/log as follows.
As seen in figure 1 below, the /var/log directory contains several log files that can be broadly categorized into system logs and application logs.
Figure 1: List log files on Ubuntu server
System logs contain information about the operation of the Ubuntu system; including authorization logs, kernel logs, kernel ring buffer, and general system events.
Authorization logs are stored in /var/log/auth.log. This is where you will find information about user authorization attempts; including the use of the sudo command.
You may run the command below to inspect the content of the auth.log file.
$ sudo less /var/log/auth.log
Note: Hit the spacebar on your keyboard to scroll from page to page. Press q to exit.
You could also use the grep command to filter the information in the logs. Here is an example.
$ sudo less /var/log/auth.log | grep olu
The information in the sample output below indicates that there was a successful remote login to my Ubuntu server via ssh by user olu.
|Feb 1 15:44:24 Ubuntu sshd: Accepted publickey for olu from 220.127.116.11 port 35233 ssh2: RSA SHA256:B3zi4x3gdF89wm0GZw+fsAkhckLEsx8fJ0GJiU80CXH
Feb 1 15:44:24 Ubuntu sshd: pam_unix(sshd:session): session opened for user olu by (uid=0)
Feb 1 15:44:24 Ubuntu systemd-logind: New session 2 of user olu.
Feb 1 15:44:24 Ubuntu systemd: pam_unix(systemd-user:session): session opened for user olu by (uid=0)
Kernel logs are held in /var/log/kern.log. This information is useful for troubleshooting kernel errors. The kernel controls everything in the operating system; including process management, memory management and device management.
Use the following command to display the content of the kern.log file one page at a time.
$ sudo less /var/log/kern.log
Or try this to display the first 10 lines of the kern.log file.
$ sudo head /var/log/kern.log
Find specific information in kern.log.
$ grep memory /var/log/kern.log
Kernel ring buffer
The kernel ring buffer holds kernel hardware information. The information is logged in /var/log/dmesg and can be displayed by using the dmesg command. This information includes all detected devices at system boot time.
You can use this to troubleshoot issues with server hardware components. Run the command below to view the entire content of the kernel ring buffer.
Try the next command to display the last 10 lines of the kernel ring buffer.
$ dmesg | tail
Or filter for specific keywords using grep.
$ dmesg | grep cpu
General system logs
Here, we are going to talk about syslog and journalctl
Syslog is a logging mechanism that stores general system events in /var/log/syslog. The information stored here may include events that you may not find in other log files.
Run the command below to display the content of the syslog file page by page.
$ sudo less /var/log/syslog
You could also search for specific keywords using the grep command as follows.
$ sudo grep failed /var/log/syslog
The journalctl command simplifies the process of examining server logs. Rather than look through individual log files, you could use journalctl to quickly find and filter the information that you need.
The command below displays all log entries from oldest to newest.
The next command shows warning messages.
$ journalctl -p warning
You can display only kernel messages as follows.
$ journalctl --dmesg
You can search for specific keywords by combining the grep command and view results page by page using less.
$ journalctl | grep ssh | less
View log information since a specific date.
$ journalctl --since=2021-02-01
Or view log information since a specific time.
$ journalctl --since=12:00
You could also type journalctl and then press the tab key on your keyboard to see available options.
Several applications store log information under /var/log. For example, in figure 1 above, the clamav directory contains log files pertaining to the ClamAV anti-malware application.
Here are some examples of popular applications or services and where their log information is stored.
Apache web server logs - /var/log/apache2
NGINX web server logs - /var/log/nginx
Printing system (CUPS) logs - /var/log/cups
Other Useful Logs
Some log files such as lastlog, wtmp may not be directly read by humans. The following is a brief explanation of what type of information these files contain and how you can view it.
The information held in /var/log/lastlog pertains to users and their most recent login to the Ubuntu server. You would need to use the lastlog command to access it as follows.
The var/log/wtmp file holds comprehensive login records.
Run the last command to display a list of last logged in users. You may also see information about system boot/reboot.
Run the who command to see who is currently logged in.
The w command shows you who is currently logged in and what they are doing on the Ubuntu server.
In this guide, we have briefly covered how to view standard log files on Ubuntu servers. This is not an exhaustive list but we hope that it gives you an idea of where to look.