An Introduction to Linux Log Files

Get valuable information to debug your Linux system

A log file provides a timeline of events for the Linux operating system, applications, and services. The files are stored in plain text to make them easy to read.

Where Can You Find Linux Log Files?

Linux log files are normally stored in the folder /var/log. The folder contains a large number of files offering detailed information for each application.

How Can I Open .LOG Files?

Because log files are in plain-text format, you can read them using any text editor. Most distributions include nano, which offers an easy-to-use interface:

nano <logfilename>

If the log file is small, it's fine to open it in an editor. If it is large, you are probably only interested in the tail end of the log. The tail command displays the last few lines in a file. Specify how many lines to show with the -n switch as follows:

tail -n x <logfilename>

To see the beginning of the file, use the head command.

Very large logs are usually compressed. You'll see them in /var/log with a .gz suffix. To view the log, unzip the archive using the utility of your choice.

Key System Logs

The following log files are the main ones to look for within Linux.

  • Authorization: Tracks use of the authorization systems that control user access.
  • Daemon: Tracks services that run in the background performing important tasks. Daemons tend to have no graphical output, so you'll need to read the log file to understand the daemon's performance.
  • Debug: Provides debug output for applications.
  • Kernel: Shows information about the kernel, including errors.
  • System: Contains the most information about your system; if your application doesn't have its own log, the entries will probably be in this log file.

Analyzing the Contents of a Log File

The image below shows the contents of the last 50 lines within a system log file (syslog).

Linux log syslog

Each line in the log contains the following information:

For instance, one line in the syslog file is as follows:

jan 20 12:28:56 gary-virtualbox systemd[1]: starting cups scheduler

This tells you that the cups scheduling service was started at 12:28 on the 20th of January.

Rotating Logs

Log files rotate periodically so that they don't get too big.

The logrotate utility is responsible for rotating log files. You can tell when a log has been rotated because its name will be followed by a number, such as auth.log.1 or auth.log.2.

It is possible to change the frequency of log rotation by editing the file /etc/logrotate.conf.

The following shows a sample from a logrotate.conf file:

#rotate log files
weekly
#keep 4 weeks worth of log files
rotate 4
#create new log files after rotating
create

These log files rotate every week, and four weeks' worth of log files are kept at any point in time. When a log file rotates, a new one is created in its place.

Each application can have its own rotation policy. The rotation policies are kept in /etc/logrotate.d. Each application that requires its own rotation policy will have a configuration file in this folder.

For example, the tool apt has a file in the logrotate.d folder as follows:

/var/log/apt/history.log {
rotate 12
monthly
compress
missingok
notifempty
}

Basically, this policy tells you the following: the log keeps 12 weeks' worth of log files and rotates every month (one per month). The log file is compressed. If no messages are written to a log (i.e., it is empty), this is acceptable. The log does not rotate if it is empty.

To amend the policy of a file, edit the file with the settings you require and then run the following command:

logrotate -f /etc/logrotate.conf