Viewing Logs
Think of logs like your system's diary. Every event, error, or action gets written down so you can figure out what happened, like checking office CCTV or a meeting log after something goes wrong. There are two main ways to view logs in Linux: log files in /var/log/ and journalctl.
Exploring /var/log/ Files
/var/log/ is a directory where most system logs live.
Common log files:
- /var/log/syslog: general system messages (like office memos)
- /var/log/auth.log: login attempts and authentication events (security diary)
- /var/log/kern.log: kernel messages (low-level system operations)
- /var/log/dmesg: hardware messages from boot (hardware check records)
How to view logs:
# print entire file
# scroll through easily
# watch live updates in real-time
The tail -f command is like having a live CCTV feed for your system events.
Using journalctl
journalctl is for modern Linux systems (systemd) where logs are kept in a centralized binary journal.
# view all logs
# logs for ssh service only
# live updates like `tail -f`
# logs from last hour
Extra tip: You can combine filters, like journalctl -u nginx -p err to see only nginx errors.
Pro Tip
Logs are huge, so don't just scroll blindly. Use filters, timestamps, and service names to pinpoint problems quickly. Logs are your best friend for troubleshooting!
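As an added example (not part of the original page), here is one way to apply that advice to /var/log/auth.log: filter to the sshd service and count failed password logins per source address. The function names are hypothetical, the sample lines are constructed, and the script assumes the traditional syslog line layout and OpenSSH's "Failed password" message wording.

```shell
#!/bin/sh
# Constructed sample in /var/log/auth.log style (documentation-range addresses).
sample_auth_log() {
cat <<'EOF'
Mar 10 09:14:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar 10 09:14:03 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar 10 09:14:09 web01 sshd[2215]: Failed password for root from 203.0.113.7 port 51140 ssh2
Mar 10 09:15:30 web01 sshd[2220]: Accepted password for deploy from 198.51.100.23 port 40022 ssh2
Mar 10 09:16:02 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar 10 09:17:45 web01 sshd[2231]: Failed password for invalid user from from 198.51.100.99 port 33810 ssh2
Mar 10 09:18:10 web01 CRON[2240]: pam_unix(cron:session): session opened for user root by (uid=0)
EOF
}

# Hypothetical helper: reads auth.log-style lines on stdin and prints
# "<failures> <source>" for failed SSH password logins, busiest source first.
# Assumes the layout: month day time host program[pid]: message
failed_ssh_by_source() {
    awk '
        # Service filter: only sshd lines, whatever the PID in brackets.
        NF >= 9 && $5 ~ /^sshd\[[0-9]+\]:$/ && /Failed password for/ {
            # The user name is chosen by the client, so locate the address
            # from the END of the line ("from <addr> port <n> ssh2").
            if ($(NF-4) == "from" && $(NF-2) == "port")
                count[$(NF-3)]++
        }
        END { for (src in count) print count[src], src }
    ' | sort -k1,1nr -k2,2
}

# Hypothetical helper: list only the sources with at least $1 failures.
noisy_sources() {
    failed_ssh_by_source | awk -v min="$1" '$1 >= min { print $2 }'
}

# Against a real system: failed_ssh_by_source < /var/log/auth.log
sample_auth_log | failed_ssh_by_source
```

The sixth sample line uses a user name of "from" to show why the address is read relative to the end of the line rather than after the first "from".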
Real-life analogy
For /var/log/: Imagine a filing cabinet where every drawer stores a different type of record: security events, application logs, or system errors. For journalctl: Instead of separate notebooks for each log, all events are recorded in a master diary you can query efficiently. This gives you the "detective tools" to see what's happening inside your system at any moment.