The Linux system and many Linux based programs write their status messages into a log file. Read here about helpful commands under Linux to view and manage these files.
A typical area for the log files is in directory /var/log and in its sub-directories. By default the Apache HTTP web server stores its logs in directory /var/log/apache2.
There are many different logs available, depending on the software installed.
auth.log | This log contains all login attempts, regardless of whether the attempt was made directly on the server, via SSH, or to gain additional privileges via sudo. As soon as your system is reachable from the internet, you can expect to find entries in this log file reporting unauthorized attempts to access your server.
syslog | Log of the syslogd service.
View log files with LESS
less is the favourite tool to view and analyse log files from the command line. It displays the contents of a file or a command output one page at a time. When starting, less doesn't read the entire file, which results in much faster load times compared to text editors like vim or nano.
Format to start less:
less <logfilename>
Example:
less /var/log/syslog
The +F option tells less to watch the file contents for changes. This is useful when opening log files.
less +F /var/log/messages
You can also "follow" the updates of the log file by pressing Shift+F. The display will be updated as soon as a new entry is added to the log file. To stop the "follow" mode press Ctrl+C.
Under Ubuntu less can also handle gzip compressed files. This is quite handy since log files are typically compressed after a few days (see the section about LOGROTATE below).
Navigating through the File Content
When opening a file whose content is too large to fit on one page, you will see a single colon (:).
Use the arrow buttons to scroll up and down, and page up / page down to jump from page to page.
To go forward to the next page press either the f key or the Space bar. To move down by a specific number of lines, type the number followed by the Space bar or the f key.
You can press either the Down arrow or Enter to scroll forward by one line, and the Up arrow to scroll backward by one line.
To go back to the previous page hit the b key. To move up by a specific number of lines, type the number followed by the b key.
If you want to search for a pattern, type a forward slash (/) followed by the pattern you want to search for, i.e. /searchterm. Once you hit Enter, less will search forward for matches. Then use n to jump to the next hit, or Shift+n for the previous hit.
To search backwards use a question mark (?) instead of the slash, followed by the search pattern, i.e. ?searchterm.
To quit less and go back to the command line, press q.
For more details and commands for LESS refer to the article LESS Command in Linux.
View most current log file entries with TAIL
tail shows the last few lines of a text file. It becomes quite handy if you just want to see the most current entries.
Format to start tail:
tail <logfilename>
Example:
tail /var/log/syslog
The parameter -n followed by a number determines how many lines from the end of the file will be shown:
tail -n 20 /var/log/syslog
shows the last 20 lines.
The parameter -f activates the "follow" mode: it keeps tail running and shows new entries as they are written. When you combine -f with -n 0 (i.e. 0 existing lines will be shown), only entries added to the log file after you started tail will be displayed:
tail -f -n 0 /var/log/syslog
Press Ctrl-C to end the follow mode.
View log files with Midnight Commander
When you have installed the file manager Midnight Commander (mc) on your system (see Midnight Commander File Manager), you can use it to move into the directory, select the log file and press F3 to view the file. You can then scroll up and down.
Filter entries with GREP
grep is a versatile tool to filter text for lines that match specific expressions. grep can be combined with other programs using a "pipe".
Example 1:
tail -f -n 0 /var/log/syslog | grep CRON
Waits for and displays every new log entry that contains the term CRON.
Example 2:
less /var/log/syslog | grep -E '(CRON|systemd)'
Uses less and shows all entries that contain CRON or systemd.
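The same grep idea applied to auth.log, as an added example that is not part of the original article: it summarises failed SSH password attempts per source address and lists commands run via sudo. It assumes the usual sshd and sudo message formats; the sample log lines are constructed, so the script runs without a real /var/log/auth.log.

```shell
#!/bin/sh
# Constructed auth.log sample (not taken from a real system).
SAMPLE_AUTH_LOG='Jan 10 03:12:01 host sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Jan 10 03:12:05 host sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 51030 ssh2
Jan 10 03:12:09 host sshd[1204]: Failed password for root from 203.0.113.9 port 40211 ssh2
Jan 10 03:13:40 host sshd[1231]: Accepted publickey for alice from 192.0.2.15 port 50120 ssh2
Jan 10 03:14:02 host CRON[1220]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 10 03:15:11 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/less /var/log/auth.log
Jan 10 03:16:30 host sshd[1240]: Failed password for invalid user test from 198.51.100.7 port 51100 ssh2'

# failed_ssh_by_source: reads auth.log lines on stdin and prints
# "count ip" for failed SSH password attempts, most frequent first.
# Assumes the standard sshd message "Failed password for ... from IP port N ssh2".
failed_ssh_by_source() {
    grep -E 'sshd\[[0-9]+\]: Failed password' |
        sed -E 's/.* from ([0-9.]+) port .*/\1/' |
        sort | uniq -c | sort -rn |
        awk '{ print $1, $2 }'
}

# sudo_commands: reads auth.log lines on stdin and prints "user command"
# for every sudo entry. Assumes the standard sudo log line format.
sudo_commands() {
    grep -E ' sudo: ' |
        sed -E 's/.* sudo: +([^ ]+) : .*COMMAND=(.*)/\1 \2/'
}

# Stand-alone demo on the constructed sample. On a live system the same
# functions work on real data: failed_ssh_by_source < /var/log/auth.log
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_ssh_by_source
printf '%s\n' "$SAMPLE_AUTH_LOG" | sudo_commands
```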
Log management with LOGROTATE
As many programs and services add their entries to log files, the system service logrotate manages these logs. Logrotate can be used to rotate, compress, or e-mail log files.
How logrotate manages the logs can easily be seen using syslog as an example:
ls -al /var/log/syslog*
The first file, syslog, is the current syslog file. The file syslog.1 is the uncompressed previous version, and syslog.2.gz to syslog.7.gz are earlier syslog files from previous days. Older versions have already been deleted.
This behaviour of logrotate is controlled by the configuration files in directory /etc/logrotate.d.