Download ArticleDownload ArticleThis article was co-authored by How.com.vn staff writer, Nicole Levine, MFA. Nicole Levine is a Technology Writer and Editor for How.com.vn. She has more than 20 years of experience creating technical documentation and leading support teams at major web hosting and software companies. Nicole also holds an MFA in Creative Writing from Portland State University and teaches composition, fiction-writing, and zine-making at various institutions.
The How.com.vn Tech Team also followed the article's instructions and verified that they work.
This article has been viewed 33,909 times.
Learn more...
This How.com.vn teaches you where to find the most essential logs on popular Unix operating systems. The default logging location on all versions of Linux, as well as FreeBSD, is /var/log, but the actual log names vary by system. If you're using Solaris, your logs are in /var/adm. Most logs are flat text files you can view with cat, more, tail, or by opening in a text editor—however, logs like dmesg (which contains kernel ring buffer info) and lastlog (which shows user login info) are viewed by running specific commands.
Finding Logs in Unix on Linux
Find your logs by opening the shell prompt and navigating to /var/log. Learn about the common logs such as authentication, startup messages, and background services. There are a few commands you can use to get more info about a log. For example, view the entire content of a log by using the ‘cat’ command.
Steps
Press Ctrl+Alt+T. This opens the shell prompt.
Type cd /var/log and press ↵ Enter. This takes you to /var/log, the location of your Linux log files.- If you're using Solaris, your logs are located in /var/adm.
Advertisement
Type ls -a and press ↵ Enter. This displays a list of all files in the directory.
Learn the common logs. The logs you'll find depend on a number of factors, including the version of Linux you're running and the software and services you use. Here's an overview of the most common log files (if you're using Solaris, just replace /var/log with /var/adm):- /var/log/auth.log: Authentication logs (both successful and failed attempts) on Debian/Ubuntu Linux and FreeBSD.[1]
- Solaris users will use /var/adm/authlog.[2]
- /var/log/boot.log: Startup messages and boot info.
- /var/log/cron: All cron-related messages for most Unix versions.
- If you're using Solaris, your cron log is at /var/cron/log.
- /var/log/daemon.log: Running background services.
- /var/log/dmesg: Device driver messages. This is a binary file, not a text file—to view this log you'll need to use the dmesg command.
- /var/log/faillog: Failed logins only.
- /var/log/httpd or /var/log/apache2: Apache web server logs.
- /var/log/maillog or var/log/mail.log: Mail server info.
- /var/log/lastlog: Shows all users' last logins. This is a binary file, not a text file—to view this log you'll need to use the lastlog command.
- /var/log/messages: General system messages for Solaris and FreeBSD, as well as the Linux versions Fedora, RedHat, and CentOS:[3]
- /var/log/secure: Authentication logs (successful and failed attempts) for RedHat/CentOS.
- /var/log/syslog: General system messages for Ubuntu Linux, Linux Mint, and Debian Linux-based systems. If you're using Solaris, this is where you'll find mail-related messages.
- /var/log/utmp: Current login states for each user.
- /var/log/wtmp: User login and logout times.
- /var/log/auth.log: Authentication logs (both successful and failed attempts) on Debian/Ubuntu Linux and FreeBSD.[1]
Use the cat command to view all contents of a log. As long as the log is a flat text file, you can run cat logname to view the entire log.- If you don't already have root access, use sudo before each command.
Use more to view a log's contents screen-by-screen. Since many of these logs can get large, cat might be frustrating to use. If you want to view the log screen-by-screen, try more logname instead so you can page through the log screen-by-screen.- Use the Enter key to scroll one line at a time, or the Spacebar to scroll one screen at a time.
- To go back, press b. To return to the prompt, press q.
Use the tail -f to view a log in real time. This displays a live version of the log that constantly updates as new items write to it. For example, if you're having trouble with Apache, it may be helpful to run tail -f /var/log/httpd and leave it open in a terminal window while you troubleshoot.- If you just want to view the end of the log but don't care whether it updates in real time, run tail -20 /var/log/httpd to view its last 20 lines. You could replace "20" with any number of lines from the bottom you want to see.
- You can also parse what you see with tail (or pretty much any other command) by piping it out to grep. For example, tail -f /var/log/auth.log | grep 'Invalid user' will display all invalid
- "Piping out" a command means redirecting the output to another command. Basically, it lets you use two or more commands at once.
Use vi to open the log. You can use any text editor, such as vi or vim to open most logs for viewing. To do so, just use vi /var/log/auth.log (or the desired log name). You can then freely navigate through the log as needed, as well as use the editor's search tools. In vi and vim, you can search for strings of text using a forward slash in command mode.- For example, typing /smtp and pressing Enter will find the next instance of "smtp" in the file. Press n to move to the next instance of the search string, or N (uppercase) to go back to the previous.
Use dmesg to view messages from the kernel. When you want to view /var/log/dmesg, you'll need to use this command.[4]- To move through the log screen by screen, run dmesg | more.
- Use dmesg with grep to search for specific entries. For example, to view only hard disk entries, run dmesg | grep -i sda.
- -i tells grep to ignore the case.
- To see just the first 10 lines of the log, run dmesg | head -10. Replace "10" with the number of lines from the top of the file you want to see. To do the same with the end of the file, run dmesg | tail -10.
Use lastlog to view the last login dates for each user. /var/log/lastlog, like /var/log/dmesg, is a binary file that requires the use of a command for viewing. You can just type lastlog and press Enter to view the log, or pipe it out (| = pipe) for easier viewing—for example, lastlog | more lets you read the log screen-by-screen, and lastlog | grep root would only display root login info.
Expert Q&A
Tips
References
About This Article
1.Find your Linux logs in /var/log.
2.Use cat to display the entirety of a log file.
3.Use tail to see just the last lines.
4.Use vi to open a log in a text editor.
5.Use dmesg to view the contents of /var/log/dmesg.
6.Use lastlog to view the contents of /var/log/lastlog.
Is this article up to date?
⚠️ Disclaimer:
Content from Wiki How English language website. Text is available under the Creative Commons Attribution-Share Alike License; additional terms may apply.
Wiki How does not encourage the violation of any laws, and cannot be responsible for any violations of such laws, should you link to this domain, or use, reproduce, or republish the information contained herein.
- - A few of these subjects are frequently censored by educational, governmental, corporate, parental and other filtering schemes.
- - Some articles may contain names, images, artworks or descriptions of events that some cultures restrict access to
- - Please note: Wiki How does not give you opinion about the law, or advice about medical. If you need specific advice (for example, medical, legal, financial or risk management), please seek a professional who is licensed or knowledgeable in that area.
- - Readers should not judge the importance of topics based on their coverage on Wiki How, nor think a topic is important just because it is the subject of a Wiki article.
