Logging is one of the most important things in an operating system, and Linux is no exception. Everything from kernel events to user actions is logged by Linux, allowing you to see almost any action performed on your servers. In this section, we'll explain what Linux logs are, where you can find them, and how to interpret them. Logs in Linux are simple; if you want an eagle eye on your apps, install Sentry.

Linux has a special directory for storing logs called /var/log. This directory contains logs from the OS itself, services, and various applications running on the system. Here's what this directory looks like on a typical Ubuntu system.

Some of the most important Linux system logs include:

  • /var/log/syslog and /var/log/messages store all global system activity data, including startup messages. Debian-based systems like Ubuntu store this in /var/log/syslog, while Red Hat-based systems like RHEL or CentOS use /var/log/messages.
  • /var/log/auth.log and /var/log/secure store all security-related events such as logins, root user actions, and output from pluggable authentication modules (PAM). Ubuntu and Debian use /var/log/auth.log, while Red Hat and CentOS use /var/log/secure.
  • /var/log/kern.log stores kernel events, errors, and warning logs, which are particularly helpful for troubleshooting custom kernels.
  • /var/log/cron stores information about scheduled tasks (cron jobs). Use this data to verify that your cron jobs are running successfully.

Some applications also write log files in this directory. For example, the Apache web server writes logs to the /var/log/apache2 directory (on Debian), while MySQL writes logs to the /var/log/mysql directory. Some applications also log via syslog, which we’ll explain in the next section.

What’s Syslog?

Syslog is a standard for creating and transmitting logs. The word “syslog” can refer to any of the following.

  1. The Syslog service, which receives and processes Syslog messages. It listens for events by creating a socket located at /dev/log, which applications can write to. It can write messages to a local file or forward messages to a remote server. There are different Syslog implementations including rsyslogd and Syslog-ng.
  2. The Syslog protocol (RFC 5424), which is a transport protocol that specifies how to transmit logs over a network. It is also a data format defining how messages are structured. By default, it uses port 514 for plaintext messages and port 6514 for encrypted messages.
  3. A Syslog message, which is any log formatted in the Syslog message format. A Syslog message consists of a standardized header and a message body containing the log's contents.
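To make the "standardized header" concrete, here is an added example (not code from the original page) that parses one RFC 5424 message into its fields. It decodes the PRI value into facility and severity (PRI = facility * 8 + severity), splits the header, unpacks STRUCTURED-DATA elements and returns the free-text MSG; the sample line and the short facility names are constructed for the example.

```python
import re

# RFC 5424 layout: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d{1,2}) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$", re.DOTALL)
SD_ELEMENT_RE = re.compile(r"\[(?:[^\]\\]|\\.)*\]")          # one [SD-ID param="v" ...] element
SD_PARAM_RE = re.compile(r'(\S+?)="((?:[^"\\]|\\.)*)"')       # PARAM-NAME="PARAM-VALUE"

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp",
              "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"] + \
             [f"local{i}" for i in range(8)]


def _nil(value):
    """RFC 5424 uses a single '-' as the NILVALUE for an absent header field."""
    return None if value == "-" else value


def parse_syslog(line: str) -> dict:
    """Parse one RFC 5424 message into header fields, structured data and message text."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 message")
    pri = int(m["pri"])
    if pri > 191:                      # facilities 0..23, severities 0..7
        raise ValueError("PRI out of range")
    rest, sd = m["rest"], {}
    if rest.startswith("-"):           # no structured data
        msg = rest[1:].lstrip(" ")
    else:
        pos = 0
        while pos < len(rest) and rest[pos] == "[":
            elem = SD_ELEMENT_RE.match(rest, pos)
            if not elem:
                raise ValueError("malformed STRUCTURED-DATA")
            sd_id, _, params = elem.group(0)[1:-1].partition(" ")
            sd[sd_id] = {k: v.replace('\\"', '"') for k, v in SD_PARAM_RE.findall(params)}
            pos = elem.end()
        msg = rest[pos:].lstrip(" ")
    return {"facility": FACILITIES[pri // 8], "severity": SEVERITIES[pri % 8],
            "version": int(m["ver"]), "timestamp": _nil(m["ts"]), "hostname": _nil(m["host"]),
            "appname": _nil(m["app"]), "procid": _nil(m["procid"]), "msgid": _nil(m["msgid"]),
            "sd": sd, "msg": msg}


# Constructed sample line: PRI 86 = facility 10 (authpriv) * 8 + severity 6 (info)
SAMPLE = ('<86>1 2024-05-01T12:00:00Z web01 sshd 1234 - [origin ip="203.0.113.5"] '
          'Accepted publickey for alice from 203.0.113.5 port 50210')

if __name__ == "__main__":
    print(parse_syslog(SAMPLE))
```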

Syslog is the most important system log.

Let's see how to follow the live log output of a systemd unit. These options belong to journalctl, which reads the systemd journal.

$ sudo journalctl -f -u unitname.service

Show the last N log entries of a unit (here the last 200):

$ sudo journalctl -n 200 -u unitname.service
or
$ sudo journalctl --unit=unitname.service | tail -n 200