An Introduction to Linux Log Files

Get valuable information to debug your Linux system

A log file, as you may well have guessed, provides a timeline of events for the Linux operating system, applications, and services.

The files are stored in plain text to make them easy to read. This guide provides an overview of where to find the log files, highlights a few of the key logs and explains how to read them.

Where Can You Find Linux Log Files

Linux log files are normally stored in the folder /var/log.

The folder will contain a large number of files and you can get information for each application.

For example, when the ls command is run in a sample /var/log folder, these are a few of the logs available:

  • kern.log
  • auth.log
  • bootstrap.log
  • alternatives.log
  • samba
  • cups
  • lightdm

The last three in that list are folders but they have log files within the folders.

As the log files are in plain text format you can read them by typing the following command:

nano <logfilename>

The above command opens the log file in an editor called nano. If the log file is small, it is OK to open it in an editor, but if the log file is large, you are probably only interested in reading the tail end of the log.

The tail command lets you read the last few lines in a file as follows:

tail <logfilename>

You can specify how many lines to show with the -n switch as follows:

tail -n <number of lines> <logfilename>

Of course, if you want to see the beginning of the file you can use the head command.

Key System Logs

The following log files are the main ones to look out for within Linux.

  • Authorization Log
  • Daemon Log
  • Debug Log
  • Kernel Log
  • System Log

The authorization log (auth.log) tracks use of the authorization systems which control user access. 

The daemon log (daemon.log) tracks services that run in the background which perform important tasks. Daemons tend to have no graphical output.

The debug log provides debug output for applications.

The kernel log provides details about the Linux kernel.

The system log contains the most information about your system and if your application doesn't have its own log the entries will probably be in this log file.

Analyzing the Contents of a Log File

The image below shows the contents of the last 50 lines within my system log file (syslog).

Linux log syslog

Each line in the log contains the following information:

For instance, one line in the syslog file is as follows:

jan 20 12:28:56 gary-virtualbox systemd[1]: starting cups scheduler

This tells you that the cups scheduling service was started at 12:28 on the 20th of January.
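
The field layout of such a line can also be split apart mechanically. The following is an added example, not part of the original article: it assumes the traditional "month day time host program[pid]: message" layout of the line quoted above, and the function names and the sample lines other than the first are constructed for illustration.

```sh
#!/bin/sh
# Added example: split traditional syslog lines into their fields.
# Assumed layout: "Mon DD HH:MM:SS host program[pid]: message" (pid optional).

# Constructed sample input; the first line is the one quoted in the article.
sample_log() {
cat <<'EOF'
jan 20 12:28:56 gary-virtualbox systemd[1]: starting cups scheduler
jan 20 12:29:03 gary-virtualbox kernel: usb 1-1: new full-speed USB device
jan 20 12:30:41 gary-virtualbox sshd[2211]: Failed password for invalid user test from 192.0.2.10 port 50022 ssh2
jan  5 09:00:01 gary-virtualbox CRON[3120]: (root) CMD (run-parts /etc/cron.hourly)
this line does not follow the format
EOF
}

# Print one tab-separated record per line: timestamp, host, program, pid, message.
# Lines that do not match the layout are kept and marked UNPARSED, not dropped.
syslog_fields() {
    awk '
    {
        if (NF < 5 || $3 !~ /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]$/ || $5 !~ /:$/) {
            printf "UNPARSED\t%s\n", $0
            next
        }
        tag = $5
        sub(/:$/, "", tag)
        pid = "-"                       # kernel lines carry no pid
        if (match(tag, /\[[0-9]+\]$/)) {
            pid = substr(tag, RSTART + 1, RLENGTH - 2)
            tag = substr(tag, 1, RSTART - 1)
        }
        # Rebuild the message from the remaining fields (runs of spaces collapse).
        msg = ""
        for (i = 6; i <= NF; i++) msg = msg (i > 6 ? " " : "") $i
        printf "%s %s %s\t%s\t%s\t%s\t%s\n", $1, $2, $3, $4, tag, pid, msg
    }'
}

# Count parsed entries per program, e.g. to see which service is filling the log.
syslog_count_by_program() {
    syslog_fields |
        awk -F "\t" '$1 != "UNPARSED" { n[$3]++ }
                     END { for (p in n) printf "%s %d\n", p, n[p] }' |
        sort
}

sample_log | syslog_fields
sample_log | syslog_count_by_program
```

To run it against a real log, pipe the file in place of the sample, for example tail -n 50 /var/log/syslog | syslog_fields.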

Rotating Logs

Log files rotate periodically so that they don't get too big.

The logrotate utility is responsible for rotating log files. You can tell when a log has been rotated because its name will be followed by a number, such as auth.log.1, auth.log.2.

It is possible to change the frequency of log rotation by editing the file /etc/logrotate.conf.

The following shows a sample from my logrotate.conf file:

#rotate log files
weekly
#keep 4 weeks worth of log files
rotate 4
#create new log files after rotating
create

As you can see, these log files rotate every week, and there are four weeks worth of log files kept at any point in time.

When a log file rotates a new one is created in its place.

Each application can have its own rotation policy. This is obviously useful because the syslog file is going to grow more rapidly than the cups log file.

The rotation policies are kept in /etc/logrotate.d. Each application that requires its own rotation policy will have a configuration file in this folder.

For example, the tool apt has a file in the logrotate.d folder as follows:

/var/log/apt/history.log {
  rotate 12
}

Basically, this file tells you the following. The log will keep 12 weeks worth of log files and rotates every month (one per month). The log file will be compressed. If no messages are written to a log (i.e. it is empty) then this is acceptable. The log will not rotate if it is empty.

To amend the policy of a file, edit the file with the settings you require and then run the following command, which forces a rotation using the given configuration file:

logrotate -f /etc/logrotate.conf