System logs are your Linux server’s story, telling you exactly what’s happening under the hood. From security incidents to system problems, logs help you catch and fix issues before they become disasters. Let’s walk through everything you need to know about managing Linux logs effectively.
This guide shows you the most useful commands and real-world tips for working with Linux logs. You’ll learn where to find important log files, how to read them efficiently, and what tools make log management easier.
Table of Contents
- Finding Your Way Around Linux Logs
- Must-Know Log Commands
- Smart Log Analysis
- Log Management Best Practices
- Keeping Logs Safe
- Fixing Common Problems
- Wrapping Up
Finding Your Way Around Linux Logs
Most Linux logs live in the /var/log directory. Here are the key files you’ll use most often:
- /var/log/syslog or /var/log/messages: Where you’ll find general system logs
- /var/log/auth.log or /var/log/secure: Security and login records
- /var/log/dmesg: Boot-time messages
- /var/log/kern.log: Kernel events
- /var/log/apache2/ or /var/log/httpd/: Web server activity
Must-Know Log Commands
Watch Logs in Real Time with tail
The tail command is perfect for seeing what’s happening right now:
# See the last 10 lines
tail /var/log/syslog
# Watch the file as it changes
tail -f /var/log/syslog
# Watch multiple files at once
tail -f /var/log/syslog /var/log/auth.log
Find What You Need with grep
Combine tail and grep to zero in on specific events:
# Look for errors as they happen
tail -f /var/log/syslog | grep "error"
# Search without worrying about case
tail -f /var/log/syslog | grep -i "failed"
# See what happened before and after
grep -C 3 "authentication failure" /var/log/auth.log
Master journalctl for Modern Systems
If your system uses systemd, journalctl is your friend:
# See everything
journalctl
# Check what SSH has been up to (the unit is named sshd on RHEL-family systems)
journalctl -u ssh
# Look at logs since you started the system
journalctl -b
# See what happened in the last hour
journalctl --since "1 hour ago"
Smart Log Analysis
Process Logs with awk
awk helps you make sense of log patterns:
# Count how many failed passwords you've had (count+0 prints 0 instead of a blank line when there are none)
awk '/Failed password/ {count++} END {print count+0}' /var/log/auth.log
# Pull out just the parts you care about
awk '{print $1, $2, $5}' /var/log/syslog
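Counting per source address rather than in total, as an added example (not code from the original article): the function names, the sample log lines and the threshold are assumptions made for illustration. It goes beyond the single count above by also handling the "invalid user" and "message repeated" line forms.

```shell
#!/bin/bash
# Added example: failed SSH password attempts per source address.

# Constructed sample in the sshd/rsyslog auth.log layout
# (addresses come from the RFC 5737 documentation ranges).
sample_auth_log() {
    cat <<'EOF'
Mar 10 08:15:01 web01 sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar 10 08:15:03 web01 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Mar 10 08:15:09 web01 sshd[1201]: message repeated 2 times: [ Failed password for root from 203.0.113.5 port 51250 ssh2]
Mar 10 08:16:00 web01 sshd[1310]: Failed password for invalid user test from 198.51.100.7 port 40022 ssh2
Mar 10 08:17:12 web01 sshd[1344]: Accepted password for deploy from 192.0.2.44 port 50111 ssh2
Mar 10 08:18:30 web01 sshd[1402]: Failed password for deploy from 192.0.2.44 port 50200 ssh2
EOF
}

# failed_by_ip THRESHOLD [FILE...]
# Prints "COUNT ADDRESS" for each source with at least THRESHOLD failures,
# busiest first. Reads standard input when no file is given.
failed_by_ip() {
    local threshold="$1"
    shift
    awk -v min="$threshold" '
        /sshd\[[0-9]+\]: .*Failed password for / {
            n = 1
            # rsyslog folds duplicates into "message repeated N times: [ ... ]"
            if (match($0, /message repeated [0-9]+ times: \[/)) {
                split(substr($0, RSTART, RLENGTH), parts, " ")
                n = parts[3]
                sub(/\]$/, "")      # drop the closing bracket, re-split fields
            }
            # "invalid user" shifts the fields, so find the address by its
            # position from the end of the line rather than from the start.
            if ($(NF-4) == "from" && $(NF-2) == "port")
                hits[$(NF-3)] += n
        }
        END {
            for (ip in hits)
                if (hits[ip] >= min) print hits[ip], ip
        }
    ' "$@" | sort -k1,1nr -k2,2
}

# Sources with three or more failures in the sample: prints "4 203.0.113.5"
sample_auth_log | failed_by_ip 3
```

On a real system, pass the log file instead of the sample, for example `failed_by_ip 5 /var/log/auth.log`.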
Keep Your Logs Tidy with logrotate
Logrotate keeps your logs from eating up all your disk space. Here’s how to check on it:
# See how logrotate is set up
cat /etc/logrotate.conf
# Test your logrotate settings (debug mode: a dry run that changes nothing)
logrotate -d /etc/logrotate.conf
Write Your Own Log Monitor
Here’s a simple script to watch for problems and let you know about them:
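#!/bin/bash
# Mail every auth.log line that records a failed password attempt.
LOG_FILE="/var/log/auth.log"
SEARCH_TERM="Failed password"
EMAIL="[email protected]"

# -F keeps following the file by name after logrotate replaces it;
# -n 0 starts at the end so old entries are not mailed again on restart.
tail -n 0 -F "$LOG_FILE" | while IFS= read -r line
do
    # grep -F matches the search term as a fixed string, not a regular expression
    if printf '%s\n' "$line" | grep -qF -- "$SEARCH_TERM"; then
        printf '%s\n' "$line" | mail -s "Security Alert" "$EMAIL"
    fi
done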
Log Management Best Practices
Collecting Logs in One Place
If you’re running multiple servers, think about using:
- rsyslog to send logs to one place
- ELK Stack (Elasticsearch, Logstash, Kibana) for searching logs
- Graylog for a complete log management system
Setting Up Alerts
Make sure you know when something’s wrong:
- Figure out what events matter most
- Set up scripts or tools to watch for them
- Choose how you want to be notified (email, SMS, Slack)
- Plan who needs to know when problems happen
Regular Log Checks
Make a habit of checking your logs:
- Every day: Look for serious errors
- Every week: Check how your system’s doing
- Every month: See if you need more storage
Keeping Logs Safe
Setting the Right Permissions
Keep your logs secure:
# Set who can read logs
chmod 640 /var/log/syslog
chown syslog:adm /var/log/syslog
# Check your work
ls -l /var/log/syslog
Protecting Log Files
Make sure no one can mess with your logs:
- Make files append-only
- Save checksums of old logs
- Use special storage for important logs
Fixing Common Problems
When logs aren’t working right, check:
- Is the logging service running?
- Do you have enough disk space?
- Are the permissions correct?
- Is log rotation working?
Wrapping Up
Good log management makes the difference between catching problems early and dealing with disasters later. Start using these commands and tips, and you’ll have a much better handle on what’s happening on your systems.
Keep learning and adjusting how you handle logs as your needs change. The time you spend getting good at log management pays off every time you need to figure out what went wrong or prove what happened on your systems.