How to Check Linux System Logs
Read and search Linux system logs using journalctl, tail, and the classic log files in /var/log — essential skills for diagnosing problems on any Linux system.
Where Linux Logs Live
Linux logs events in two main places: the systemd journal (accessed via journalctl) and traditional text files in /var/log/. Modern distros like Ubuntu use both; knowing each helps you find what you need faster.
journalctl — The systemd Journal
On systems using systemd (Ubuntu 16.04+, Debian 8+, RHEL 7+), journalctl is the primary log tool:
journalctl # all logs (oldest first)
journalctl -r # reverse order (newest first)
journalctl -n 50 # last 50 lines
journalctl -f # follow live (like tail -f)
journalctl -b # logs from current boot
journalctl -b -1 # logs from previous bootFilter by service
journalctl -u nginx # nginx logs
journalctl -u ssh --since today
journalctl -u postgresql -n 100Filter by time
journalctl --since "2024-06-01 10:00" --until "2024-06-01 11:00"
journalctl --since "1 hour ago"Filter by priority
journalctl -p err # errors only
journalctl -p warning # warnings and aboveClassic Log Files in /var/log/
Even on systemd systems, many apps write directly to files:
/var/log/syslog— general system log (Debian/Ubuntu)/var/log/messages— general log (RHEL/CentOS)/var/log/auth.log— authentication and sudo activity/var/log/kern.log— kernel messages/var/log/nginx/— Nginx access and error logs/var/log/mysql/— MySQL logs/var/log/dpkg.log— package install/remove history
Reading Log Files
tail -f /var/log/syslog # follow live
tail -n 100 /var/log/auth.log # last 100 lines
grep "Failed password" /var/log/auth.log # find failed SSH logins
less /var/log/nginx/error.logPractical Troubleshooting Example
# Service won't start? Check its log:
sudo journalctl -u myapp -n 50 --no-pager
# Something crashed at 3am? Look at the kernel log:
sudo journalctl -k --since "today 02:00" --until "today 04:00"
# Who logged in recently?
last
lastb # failed logins