Imagine your Linux system is a massive, complex machine. When something goes wrong—a service won’t start, a login fails, or the system crashes—the machine doesn’t just go silent. It writes down exactly what happened in a “diary” called a Log.
In 2026, understanding how to read and manage these logs is the difference between a frustrated user and a Linux expert. Whether you’re managing a VPS or troubleshooting your desktop distro, this guide will show you exactly where to find the answers you need.
The Two Faces of Linux Logging
Modern Linux systems use two different mechanisms for recording log data. Think of them as the “Old School” and “New School” methods.
1. Traditional Syslog (Text Files)
For decades, Linux has stored logs as plain text files in the /var/log directory. You can read these files with standard tools like cat or less.
- Where to find them: Our guide on the Linux Filesystem Hierarchy explains why /var/log is the designated home for this data.
2. The systemd Journal (Binary Data)
Modern systems (running systemd) also use a centralized, binary-format log called the Journal. This is faster and more powerful than text files, but you need a specific tool—journalctl—to read it.
The /var/log Map: Where to Look First
If you’re looking for a specific issue, here is the “cheat sheet” of where the most important files live:
| Log File | What it Records |
|---|---|
| /var/log/syslog | The “Master Log.” Almost everything is recorded here. |
| /var/log/auth.log | Security and authentication (logins, sudo attempts). |
| /var/log/kern.log | Kernel-level messages (hardware errors, drivers). |
| /var/log/apache2/ | Web server logs (if you use Apache). |
| /var/log/nginx/ | Web server logs (if you use Nginx). |
| /var/log/audit/ | Detailed security auditing (SELinux/AppArmor). |
Mastering journalctl: The Modern Way
Since almost all major distros use systemd now, journalctl is your most powerful tool. Here are the commands you’ll use 90% of the time:
- View everything (most recent first):
  sudo journalctl -r
- View logs for a specific service:
  sudo journalctl -u nginx
- View logs from the current boot only:
  sudo journalctl -b
- View real-time logs (as they happen):
  sudo journalctl -f
- Filter by importance (Errors only):
  sudo journalctl -p err
Essential CLI Tools for Log Analysis
When you’re dealing with text-based logs in /var/log, these three commands are essential:
1. tail -f (The Live Monitor)
Want to watch your security logs as you try to log in? Use tail -f. It keeps the file open and updates the screen every time a new line is written.
sudo tail -f /var/log/auth.log
2. grep (The Searcher)
Searching through a 100MB log file manually is impossible. grep lets you find exactly what you’re looking for.
sudo grep "Failed password" /var/log/auth.log
3. less (The Paged Reader)
less is better than cat for logs because it allows you to scroll up and down and search (by pressing /) without filling your entire terminal screen.
sudo less /var/log/syslog
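Going one step past the grep "Failed password" search above, the following added example (not part of the original guide) totals failed SSH password attempts per source address. It assumes the Debian/Ubuntu-style auth.log format and OpenSSH's "Failed password" message; the function names and the sample lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: count failed SSH password attempts per source address.
# failed_by_source and sample_log are names made up for this example.

failed_by_source() {
    # OpenSSH writes: Failed password for [invalid user] NAME from ADDR port N ssh2
    # NAME is supplied by the remote client and may contain spaces or the word
    # "from", so the address is found by scanning back from the end of the line
    # to the last "port" token instead of taking the first "from".
    LC_ALL=C awk '
        /sshd.*Failed password for / {
            n = 1
            # rsyslog collapses duplicates into "message repeated N times: [ ... ]",
            # which stands for N more occurrences of the same message.
            if (match($0, /message repeated [0-9]+ times/))
                n = substr($0, RSTART + 17) + 0
            for (i = NF; i > 1; i--)
                if ($i == "port") { src[$(i - 1)] += n; break }
        }
        END { for (a in src) printf "%d %s\n", src[a], a }
    ' "$@" | LC_ALL=C sort -k1,1nr -k2,2
}

# Constructed sample lines using documentation address ranges, not real log data.
sample_log() {
    cat <<'EOF'
Mar 10 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.5 port 40022 ssh2
Mar 10 10:00:03 host sshd[1201]: message repeated 2 times: [ Failed password for root from 203.0.113.5 port 40022 ssh2]
Mar 10 10:00:09 host sshd[1207]: Failed password for invalid user admin from 198.51.100.7 port 51812 ssh2
Mar 10 10:00:12 host sshd[1210]: Accepted password for alice from 192.0.2.10 port 50100 ssh2
Mar 10 10:00:15 host sshd[1213]: Failed password for invalid user backup from home from 198.51.100.7 port 51820 ssh2
Mar 10 10:00:20 host sudo: pam_unix(sudo:auth): authentication failure; logname=alice uid=1000
EOF
}

# Demo on the sample data; output is "<count> <address>", highest count first.
sample_log | failed_by_source
```

To run it against a real host, pipe the log in instead of the sample, for example: sudo cat /var/log/auth.log | failed_by_source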
Maintenance: The Role of logrotate
Logs can grow very quickly, especially on a busy server. If left alone, they could fill up your entire hard drive. Linux uses a tool called logrotate to prevent this.
Logrotate automatically:
- Rotates the current log (renames syslog to syslog.1).
- Compresses old logs to save space (syslog.2.gz).
- Deletes logs that are too old (e.g., older than 30 days).
Conclusion
Linux logs aren’t just for experts; they are the most valuable resource for anyone learning the system. The next time something feels “broken,” don’t guess—check the logs.
Ready to dive deeper into system internals? Now that you know how to read the logs, learn how to manage the services creating those logs, or explore the Linux Boot Process to see where the very first log entries come from!