Log Files

All Linux systems create and store log files with information about boot processes, applications, and other events. These files can be a helpful resource for troubleshooting system issues.

Last update: 2022-06-04



General log files

Log files are a set of records that Linux maintains for the administrators to keep track of important events. They contain messages about the server, including the kernel, services and applications running on it.

Most Linux log files are plain ASCII text files stored in the /var/log directory and its subdirectories. Logs are generated by the Linux system logging daemon, syslogd or rsyslogd.

The log files generated in a Linux environment can typically be classified into four different categories:

  • Application Logs
  • Event Logs
  • Service Logs
  • System Logs


Common Linux log file names and usage:

  • /var/log/boot.log: System boot log
  • /var/log/kern.log: Kernel logs
  • /var/log/messages: General messages and other system-related information
  • /var/log/secure or /var/log/auth.log: Authentication log


Log files are accessed using root privileges. By definition, root is the default account that has access to all Linux files.

Use the following example command line to access the respective file:

sudo less [log name here].log

Note that log files are stored in plain text, so they can be viewed by using the following standard commands:

  • zcat – Displays all the contents of .gz files
  • zmore – See the file in pages, without decompressing the files
  • zgrep – Search inside a compressed file
  • grep – Find all occurrences of a search term in a file or filter a log file
  • tail – Output the last few lines of files

Linux kernel log

The dmesg command lets you peer into the hidden world of the Linux startup processes to review and monitor hardware device and driver messages from the kernel’s own ring buffer.

sudo dmesg

To see human-readable timestamps:

sudo dmesg -T

Watching live events:

sudo dmesg --follow

Log Level

Every message logged to the kernel ring buffer has a level attached to it. The level represents the importance of the information in the message. The levels are:

  • emerg: System is unusable.
  • alert: Action must be taken immediately.
  • crit: Critical conditions.
  • err: Error conditions.
  • warn: Warning conditions.
  • notice: Normal but significant condition.
  • info: Informational.
  • debug: Debug-level messages.

We can make dmesg extract messages that match a particular level by using the -l (level) option and passing the name of the level as a command-line parameter.

sudo dmesg -l info,notice

Log Categories

The dmesg messages are grouped into categories called facilities. The list of facilities is:

  • kern: Kernel messages.
  • user: User-level messages.
  • mail: Mail system.
  • daemon: System daemons.
  • auth: Security/authorization messages.
  • syslog: Internal syslogd messages.
  • lpr: Line printer subsystem.
  • news: Network news subsystem.

We can ask dmesg to filter its output to only show messages in a specific facility. To do so, we must use the -f (facility) option:

sudo dmesg -f syslog,daemon

The -x (decode) option makes dmesg show the facility and level as human-readable prefixes to each line.

sudo dmesg -x

Exercise

  1. Write an application that simply generates an exception (such as a division by 0).

  2. Check the logs generated in dmesg and apport to understand the generated events.

  3. Configure the system to generate a core dump file when an exception happens.
