So, if there is some problem with my computer, be it hardware or software, what are the major log files and where are they located?
Also, is there a generic location where log files of the other packages might be located?
All log files are located in /var/log directory. In that directory, there are specific files for each type of logs. For example, system logs, such as kernel activities are logged in syslog file.
Some of the most common log files in that directory are:
In directory apt there is a file history.log which saves all the package installation and removal information even the initial system build as Live CD. You can open this file to see this very interesting file.
In directory dist-upgrade there is a file apt.log which logs the information during distribution upgrades
In directory installer the log files which are created during installation can be found.
There is an apport.log file which saves information about crashes in your system and reporting them.
The file auth.log includes information about the authentication activities such as when you authenticate as root user via sudo.
The file dpkg.log saves the low level details of package installation and removal related with dpkg . You might be aware that the apt system depends on dpkg for package installation and removal.
boot.log includes information of each booting.
kern.log saves kernel information such as warnings, errors etc.
alternatives.log includes the history of all the alternatives set by various packages and their removal via update-alternatives command.
Another important log file is Xorg.log which includes information about the graphics driver, its failures, warnings etc.
Some other types of log files may be there depending on your installed packages. For example, my system also includes a log file epoptes.log which will only be there if you install the epoptes package.
Changes after systemd
With the advent of systemd , logging is mostly handled by the journalctl utility, which stores the logs in binary format in the /var/lib/systemd/catalog/database file. This file enumerates all logs including kernel, boot and application logs and provides required logs via the journalctl utility.
Here is a good article on journalctl on how you can use it to fetch required log info.
In the screenshot below most of the important logs from /var/log are shown. In that location there are often other folders from other applications such as samba or apache2 if you have it installed.
To watch a log in real time you can use gnome-system-log or, for example, use
All logs can be analysed more easily either with the filter option in gnome-system-log or by using grep to search for a particular term. For example, if I wanted to find references to my SiS hardware, I could enter:
Most of the logs in the screenshot are self-explanatory, however, here’s a few quick notes:
A Linux Administrator should be able to read and understand the various types of messages generated by all Linux systems to troubleshoot an issue. These messages, named logs, are initiated by Linux and the applications running on it. Linux continuously creates, stores, and recycles these logs through various configuration files, programs, commands, and daemons. If you know how to read these files and make optimal use of the various commands we will mention in this tutorial, you can troubleshoot your issues like a pro!
It is important to note that Linux keeps its log files in the /var/log directory in text format.
Viewing System Logs on Ubuntu
To reach the core of an issue, or to see if your application or system is behaving in the desired manner, you can view the system log files either graphically or through the command line in the following ways:
- Gnome Logs utility (Graphic)
- Log File Viewer utility (Graphic)
- Linux Terminal (Command Line)
View Log Files Through Gnome Logs
‘Logs’ is the default utility that comes with the latest versions of Ubuntu e.g., Ubuntu 20.04 LTS (Focal Fossa). To access it,
Type Logs in the Ubuntu dash:
You will be able to see the Logs utility open, with the option to view logs for Applications, System, Security and Hardware.
Click on the System tab to view system logs:
Here you can view all the system logs along with the time they were generated. You can perform the following actions through this window:
- Display the contents of a log by clicking on it.
- Search for a log by clicking the search icon and then providing keywords in the search bar. The search bar also offers several filters that you can apply to specify exactly What (select a Journal field to filter the logs according to it) and When (select the timestamp range of the log entries to be shown) you want to see:
- You can also export logs to a file by clicking the export button located at the top right corner of the Logs window. You can then save the log file by specifying a name and location.
Through Log File Viewer
The Log File Viewer is the default utility that comes with the older versions of Ubuntu. If your edition of Ubuntu does not have this application by default, you can download and install it through Ubuntu Software.
To access the Log File Viewer:
- Enter Log Viewer in Ubuntu Dash
- If you have installed this program through Ubuntu Software, you can launch it by searching for it in the Ubuntu Software as follows and then clicking the Launch button:
The Log File Viewer will appear as follows:
The left panel of the window shows several default log categories and the right panel shows a list of logs for the selected category.
Click on the Syslog tab to view system logs. You can search for a specific log by using ctrl+F control and then enter the keyword. When a new log event is generated, it is automatically added to the list of logs and you can see it in bolded form. You can also filter your logs through the Filters menu located in the top menu bar.
To view a log for a specific application, click the Open option from the File menu. The following Open Log window will open for you to choose the log from:
Click on a log file and click Open. You will now be able to see logs from the selected log file in the Log File Viewer.
View Log Files Through the Terminal
You can also view system logs through the command line, i.e., the Ubuntu Terminal.
Open the Terminal and enter the following command:
This command fetches all the messages from the kernel’s buffer. You can see the output as follows:
You will see that this is a lot of information. This information will only be useful if we apply some filters to view what we want to see.
Customizing dmesg output
- To see messages at your own pace, use the following command:
This command will display only a specific number of messages per screen. You can press Enter to move to the next message or press Q to exit the command.
- To search for a message that contains a specific keyword, use the following command:
For example, if you want to search for all the messages containing the word core, you can use the following command:
The Terminal will now display only those messages containing the word “core” in red color.
Open a Log File with cat Command
The dmesg command opens all the logs from the /var/log directory. To open the logfile from some other location, use the following command:
This command will print logs from the syslog file to the screen. Again, you will observe that this command prints all the information and is not easy to skim through. Here again, you can use the ‘grep’ and ‘less’ filters to display the desired output as follows:
Writing To the System Log
Sometimes we need to write custom messages to our system log during the troubleshooting process. Both the Gnome Log and the Log File Viewer programs are built to display a customized message that you can write through the Terminal.
Open the Ubuntu Terminal and type the following command:
At the end of the above log list, you can see the custom log message displayed in the graphical log file viewer.
You can also use the logger command within a script for providing additional information. In that case, please use the following command within your script:
By practicing along with this tutorial, you can learn to troubleshoot your system and application issues by accessing and understanding system logs.
About the Author: Karim Buzdar holds a degree in telecommunication engineering and holds several sysadmin certifications. As an IT engineer and technical author, he writes for various web sites. You can reach Karim on LinkedIn
There are many different log files that all serve different purposes. When trying to find a log about something, you should start by identifying the most relevant file. Below is a list of common log file locations.
System logs deal with exactly that – the Ubuntu system – as opposed to extra applications added by the user. These logs may contain information about authorizations, system daemons and system messages.
Keeps track of authorization systems, such as password prompts, the sudo command and remote logins.
Daemons are programs that run in the background, usually without user interaction. For example, display server, SSH sessions, printing services, bluetooth, and more.
Provides debugging information from the Ubuntu system and applications.
Logs from the Linux kernel.
Contains more information about your system. If you can’t find anything in the other logs, it’s probably here.
Some applications also create logs in /var/log . Below are some examples.
Location: /var/log/apache2/ (subdirectory)
Apache creates several log files in the /var/log/apache2/ subdirectory. The access.log file records all requests made to the server to access files. error.log records all errors thrown by the server.
X11 server logs
The X11 server creates a separate log file for each of your displays. Display numbers start at zero, so your first display (display 0) will log to Xorg.0.log . The next display (display 1) would log to Xorg.1.log , and so on.
Not all log files are designed to be read by humans. Some were made to be parsed by applications. Below are some examples.
Login failures log
Contains info about login failures. You can view it with the faillog command.
Last logins log
Contains info about last logins. You can view it with the lastlog command.
Login records log
Contains login info used by other utilities to find out who’s logged in. To view currently logged in users, use the who command.
This is not an exhaustive list!
You can search the web for more locations relevant to what you’re trying to debug. There is also a longer list here.
3. Viewing logs using GNOME System Log Viewer
The GNOME System Log Viewer provides a simple GUI for viewing and monitoring log files. If you’re running Ubuntu 17.10 or above, it will be called Logs. Otherwise, it will be under the name System Log.
System Log Viewer interface
The log viewer has a simple interface. The sidebar on the left shows a list of open log files, with the contents of the currently selected file displayed on the right.
The log viewer not only displays but also monitors log files for changes. The bold text (as seen in the screenshot above) indicates new lines that have been logged after opening the file. When a log that is not currently selected is updated, its name in the file list will turn bold (as shown by auth.log in the screenshot above).
Clicking on the cog at the top right of the window will open a menu allowing you to change some display settings, as well as open and close log files.
There is also a magnifying glass icon to the right of the cog that allows you to search within the currently selected log file.
If you wish to learn more about the GNOME System Log Viewer, you may visit the official documentation.
4. Viewing and monitoring logs from the command line
It is also important to know how to view logs in the command line. This is especially useful when you’re remotely connected to a server and don’t have a GUI.
The following commands will be useful when working with log files from the command line.
The most basic way to view files from the command line is using the cat command. You simply pass in the filename, and it outputs the entire contents of the file: cat file.txt .
This can be inconvenient when dealing with large files (which isn’t uncommon for logs!). We could use an editor, although that may be overkill just to view a file. This is where the less command comes in. We pass it the filename ( less file.txt ), and it will open the file in a simple interface. From here, we can use the arrow keys (or j/k if you’re familiar with Vim) to move through the file, use / to search, and press q to quit. There are a few more features, all of which are described by pressing h to open the help.
Viewing the start or end of a file
We may also want to quickly view the first or last n number of lines of a file. This is where the head and tail commands come in handy. These commands work much like cat , although you can specify how many lines from the start/end of the file you want to view. To view the first 15 lines of a file, we run head -n 15 file.txt , and to view the last 15, we run tail -n 15 file.txt . Due to the nature of log files being appended to at the bottom, the tail command will generally be more useful.
To monitor a log file, you may pass the -f flag to tail . It will keep running, printing new additions to the file, until you stop it (Ctrl + C). For example: tail -f file.txt .
One way that we looked at to search files is to open the file in less and press / . A faster way to do this is to use the grep command. We specify what we want to search for in double quotes, along with the filename, and grep will print all the lines containing that search term in the file. For example, to search for lines containing “test” in file.txt , you would run grep "test" file.txt .
If the result of a grep search is too long, you may pipe it to less , allowing you to scroll and search through it: grep "test" file.txt | less .
The simplest way to edit files from the command line is to use nano . nano is a simple command line editor, which has all the most useful keybindings printed directly on screen. To run it, just give it a filename ( nano file.txt ). To close or save a file, press Ctrl + X. The editor will ask you if you want to save your changes. Press y for yes or n for no. If you choose yes, it will ask you for the filename to save the file as. If you are editing an existing file, the filename will already be there. Simply leave it as it is and it will save to the proper file.
Congratulations, you now have enough knowledge of log file locations, usage of the GNOME System Log Viewer and basic command line commands to properly monitor and trouble-shoot problems that arise on your system.
(This question deals with a similar issue, but it talks about a rotated log file.)
Today I got a system message regarding very low /var space.
As usual I executed the commands in the line of sudo apt-get clean which improved the scenario only slightly. Then I deleted the rotated log files which again provided very little improvement.
Upon examination I find that some log files in /var/log have grown to be very huge ones. To be specific, ls -lSh /var/log gives,
As we can see, the first two are the offending ones. I am mildly surprised why such large files have not been rotated.
So, what should I do? Simply delete these files and then reboot? Or go for some more prudent steps?
I am using Ubuntu 14.04.
To begin with, the system is only several months old. I had to install the system from scratch couple of months back after a hard disk crash.
Now, as advised in this answer, I first checked the offending log files using tail , no surprise there. Then, for deeper inspection, I executed this script from the same answer.
The process took several hours. The output was in the line of,
( /dev/sda3 is my home directory. As we can find,
Why a process will want to write beyond the limit is actually outside the scope of my comprehension. Perhaps I will want to ask a different question in this forum if this continues even after a system update.)
Then, from this answer (you may want to check this for a deeper understanding), I executed,
Now, these files have zero sizes. The system is running fine before and after a reboot.
I will watch these files (along with others) in the next few days and report back should they behave out-of-line.
As a final note, both the offending files ( kern.log and syslog ), are set to be rotated, as inspection of the files ( grep helped) inside /etc/logrotate.d/ shows.
The log files are actually rotated. Looks like the large sizes were attained on a single day.
Simply delete these files and then reboot?
No. Empty them but do not use rm because it could end up crashing something while you are typing the touch command to recreate it.
If not root it will require sudo . Taken from another answer on AU.
BEFORE YOU DO THAT. Do a tail
Both kern.log and syslog should normally not be that big. But like I said: if this system is up and running for years and years it might be normal and the files just need to be cleared.
And to prevent it from becoming that big in the future: set up logrotate . It is pretty straightforward and will compress the logfile when it becomes bigger than a size you set it to.
1 other thing: if you do not want to delete the contents you can compress the files by tarring or gzipping them. That will have you end up with files probably 10% of what they are now. That is if there is still room on the disk to do that.
This article will explain how to view various log files scattered throughout the Linux file system. Log files are useful for finding out system anomalies and can help in developing fixes for them. All the commands listed below are tested in Ubuntu 20.04 LTS version, but they should work in other Linux distributions as well. In case you are not able to find certain log files, you can use the “Locate” command, which can be installed in your system through the package manager.
GNOME Logs is a graphical log viewer shipped by default in most GNOME Shell based Linux distributions. It shows all logs generated for systemd journals. Systemd manages all services running on your system and it is responsible for starting, stopping and monitoring various services that are launched at boot. GNOME Logs neatly categorises logs in various headings and you can export these logs to text files. It also allows you to search and refine log messages using various filters.
To install GNOME Logs in Ubuntu, run the command below:
You can install GNOME Logs in other Linux distributions by searching for it in the package manager shipped with your distribution. Alternatively, you can compile it from source code.
Linux Kernel Logs
To view kernel logs in terminal, run the command below:
You can also open the log file in any text editor of your choice. The screenshot above shows the usage of “tail” command after the pipe symbol. It ensures that only the last few lines are shown as the output (two lines in this case).
To view kernel logs for previous boot, run the command below:
Logs for X11 Xorg display server can be found at two locations depending on your Linux distribution. The logs can be located at either “/var/log/” or “$HOME/.local/share/xorg/” directories. You can find correct location of Xorg log files by running the command below:
The “0” part in the file name denotes identification number for the connected monitor. If you have only one display connected to your system, the file name should be “Xorg.0.log”. In case of multi-monitor setups, multiple log files will be recorded, one for each monitor. For instance, in multi-monitor setups, file names could be “Xorg.0.log”, “Xorg.1.log” and so on.
To view these logs using “less” command, use the following command:
“Less” command shortens terminal output and allows you to interactively navigate to the next line of the terminal output using key.
Dmesg prints kernel log messages or “ring buffer” of the Linux kernel. It is used to examine and debug all the output generated by the kernel, especially messages related to connected hardware and their drivers.
Run the following commands to view dmesg log:
You can check all command line arguments for dmesg by running the following command in a terminal:
To view boot messages log, run the command below:
To view logs for previous boot, run the command below:
System log files record a variety of messages useful for debugging. If you cannot find certain log messages in other files, chances are that they could be in syslog files.
To view current and previous syslog files respectively, run the following commands:
Authorization Logs or simply “Auth” logs record remote login attempts and password prompts requested by sudo command. To view these logs, use the following commands:
“Faillog” records failed login attempts while “Lastlog” shows information about last login. Run the following commands to see login records:
Third Party Application Logs
User installed third party applications do not have root access. In case they are recording any logs, they should be in the directory of the executable file or at the following locations:
Examining various log files can help in debugging system freeze and crash issues, especially when new and unsupported hardware is present in the PC. These log files are also useful for finding out security breaches or security loopholes if there are any. If you are getting unexpected behavior from software installed on your system or frequent reboots and crashes, the first thing you should do is to examine various system log files.
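The auth log described above records remote login attempts, which makes it the first place to look for repeated failures from one source. The following is an added example, not part of the original article: it counts failed SSH password attempts per source address. The sample lines are constructed (documentation address ranges), the function names are hypothetical, and it assumes OpenSSH's usual "Failed password for ... from ADDR port N" wording.

```shell
#!/bin/sh
# Added example: failed SSH password attempts per source address.

# Constructed sample in the style of /var/log/auth.log.
sample_auth_log() {
    cat <<'EOF'
Mar  3 10:01:11 host1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:01:14 host1 sshd[2101]: Failed password for invalid user from from 203.0.113.7 port 51236 ssh2
Mar  3 10:01:19 host1 sshd[2107]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar  3 10:02:40 host1 sshd[2120]: Failed password for alice from 198.51.100.9 port 40100 ssh2
Mar  3 10:03:02 host1 sshd[2125]: Accepted password for alice from 198.51.100.9 port 40102 ssh2
Mar  3 10:03:30 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
EOF
}

# failed_ssh_by_source FILE
# Prints "<count> <address>" lines, highest count first.
failed_ssh_by_source() {
    awk '
    /sshd\[[0-9]+\]: Failed password for / {
        # Scan from the end of the line: the user name is attacker-chosen
        # and may itself be "from", so the last "from ADDR port" wins.
        for (i = NF; i > 2; i--)
            if ($i == "port" && $(i - 2) == "from") {
                hits[$(i - 1)]++
                break
            }
    }
    END { for (ip in hits) printf "%d %s\n", hits[ip], ip }' "$1" |
        sort -k1,1nr -k2,2
}

# Stand-alone run on the constructed sample.
tmp=$(mktemp) || exit 1
sample_auth_log > "$tmp"
failed_ssh_by_source "$tmp"
rm -f "$tmp"
```

On a real system the same function can be pointed at /var/log/auth.log, which normally requires root or membership of the adm group to read.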
About the author
I am a freelancer software developer and content writer who loves Linux, open source software and the free software community.
Logging into my Ubuntu machine, I get a warning that I am running out of disk space. Tracing back, I find that it is the syslogs, especially the kern.log(s) that are eating up my 1TB disk.
From the snippet above, you can easily find that kern.log and kern.log.1 are eating up 80% of my 1TB disk. I can get the space by deleting the files, but I think it won’t solve the problem.
Does anyone have an idea on what the issue might be? I saw that you can get the logging level by:
Have you checked the content of those files? There’s obviously something going on with your server causing events to be generated. Resolve whatever issue is causing that, and your logs should return to their normal size.
To temporarily solve the issue, type
You need to be root user for this: enter sudo su , your password, and then the above commands
This is an old question, but neither of the previous two answers are good solutions:
- The accepted answer doesn’t explain why the disk problem goes away if you fix the underlying system issue (the answer is logrotate ), plus your system may keep writing to the logs and fill up your disk before you can even figure out the underlying issue.
- The other answer removes and disables the logs entirely, which is not a good approach as it ignores the underlying issue. Also, you’ll probably want those log files later when you’re figuring out other system problems — disabling syslog makes it more difficult to track down future issues!
Instead, here is a safer method that lets you keep the log files while reclaiming disk space while also stopping the log files from doing this again.
- Safely clear the logs: after looking at (or backing up) the logs to identify your system’s problem, clear them by typing > /var/log/syslog (including the > ). You may need to be root user for this, in which case enter sudo su , your password, and then the above command.
- Then restart the syslog service (either systemctl restart syslog or service syslog restart ).
- Then, you can force the logs to rotate and delete automatically if they reach a certain size, using logrotate . In this case you can edit the config with sudo nano /etc/logrotate.d/rsyslog and add one line:
- This will force your syslog to “rotate” (i.e., create a new log file and archive the previous log file) after either 1 day or when the file becomes 1GB, whichever comes first. Note that rotate 7 means your system will only keep 7 total syslog backups so it can only ever take up 7GB of space.
- Note: you can change maxsize , rotate N , and other settings to customize your logs — use the command man logrotate to see more.
- While you’re at it, you may want to add the same setting in the second part of the file, which governs the behavior of other log files (e.g. kern.log for kernel events, auth.log for authentication events, etc.). This setting will make it so that each of these other log files will only take 4GB in total:
This will allow your system to keep logging events without them filling your disk.
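The answers above all start from looking at what is filling the log before clearing it. The following is an added sketch, not taken from any of the answers: it groups lines by message after dropping the timestamp, host name and numbers, so the event that is flooding the file rises to the top. The sample kernel lines and function names are constructed, and the classic "Mon DD HH:MM:SS host" line prefix is assumed.

```shell
#!/bin/sh
# Added example: find which message is flooding a syslog-format file.

# Constructed sample in the style of /var/log/kern.log.
sample_kern_log() {
    cat <<'EOF'
Jan 12 03:14:07 host1 kernel: [12345.678901] usb 1-1: device descriptor read/64, error -71
Jan 12 03:14:07 host1 kernel: [12345.912345] usb 1-1: device descriptor read/64, error -71
Jan 12 03:14:08 host1 kernel: [12346.101010] usb 1-2: device descriptor read/64, error -71
Jan 12 03:14:09 host1 kernel: [12347.000001] wlan0: associated
Jan 12 03:14:10 host1 kernel: [12348.222222] usb 1-1: device descriptor read/64, error -71
EOF
}

# top_messages FILE N
# Prints the N most frequent messages as "<count> <normalised message>".
top_messages() {
    awk '{
        # Drop "Mon DD HH:MM:SS host" (assumed classic syslog prefix).
        $1 = ""; $2 = ""; $3 = ""; $4 = ""
        sub(/^ +/, "")
        # Drop the kernel uptime stamp, e.g. "[12345.678901] ".
        sub(/\[ *[0-9]+\.[0-9]+\] /, "")
        # Replace every number with N so repeats of one event,
        # differing only in port, PID or counter, share a bucket.
        gsub(/[0-9]+/, "N")
        count[$0]++
    }
    END { for (m in count) printf "%d %s\n", count[m], m }' "$1" |
        sort -k1,1nr -k2 | head -n "$2"
}

# Stand-alone run on the constructed sample.
tmp=$(mktemp) || exit 1
sample_kern_log > "$tmp"
top_messages "$tmp" 3
rm -f "$tmp"
```

With a log of many gigabytes, run it on a bounded sample (for example the output of tail -n 100000 saved to a temporary file) rather than on the whole file.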
In order to clean a log file, some users simply delete the old file and create a new log file. There are however many ways to remove the content of the log file without having to open it. Make sure not to clear the content of a critical system or configuration file since this might lead to a system crash or failure.
Using stdout or redirecting to Null
The first alternative would be to run the command :
cat /dev/null > logfile
cp /dev/null logfile
dd if=/dev/null of=logfile
Where in the last command, ‘if’ refers to the input file while ‘of’ to the output file.
The /dev/null device file is a rather special file that removes any input stream that was redirected to it.
Using true and tee commands
true | tee logfile
In general when writing :
a_task | tee -a logfile
It will put the output into logfile and to stdout.
Using echo Command
The echo command can be used with an empty string and redirected to the file as follows:
echo "" > logfile
echo > logfile
An empty string is not to be confused with null, since a string is an object with no attributes or parameters within it. Those who develop in C++ or Java already know that Null means that an object does not exist.
When you run the echo command above, the file will contain an empty line. In order to redirect a null output to the file, you could rely on the -n switch which commands echo to not output a trailing newline.
echo -n "" > logfile
How to empty a file in linux using truncate
Another way would be to use :
truncate --size 0 logfile
The truncate command shrinks or extends the size of a file to a desired size.
It can be used it with the -s switch to indicate the file size. To empty a file content therefore, you could specify a size of 0 (zero) as shown in the command above.
In order to perform this for multiple files, you can proceed as follows :
truncate -s 0 logfile1 logfile2 …
Given the fact that logfiles can be useful, you could archive a copy by compressing and then saving it. You could rely in this case on logrotate, which can carry this out easily. For more on logrotate, refer to this link.
Using for loop
You can also use a loop :
for f in logfile1 logfile2 … ; do
    # select your desired command to empty the file, for example:
    truncate -s 0 "$f"
done
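What emptying a log in place, as opposed to deleting and recreating it, looks like from the side of a process that still has the file open. This is an added example, not code from the original article: file descriptor 3 of the script stands in for a logging daemon, and the file names and the two log lines are constructed.

```shell
#!/bin/sh
# Added example: rm versus in-place truncation while a writer has the log open.

BEFORE='line before cleanup'   # 20 bytes once written with its newline
AFTER='line after cleanup'     # 19 bytes once written with its newline

# Case 1: rm, then recreate the file, while the writer keeps its descriptor.
# Prints "<bytes visible at the path> <bytes in the deleted inode>".
demo_rm() {
    dir=$(mktemp -d) || return 1
    log="$dir/app.log"
    exec 3>>"$log"               # the "daemon" opens the log (append mode)
    exec 4<"$log"                # reader on the same inode, to inspect it later
    printf '%s\n' "$BEFORE" >&3
    rm "$log"                    # the name is gone, the inode is not
    touch "$log"                 # new, empty inode under the old name
    printf '%s\n' "$AFTER" >&3   # still lands in the deleted inode
    at_path=$(wc -c < "$log" | tr -d ' ')
    orphaned=$(wc -c <&4 | tr -d ' ')
    exec 3>&- 4<&-
    rm -rf "$dir"
    echo "$at_path $orphaned"
}

# Cases 2 and 3: empty the file in place with ": > file" while it is open.
# $1 = "append" (writer opened with >>) or "plain" (writer opened with >).
# Prints "<apparent size> <bytes that are not NUL padding>".
demo_truncate() {
    dir=$(mktemp -d) || return 1
    log="$dir/app.log"
    if [ "$1" = append ]; then exec 3>>"$log"; else exec 3>"$log"; fi
    printf '%s\n' "$BEFORE" >&3
    : > "$log"                   # same inode, length reset to 0
    printf '%s\n' "$AFTER" >&3   # append mode: offset 0; plain: old offset 20
    size=$(wc -c < "$log" | tr -d ' ')
    real=$(tr -d '\000' < "$log" | wc -c | tr -d ' ')
    exec 3>&-
    rm -rf "$dir"
    echo "$size $real"
}

# Stand-alone run.
echo "rm + recreate:              $(demo_rm)"
echo "truncate, append writer:    $(demo_truncate append)"
echo "truncate, non-append writer: $(demo_truncate plain)"
```

After rm the writer's new records are not visible under the file name and the deleted inode keeps its disk space until the writer closes or reopens the file, which also leaves a gap in the readable log. Truncation keeps the same inode, but a writer that did not open the file in append mode continues at its old offset and the file reappears at its previous apparent size, padded with NUL bytes.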
That would be all for now folks. In this article we have provided few methods to help clear or empty a log file (or any other file) using simple command line tools and shell redirection utilities. If you know other alternatives, please feel free to write them in the comments section.
“Even if you are only running your own Linux box at home,
sooner or later you will face the task of having to solve some
strange problems (PPP has stopped working, X is not starting
anymore, and so on), where the only hint is some messages left
in a log file. To prepare yourself for this, you should start
peeking into log files right now, even if everything is
working correctly (or, at least, that’s what you think…).”
“Log files are just plain text files containing one message per
line. To look at the messages inside any of them, all you have to
do is use one of the many tools available in Linux that manage text
files: a plain cat /var/log/messages would be sufficient to print
all the messages onto the screen, but if you try it you will see a
lot of text pages flowing over the screen probably too quickly to
read. Log files are always very large, as they keep accumulated
messages from the very first time you started your Linux system. In
the future we will learn how to keep their size limited, but for
the moment it suffices to notice that you cannot simply ‘cat’ them,
and that it is probably a bad idea to try and open them with a text
editor: firstly because you could easily run out of memory, and
secondly because you are not expected to change the contents of a
log file. A better way to look at log files is to use a pager, such
as more or less, or to use grep if you are seeking specific
messages. Let’s try with less /var/log/messages first.”
“…all the messages that go to the /var/log/messages file are
nothing particularly serious or urgent. One interesting message is
the so-called ‘MARK’, which is issued periodically (every 20
minutes by default) just to say that the system is still alive. …
Another typical use of the MARK message is for helping in a
post-mortem diagnosis, giving the system administrator a hint about
the last time the machine was running before an (unlikely) crash.
… The other two standard log files, /var/log/debug and
/var/log/syslog, contain more important messages such as debug
information and error notices.”
How can I see the content of a log file in real time in Linux? There are a lot of utilities that can help a user to output the content of a file while the file is changing or continuously updating. One of the best-known and most heavily used utilities for displaying file content in real time in Linux is the tail command.
1. tail Command – Monitor Logs in Real Time
As said, tail command is the most common solution to display a log file in real time. However, the command to display the file has two versions, as illustrated in the below examples.
In the first example the command tail needs the -f argument to follow the content of a file.
Monitor Apache Logs in Real Time
The second version of the command is actually a command itself: tailf. You won’t need to use the -f switch because the command is built-in with the -f argument.
Real Time Apache Logs Monitoring
Usually, the log files are rotated frequently on a Linux server by the logrotate utility. To watch log files that get rotated on a daily base you can use the -F flag to tail command.
The tail -F will keep track if new log file being created and will start following the new file instead of the old file.
However, by default, the tail command will display the last 10 lines of a file. For instance, if you want to watch in real time only the last two lines of the log file, use the -n flag combined with the -f flag, as shown in the below example.
Watch Last Two Lines of Logs
2. Multitail Command – Monitor Multiple Log Files in Real Time
Another interesting command to display log files in real time is multitail command. The name of the command implies that multitail utility can monitor and keep track of multiple files in real time. Multitail also lets you navigate back and forth in the monitored file.
To install the multitail utility in Debian and RedHat based systems issue the below command.
To display the output of two log files simultaneously, execute the command as shown in the below example.
Multitail Monitor Logs
3. lnav Command – Monitor Multiple Log Files in Real Time
Another interesting command, similar to multitail command is the lnav command. Lnav utility can also watch and follow multiple files and display their content in real time.
To install the lnav utility in Debian and RedHat based Linux distributions, issue the below command.
Watch the content of two log files simultaneously by issuing the command as shown in the below example.
lnav – Real Time Logs Monitoring
4. less Command – Display Real Time Output of Log Files
Finally, you can display the live output of a file with less command if you type Shift+F .
As with the tail utility, pressing Shift+F in an opened file in less will start following the end of the file. Alternatively, you can also start less with the less +F flag to enter live watching of the file.
Watch Logs Using Less Command
That’s It! You may read these following articles on Log monitoring and management.
In this article, we showed how to watch data being appended in log files in real-time on the terminal in Linux. You can ask any questions or share your thoughts concerning this guide via the comment form below.