The Linux system and many Linux-based programs write their status messages into log files. Read here about helpful Linux commands to view and manage these files.

A typical location for log files is the directory /var/log and its sub-directories. By default, the Apache HTTP web server stores its logs in the directory /var/log/apache2.

There are many different logs available, depending on the software installed.

auth.log: This log contains all login attempts, regardless of whether the attempt was made directly on the server, via SSH, or to gain additional access with sudo. As soon as your system is reachable from the internet, you can expect to find entries in this log file reporting unauthorized attempts to obtain access to your server.

systemlog: Log of the syslogd service.

View log files with Midnight Commander

If you have installed the file manager Midnight Commander (mc) on your system, you can use it to navigate to the directory, select the log file and press F3 to view the file. You can scroll up and down.

View log files with LESS

less is a text viewer that can be used to view log files, too.

Format to start less:

less <logfilename>

Example:

less /var/log/syslog

Use the arrow keys to scroll up and down, and Page Up / Page Down to jump from page to page.

To exit less, just press q.

To search for a term, enter a slash followed by the search term, i.e. /searchterm.

Then use n to jump to the next hit, or Shift+N for the previous hit.

To search backwards, use a question mark instead. That is: ?searchterm.

You can also "follow" the updates of the log file by pressing Shift+F. The display will be updated as soon as a new entry is added to the log file. To stop the "follow" mode, press Ctrl+C.

Under Ubuntu, less can also handle gzip-compressed files. This is quite handy, as log files are typically compressed after a few days (see the section about LOGROTATE below).

View most recent log file entries with TAIL

tail shows the last few lines of a text file. It is quite handy if you just want to see the most recent entries.

Format to start tail:

tail <logfilename>

Example:

tail /var/log/syslog

The parameter -n followed by a number determines how many lines from the end of the file will be shown:

tail -n 20 /var/log/syslog

shows the last 20 lines.

The parameter -f activates the "follow" mode. It keeps tail active and shows the updates. When you combine -f with -n 0 (i.e. 0 lines will be shown), only entries added to the log file after you started tail will be shown:

tail -f -n 0 /var/log/syslog

Press Ctrl+C to end the follow mode.

Filter entries with GREP

grep is a comprehensive tool for filtering text by specific expressions. grep can be combined with other programs using a pipe (|).

Example 1:

tail -f -n 0 /var/log/syslog | grep CRON

Waits for new log entries and displays those that contain the term CRON.

Example 2:

less /var/log/syslog | grep -E '(CRON|systemd)'

Uses less and shows all entries that contain CRON or systemd.

Log management with LOGROTATE

As many programs and services add their entries to log files, the system service logrotate manages these logs. Logrotate can be used to rotate, compress, or e-mail log files.

How logrotate manages the logs can easily be seen using syslog as an example:

ls -al /var/log/syslog*

The first file, syslog, is the current syslog file. The file syslog.1 is the uncompressed previous version, and syslog.2.gz to syslog.7.gz are earlier syslog files from previous days. Older versions have already been deleted.

This behaviour of logrotate is controlled by the files in the directory /etc/logrotate.d.
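
The tools above combine into a routine check of auth.log. The following script is an added example, not part of the original article: it counts failed SSH password attempts per source address across the current auth.log and the copies kept by logrotate. The function names and the sample log lines are constructed for illustration, and the line format assumed is that of OpenSSH.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes OpenSSH-style lines:
#   ... sshd[PID]: Failed password for [invalid user] NAME from ADDR port N ssh2

# failed_logins_by_ip [LOGDIR] -> prints "COUNT ADDRESS", highest count first
failed_logins_by_ip() {
    logdir=${1:-/var/log}
    # Current file, auth.log.1 (plain) and auth.log.N.gz (compressed).
    # gzip -cdf decompresses .gz input and copies plain files unchanged.
    for f in "$logdir"/auth.log "$logdir"/auth.log.*; do
        if [ -f "$f" ]; then gzip -cdf "$f"; fi
    done |
    grep -E 'sshd\[[0-9]+\]: Failed password for ' |
    # The user name is chosen by the client and may contain spaces or the
    # word "from", so read the address from the fixed tail of the line.
    awk 'NF > 4 && $(NF-4) == "from" && $(NF-2) == "port" { print $(NF-3) }' |
    sort | uniq -c | sort -k1,1nr -k2,2 |
    awk '{ print $1, $2 }'
}

# make_sample_logs DIR -> writes constructed sample files (documentation IPs)
make_sample_logs() {
    cat > "$1/auth.log" <<'EOF'
Mar  3 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.5 port 40001 ssh2
Mar  3 10:00:05 host sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Mar  3 10:01:00 host sshd[1003]: Accepted password for alice from 192.0.2.10 port 50000 ssh2
Mar  3 10:02:00 host sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls
EOF
    cat > "$1/auth.log.1" <<'EOF'
Mar  2 09:00:00 host sshd[900]: Failed password for invalid user from 192.0.2.10 from 198.51.100.7 port 41000 ssh2
EOF
    cat > "$1/auth.log.2" <<'EOF'
Mar  1 08:00:00 host sshd[800]: Failed password for root from 203.0.113.5 port 39000 ssh2
EOF
    gzip -f "$1/auth.log.2"   # mimic a file compressed by logrotate
}

# Demo on the constructed files; run failed_logins_by_ip without an
# argument (as root) to read the real files in /var/log instead.
demo_dir=$(mktemp -d)
make_sample_logs "$demo_dir"
failed_logins_by_ip "$demo_dir"
rm -rf "$demo_dir"
```

Reading the address from the end of the line keeps the count correct even when the logged user name itself contains the word "from", as in the constructed auth.log.1 entry.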