Skip to main content
Learn how to find, inspect, and monitor Linux system logs to troubleshoot issues, audit user activity, and understand system behavior. This guide covers classic /var/log files, real‐time monitoring with tail, and querying the systemd Journal with journalctl.

Overview of Linux Logging

Linux servers record almost every event—kernel messages, application errors, authentication attempts, service activity—in plain‐text logs. A logging daemon (typically rsyslog) collects these messages and writes them to files under /var/log. You can then search, filter, and monitor these logs.

Listing Log Files in /var/log

To see available log files: 
ls /var/log/
Example output: 
anaconda           dnf.rpm.log       secure
audit              firewalld         secure-20211026
boot.log           gdm               spooler
...                ...               ...

Common Log Files

FileDescription
/var/log/secureSSH authentication, sudo and PAM messages
/var/log/messagesGeneral system messages and kernel events
/var/log/boot.logBoot sequence messages
/var/log/auditAudit framework records
/var/log/dnf.rpm.logPackage installation and update history

Inspecting Logs as Root

Most files in /var/log are only readable by root:
Use sudo or su to become root before inspecting logs:
sudo --login
# or
su -

Finding SSH Logs

To locate where SSH events are recorded, search all files for “ssh”: 
grep -R "ssh" /var/log/
You’ll find entries in /var/log/secure. View it with: 
less /var/log/secure
Log format typically includes:
  • Date and time
  • Hostname
  • Process name and ID
  • Descriptive message

Live Monitoring with tail

Watch new log entries in real time with: 
tail -F /var/log/secure
Press Ctrl+C to exit follow mode.

Querying the systemd Journal with journalctl

Modern Linux distros use the systemd Journal. journalctl provides powerful querying options.

Filter by Command

which sudo
journalctl /bin/sudo

Filter by Service Unit

journalctl -u sshd.service

Jump to End or Follow

CommandDescription
journalctlShow all journal entries
journalctl -eJump to end of logs
journalctl -fFollow new entries (like tail)
By default, systemd Journal logs are stored in memory and cleared on reboot.
To enable persistent storage:
sudo mkdir -p /var/log/journal
sudo systemctl restart systemd-journald

Filtering Journal Entries

By Priority

Show errors and above: 
journalctl -p err

By Content

Use grep‐style patterns: 
journalctl -p info -g '^B'

By Time

FilterExample
Since a specific timejournalctl -S 02:00
Between two timestampsjournalctl -S '2021-11-16 01:00' -U '2021-11-16 02:00'
Current or previous boot logsjournalctl -b 0 / journalctl -b -1

Login History with last and lastlog

  • last: Shows recent logins, reboots, and shutdowns.
last
  • lastlog: Lists the most recent login for each user.
lastlog
CommandPurpose
lastDisplay recent logins and reboots
lastlogShow last login per user

Learn More

Watch Video

Practice Lab