Logs & Journald


Find and read system and application logs to diagnose what went wrong.

📖Theory

Logs are your first stop when something breaks. Traditionally they live as text files in /var/log (syslog, auth.log, dmesg, plus app-specific files). On systemd machines, the journal centralizes logs and you query it with journalctl — filterable by service, time, and priority.

The skill is filtering: a busy system produces millions of lines, so you narrow by unit (-u), time (--since), and severity (-p err) to find the signal.

🌍Real-World Example
journalctl -u nginx --since "1 hour ago"   # one service, recent
journalctl -p err -b                        # errors from this boot
journalctl -f                               # follow everything live
journalctl --since "2026-06-22 09:00"       # from a timestamp

tail -n 100 /var/log/syslog                  # last 100 lines
grep -i "failed" /var/log/auth.log           # failed logins
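
Added example (not part of the original lesson): grep -i "failed" also matches lines that have nothing to do with SSH, so this script counts only sshd "Failed password" entries per source address. The log lines are constructed samples using documentation IP ranges, and the function names (sample_auth_log, failed_ssh_by_ip, noisy_sources) are hypothetical.

```shell
#!/bin/sh
# Constructed sample lines in the usual /var/log/auth.log layout.
sample_auth_log() {
cat <<'EOF'
Jun 22 09:01:12 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jun 22 09:01:15 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jun 22 09:01:19 web1 sshd[2214]: Failed password for root from 203.0.113.5 port 51300 ssh2
Jun 22 09:02:40 web1 sshd[2230]: Failed password for alice from 198.51.100.7 port 40022 ssh2
Jun 22 09:02:52 web1 sshd[2230]: Accepted password for alice from 198.51.100.7 port 40022 ssh2
Jun 22 09:03:05 web1 systemd-logind[801]: Failed to abandon session scope, ignoring
Jun 22 09:04:10 web1 sshd[2251]: Failed password for invalid user test from 192.0.2.44 port 60111 ssh2
EOF
}

# Read a log on stdin and print "count ip", busiest source first.
# Only sshd "Failed password" lines count; the address is taken from the
# fixed tail "from <ip> port <n> ssh2", so unusual usernames cannot shift it.
failed_ssh_by_ip() {
    awk '$5 ~ /^sshd\[/ && $6 == "Failed" && $7 == "password" && $(NF-4) == "from" {
             n[$(NF-3)]++
         }
         END { for (ip in n) print n[ip], ip }' | sort -k1,1nr -k2,2
}

# Print only the sources with at least N failures (default 3).
noisy_sources() {
    failed_ssh_by_ip | awk -v t="${1:-3}" '$1 >= t { print $2 }'
}

# The plain grep from the lesson counts the logind line as well.
echo "grep -i failed: $(sample_auth_log | grep -ci 'failed') lines"
sample_auth_log | failed_ssh_by_ip
```

On a real host, replace the sample with the file itself, for example failed_ssh_by_ip < /var/log/auth.log.
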
✍️Hands-On Exercise
  1. Show all error-priority messages from the current boot.
  2. Follow a service’s logs live while you restart it.
  3. Use grep to find failed SSH login attempts in /var/log/auth.log.
  4. Filter the journal to the last 10 minutes for a single service.
🧾Cheat Sheet
| Task | Command |
| --- | --- |
| Service logs | journalctl -u svc |
| Follow live | journalctl -f |
| Since time | journalctl --since "1 hour ago" |
| This boot only | journalctl -b |
| Errors only | journalctl -p err |
| Text log tail | tail -f /var/log/syslog |
| Kernel ring buffer | dmesg |
💬Common Interview Questions
Where do logs live on a Linux system?

Traditional text logs are in /var/log (syslog, auth.log, etc.). On systemd systems the binary journal is queried with journalctl.

How do you filter the journal to one service since a given time?

journalctl -u <service> --since "2026-06-22 09:00", optionally adding -p err for errors or -f to follow.
