
Essential Linux Log Files and How to Read Them

By Admin · Feb 25, 2026 · Updated Apr 25, 2026

Important Log Files

Log File                 Contents
/var/log/syslog          General system messages (Ubuntu/Debian)
/var/log/messages        General system messages (RHEL/Rocky)
/var/log/auth.log        Authentication events (logins, sudo)
/var/log/kern.log        Kernel messages
/var/log/nginx/          Nginx access and error logs
/var/log/apache2/        Apache access and error logs
/var/log/mysql/          MySQL/MariaDB logs
/var/log/fail2ban.log    Fail2Ban actions

Using journalctl (systemd)

# View all logs
journalctl

# Follow logs in real-time
journalctl -f

# Logs for a specific service
journalctl -u nginx

# Logs since last boot
journalctl -b

# Logs from a time range
journalctl --since "2026-02-25 10:00" --until "2026-02-25 12:00"

# Show only errors and above
journalctl -p err

# Disk usage of journal
journalctl --disk-usage

Reading Logs Efficiently

# Follow a log file in real-time
tail -f /var/log/syslog

# Show last 50 lines
tail -n 50 /var/log/auth.log

# Search for patterns
grep "Failed password" /var/log/auth.log
grep -i "error" /var/log/syslog | tail -20

# Count matching lines
grep -c "Failed password" /var/log/auth.log
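
The grep count above gives one total for the whole file. As an added example (not part of the original article), these shell functions break failed SSH password attempts down per source address. The log lines, host, users and addresses are constructed, the function names are hypothetical, and the "message repeated N times" form assumes rsyslog's repeated-message reduction is enabled.

```shell
#!/bin/sh
# Constructed sample in auth.log format (documentation IP ranges, made-up host and users).
sample_auth_log() {
cat <<'EOF'
Feb 25 10:01:02 web1 sshd[1201]: Failed password for root from 203.0.113.5 port 40112 ssh2
Feb 25 10:01:05 web1 sshd[1201]: message repeated 2 times: [ Failed password for root from 203.0.113.5 port 40112 ssh2]
Feb 25 10:01:09 web1 sshd[1204]: Failed password for invalid user admin from 203.0.113.5 port 40118 ssh2
Feb 25 10:02:11 web1 sshd[1210]: Failed password for invalid user backup admin from 198.51.100.7 port 51000 ssh2
Feb 25 10:03:00 web1 sshd[1215]: Accepted password for deploy from 192.0.2.44 port 50022 ssh2
Feb 25 10:03:30 web1 sudo: deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/apt update
Feb 25 10:04:10 web1 sshd[1220]: Failed password for deploy from 192.0.2.44 port 50030 ssh2
EOF
}

# failed_by_ip [FILE...]: failed SSH password attempts per source address.
# Prints "<count> <ip>", highest count first. Reads stdin when no file is given.
failed_by_ip() {
    awk '
    /sshd\[[0-9]+\]: / && /Failed password for / {
        # Parse from the END of the line: "... from <ip> port <n> ssh2".
        # Counting fields from the left breaks on "invalid user" and on
        # usernames that contain spaces, because both shift the columns.
        if ($(NF-2) != "port" || $(NF-4) != "from") next
        n = 1
        # A collapsed line stands for several attempts; grep -c counts it once.
        if (match($0, /message repeated [0-9]+ times/)) {
            split(substr($0, RSTART, RLENGTH), p, " ")
            n = p[3]
        }
        hits[$(NF-3)] += n
    }
    END { for (ip in hits) print hits[ip], ip }
    ' "$@" | sort -k1,1nr -k2,2
}

# over_threshold N [FILE...]: addresses with at least N failed attempts.
over_threshold() {
    min=$1; shift
    failed_by_ip "$@" | awk -v min="$min" '$1 >= min { print $2 }'
}

# Run against the constructed sample; on a real host pass /var/log/auth.log instead.
sample_auth_log | failed_by_ip
```

On the sample, grep -c reports 5 matching lines while the per-address totals add up to 6 attempts, because the collapsed "message repeated" line stands for two.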

Log Rotation

Logs are automatically rotated by logrotate to prevent disk space issues. Configuration is in /etc/logrotate.d/:

/var/log/nginx/*.log {
    daily
    missingok
    rotate 14
    compress
    delaycompress
    notifempty
    sharedscripts
    postrotate
        systemctl reload nginx > /dev/null 2>&1 || true
    endscript
}

Centralized Logging

For multiple servers, consider shipping logs to a central location using rsyslog, Promtail + Loki, or the ELK stack (Elasticsearch, Logstash, Kibana).
