Linux Mint – Perusing system logs

File Management Commands in Linux

As your Linux system runs, it captures logs of basically everything that goes on. You’d be surprised to know how much information Linux keeps in its logs, everything from logins, website look-ups, and even when USB devices are inserted and/or removed. This is great considering that if you run into problems, chances are that something in the logs may help you pinpoint where the error originated. This is especially true if an error shows up while booting but goes away quickly before you have a chance to read it.

Logs are kept in the /var/log directory. If you navigate to this directory and list its contents, you’ll see quite a few logfiles, each with its own purpose. The logfiles in this directory that are of most interest for troubleshooting include kern.log, dmesg, auth.log, boot.log, and syslog (these are explained later in this section). To read a log, type the cat command followed by the name of the log. Depending on the permissions of the log, you may need to use sudo, so keep this in mind in case you receive a permissions error when attempting to read a log.

Note

When you use the cat command against a logfile, the content of the logfile will fly across your screen. This is fine if the log is small, but larger logs can be so large that not everything will fit on your screen. The less command, when used with cat, can make things much easier to read. Basically, you can pipe your command into the less command. This allows you to scroll the output by pressing Enter, so you can read at your own pace. Press Q on your keyboard to return to the prompt. Consider the following command line for an example of how to pipe the contents of a logfile into the less command:


cat /var/log/syslog | less

The most important tip when perusing logs is the use of the grep command, which is basically essential here. Many Linux logfiles become quite large, and scrolling through them line by line or even by page may take you a while. If you have an idea of what you’re looking for, you can use grep with the output of the cat command.

For example, say you are having an issue with your network card, which is identified as eth0. To see messages specifically related to eth0 in the syslog, consider the following command line:


cat /var/log/syslog | grep eth0

The same logic can be applied to any logfile. If you generally know which component is responsible for your issue and you want to see pertinent information specific to that hardware, you simply use the cat command to display the logfile, but pipe the output into grep with a keyword so that you’ll see anything that includes that keyword. The same logic can even be used when auditing security. For example, consider the auth.log file, which keeps the records of sessions as they are opened and closed. If you were searching for entries containing a specific username, you could type the following command line:


cat /var/log/auth.log | grep jdoe

The following are some specific logs to consider:

  • kern.log: This contains messages specific to the kernel. This is a great place to start your search if you’re having trouble with a piece of hardware.
  • dmesg: This log isn’t really a log at all, though you can use it as if it were one. It’s actually a utility, and the dmesg command is recognized by the Linux shell even outside of the /var/log directory. The information that dmesg provides is useful for diagnosing hardware as well as errors during the boot process.
  • auth.log: This log answers questions such as “Who is logging in to your system” and “Who has attempted to use sudo or access the root account”. In corporate environments, it may be useful to periodically peruse this log to see if any suspicious activity is occurring.
  • boot.log: If you see an error flash by on your screen while booting, but it goes away so fast that you can’t read it, the boot.log file is useful, because it contains boot messages.
  • syslog: This file contains a wealth of information. If you face a problem, this is a good log for you to look through.
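The grep-on-auth.log idea above, and the auth.log entry in the list, can be taken one step further than a bare keyword search. The following shell functions are an added example, not part of the original text: they run over a small constructed sample of auth.log lines (written to a temporary file so nothing under /var/log is touched) and aggregate failed SSH logins by source address, list a user's sudo commands, and count a user's opened sessions. The log format mirrors what sshd, pam_unix and sudo write on a Debian-based system; the hostname, addresses and user names are made up.

```shell
#!/bin/sh
# Constructed sample of auth.log lines (not a real capture) so the
# functions below can be tried without reading /var/log/auth.log.
LOG="$(mktemp)"
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
Mar  3 09:12:01 mint sshd[2101]: Accepted password for jdoe from 192.0.2.10 port 51022 ssh2
Mar  3 09:12:01 mint sshd[2101]: pam_unix(sshd:session): session opened for user jdoe by (uid=0)
Mar  3 09:15:44 mint sshd[2140]: Failed password for root from 198.51.100.7 port 40001 ssh2
Mar  3 09:15:47 mint sshd[2140]: Failed password for root from 198.51.100.7 port 40001 ssh2
Mar  3 09:16:02 mint sshd[2155]: Failed password for invalid user admin from 198.51.100.7 port 40002 ssh2
Mar  3 09:20:10 mint sudo:     jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/usr/bin/apt update
Mar  3 09:21:30 mint sudo:     jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/bin/cat /var/log/auth.log
Mar  3 09:30:00 mint sshd[2101]: pam_unix(sshd:session): session closed for user jdoe
EOF

# Failed SSH logins per source address, most frequent first. This is the
# same grep as "grep 'Failed password'", but aggregated so that one noisy
# address (a password-guessing attempt) stands out from background noise.
failed_logins_by_source() {
    grep 'Failed password' "$1" | sed 's/.* from \([^ ]*\) .*/\1/' \
        | sort | uniq -c | sort -rn
}

# Commands the given user ran through sudo, one per line.
# Usage: sudo_commands_for LOGFILE USERNAME
sudo_commands_for() {
    grep "sudo: *$2 :" "$1" | sed 's/.*COMMAND=//'
}

# Number of sessions opened for the given user. Narrower than "grep jdoe",
# which also matches sudo lines, session-closed lines and any other mention.
session_count_for() {
    grep -c "session opened for user $2 " "$1"
}

# Run the three checks against the sample when executed directly.
echo "Failed logins by source:";  failed_logins_by_source "$LOG"
echo "sudo commands for jdoe:";   sudo_commands_for "$LOG" jdoe
echo "Sessions opened for jdoe:"; session_count_for "$LOG" jdoe
```

Point the functions at /var/log/auth.log (with sudo) instead of "$LOG" to run them against a real system.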

Another useful trick to have at your disposal is the tail command. With tail, you can view the tail end of the file. By default, the tail command will show you the last ten lines of a file. The tail command is used in the following manner:


tail /var/log/syslog

However, you’re able to view a different number of the last lines using the -n option. For example, to view the last 25 lines of the syslog file, you can type the following command line:


tail -n 25 /var/log/syslog

From here, tail only gets more awesome. The tail command also features a follow mode, which continuously scrolls a file as it grows. You can use the follow mode with the -f option as shown in the following command line. As the logfile grows with more information, your terminal will be updated, allowing you to watch a logfile in almost real time as it gets updated (press Ctrl + C to stop):


tail -f /var/log/syslog

While administering Linux machines, the tail command’s follow mode can be indispensable. While troubleshooting an issue, you can watch a logfile with tail and try to reproduce the issue at the same time, watching the logfile react to your actions. To see this in action, try executing the following command, and while it is running, insert and remove a flash drive or network cable:


tail -f /var/log/dmesg

Note

The head command is very similar to tail, although it defaults to showing you the first 25 lines of a text file instead of the last 25.
