The activity of the system and of applications is saved in logs. In this video, explore common logs and how to use them.
- [Instructor] Computers are always doing stuff, and luckily for us, they keep a record of what's going on. The system's log files keep detailed information about individual actions the operating system and other services running within it are taking. These records are kept in various log files, usually in the /var/log directory. The system log, located at /var/log/syslog on Ubuntu and other Debian systems and /var/log/messages on Red Hat systems, keeps track of the actions that the system takes and provides a place where software can also write information. Some software maintains its own log files, which is convenient for isolating chatty programs and for keeping output related to one particular app separate from the rest of the logging information.
First, let's take a look at the system log. Here on Ubuntu, as I mentioned, it's at /var/log/syslog, and we can browse through it, page by page, with less. A log entry will have the date and time that the item was added to the log, the host name of the system, the program name and process ID, and a description from that program of what's being logged. Items in the log are kept in chronological order.
Let's take a look at an application log now. Maybe the log for the package manager. You can see that this looks a little different. It only has the date and time, a status, and a package name and version. We need less context here because we know where the information is coming from, as opposed to messages coming in from all kinds of places, as is the case with a system log. In the log folder, there's a file called auth.log, which contains information about activities that required authorization, instances when users tried to use the superuser privileges, and when there are changes to the user and groups files, and so on.
Log files are stored as text files, so we can use the usual text tools to work with them. Right now, we're using less to look at this log, and we can move up and down with the arrows and move up and down by a whole screen with F and B, for forward and backward. We can search within this file by typing slash and then a search term. Pressing Enter will find the next match of the term, and we can search again by typing slash and Enter. I can isolate lines of the file that contain a particular term by typing ampersand and a search term.
This will show me only the lines containing that term. To exit this mode, I'll type ampersand again, or we can grep these files, because they're text. Let's look for the term, dhcp, in syslog. All right, grep "dhcp" /var/log/syslog. It's often easier to search these files for something you know rather than scrolling through and hunting for it, though it can be interesting to read through these files sequentially, too, in order to get a sense of what the system's doing.
Logging on the system is handled by a program called rsyslogd or rsyslog. Software passes messages to it, and then it puts them down in the log file. Rsyslog is configured in the rsyslog.conf file inside etc. There, we can describe how we want it to work. We can write information into the syslog ourselves with the logger command. This is useful for making troubleshooting notes, and they can be called from a script to write information to the file. To write a message, I'll write, logger "hello from the command line" and then I'll tail the syslog with tail /var/log/syslog, and there's my message.
Rsyslog can also be configured to send logs to a remote machine or to accept them from another machine, which is helpful to centralize your logs. I won't configure that in this episode, but if you'd like to see how to do it, check out our courses on remote logging here at LinkedIn Learning. Every so often, rsyslog rotates the logs, or it chops them and archives the old parts. These files appear with a log file name and a number for the most recent log and with a number and the extension .gz, for gzip, for even older ones. Text generally compresses very well, so these archived logs don't take up a whole lot of space, and they can be kept around for a long time.
The retention and rollover policies for these log archives can be configured in the logrotate.conf file in the /etc/logrotate.d/ folder. To read the archived log files, we can use programs like zless and zcat. So, to peek at the first few lines of an old log, we can just run zcat on the log file and pipe it into head. We don't need to manually decompress these files to work with them. So even though they're compressed, we can use them just like regular, plain text logs. Logs can look cryptic, but they follow a particular pattern, and once you get used to reading them, you'll gain an understanding of what your system is doing.
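The following is an added example, not part of the video or its course material: it reads a log together with its rotated and gzip-compressed copies in chronological order, splits each entry into the fields described above, and counts sudo activity per user as one would when reviewing auth.log. The function names, host, users and every log line are constructed for illustration, and the traditional "Mon DD HH:MM:SS host program[pid]: message" entry layout is assumed.

```shell
#!/bin/sh
# Added example. Every log line below is constructed sample data.

# Print a log and its rotated copies (name.N, name.N.gz) oldest first.
log_history() {
    base=$1
    for f in "$base".*; do
        [ -e "$f" ] || continue
        n=${f#"$base".}; n=${n%.gz}          # rotation number
        printf '%s\t%s\n' "$n" "$f"
    done | sort -rn | cut -f2- | while IFS= read -r f; do
        case $f in
            *.gz) gzip -dc -- "$f" ;;        # same output as zcat
            *)    cat -- "$f" ;;
        esac
    done
    if [ -f "$base" ]; then cat -- "$base"; fi
}

# Count sudo events per user. Assumes the traditional entry layout:
# "Mon DD HH:MM:SS host program[pid]: message".
sudo_summary() {
    log_history "$1" | awk '
        { tag = $5; sub(/\[.*/, "", tag); sub(/:$/, "", tag) }
        tag != "sudo" || $7 != ":" { next }   # keep "sudo: USER : ..." only
        { user = $6; seen[user] = 1
          if ($0 ~ /incorrect password attempt|NOT in sudoers/) fail[user]++
          else if ($0 ~ /COMMAND=/) ok[user]++ }
        END { for (u in seen) printf "%s ok=%d failed=%d\n", u, ok[u], fail[u] }
    ' | sort
}

# Build a constructed set: auth.log, auth.log.1 and auth.log.2.gz.
make_sample() {
    d=$(mktemp -d)
    printf '%s\n' \
      'Mar  1 09:00:01 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update' \
      'Mar  1 09:05:10 web1 sshd[812]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2' \
      > "$d/auth.log.2"
    gzip "$d/auth.log.2"
    printf '%s\n' 'Mar  8 14:22:40 web1 sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash' > "$d/auth.log.1"
    printf '%s\n' 'Mar 15 08:30:12 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx' > "$d/auth.log"
    echo "$d/auth.log"
}

log=$(make_sample)
sudo_summary "$log"
rm -rf "${log%/*}"
```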
Updated: 3/2/2021
Released: 10/3/2017
Skill Level: Intermediate