Ubuntu log management

Log Locations

Below is a list of common log file locations in Ubuntu.

System logs
System logs deal with exactly that – the Ubuntu system – as opposed to extra applications added by the user. These logs may contain information about authorizations, system daemons and system messages.

Authorization log
Location: /var/log/auth.log
Keeps track of authorization systems, such as password prompts, the sudo command and remote logins.

Daemon Log
Location: /var/log/daemon.log
Daemons are programs that run in the background, usually without user interaction. Examples include the display server, SSH sessions, printing services, Bluetooth, and more.

Debug log
Location: /var/log/debug
Provides debugging information from the system and applications.

Kernel log
Location: /var/log/kern.log
Logs from the Linux kernel.

System log
Location: /var/log/syslog
The general system log, which collects messages from the system and its services.

Application logs
Some applications also create logs in /var/log.

Apache logs
Location: /var/log/apache2/
Apache creates several log files in the /var/log/apache2/ subdirectory. access.log records every request made to the server; error.log records the errors raised by the server.

X11 server logs
Location: /var/log/Xorg.0.log
The X11 server generates a unique log file for each of your displays. Display numbers are assigned starting from zero, which means that the first display (display 0) will be logged to Xorg.0.log. Similarly, the second display (display 1) will be logged to Xorg.1.log, and so on.

Watching Log Files
The tail command prints the last N lines of its input and can also follow a log file live, printing new lines as they are written.

tail -n 15 /var/log/syslog                                Show the last 15 lines of the log file
tail -f /var/log/syslog                                   Follow the log file live as new lines are appended
tail -f /var/log/apache2/access.log | grep 174.115.50.36  Show only the entries coming from a certain IP
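Added example (not from the original page): a bare grep treats the IP as a regular expression, so its dots match any character and the match is not anchored to the client field, which means 174.115.50.36 would also hit 174.115.50.361 or 1174.115.50.36. The function below matches the first field of each access.log line exactly and also counts requests per client; the log lines and addresses are constructed samples and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original page. Filters Apache access.log
# entries by exact client IP instead of a bare `grep <ip>`, whose dots match
# any character and which also matches longer addresses containing the string.

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG='10.0.0.1 - - [30/Aug/2018:14:10:10 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.58"
10.0.0.10 - - [30/Aug/2018:14:10:11 +0000] "GET /admin HTTP/1.1" 404 198 "-" "curl/7.58"
110.0.0.1 - - [30/Aug/2018:14:10:12 +0000] "GET /index.html HTTP/1.1" 200 3042 "-" "Mozilla/5.0"
10.0.0.1 - - [30/Aug/2018:14:10:13 +0000] "POST /login HTTP/1.1" 401 77 "-" "curl/7.58"'

# Print only the entries whose first field (the client IP) equals $1 exactly.
# Reads from stdin, so it works after `cat access.log` or `tail -f access.log`.
requests_from_ip() {
    awk -v ip="$1" '$1 == ip'
}

# Count requests per client IP, most active client first.
requests_per_ip() {
    awk '{ count[$1]++ } END { for (ip in count) print count[ip], ip }' | sort -rn
}

# Usage: the plain grep counts 4 lines for 10.0.0.1, the exact match only 2.
printf 'plain grep:  %s lines\n' "$(printf '%s\n' "$SAMPLE_LOG" | grep -c 10.0.0.1)"
printf 'exact match: %s lines\n' "$(printf '%s\n' "$SAMPLE_LOG" | requests_from_ip 10.0.0.1 | awk 'END { print NR }')"
printf '%s\n' "$SAMPLE_LOG" | requests_from_ip 10.0.0.1
printf '%s\n' "$SAMPLE_LOG" | requests_per_ip
```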

Journalctl Utility examples
journalctl -r                                                            Newest entries first
journalctl -f                                                            Follow new log messages as they arrive
journalctl --since "2018-08-30 14:10:10" --until "2018-09-02 12:05:50"  Entries between two timestamps
journalctl --since "1 hour ago"                                          Entries from the last hour
journalctl -b                                                            Entries from the current (most recent) boot of your server
journalctl -u nginx.service                                              Entries from the nginx unit
journalctl -u nginx.service -f                                           Follow the nginx unit's log (tail)
journalctl -b -1 -p emerg..crit                                          Entries from the previous boot, filtered by priority (emerg through crit)
journalctl -o json-pretty                                                Output in multi-line JSON

Output formats for -o:
short        The default option; displays logs in the traditional syslog format.
verbose      Displays all fields of the log record structure.
json         Displays logs in JSON format, with one log entry per line.
json-pretty  Displays logs in JSON format across multiple lines for better readability.
cat          Displays only the message from each log entry, without any other metadata.

The systemd journal is a logging system that gathers and archives log data from a wide range of sources, including system services, kernel events, and user applications. By using the journalctl command, users can easily access and retrieve log information in a user-friendly format, which can help them monitor system activity and troubleshoot problems effectively.

Navigating journalctl output (the less pager)
down arrow key, Enter, e, or j  Move down one line.
up arrow key, y, or k           Move up one line.
space bar                       Move down one page.
b                               Move up one page.
g                               Go to the first line.
G                               Go to the last line.
10g                             Go to the 10th line. Enter a different number to go to other lines.
50p or 50%                      Go to the line half-way through the output. Enter a different number to go to other percentage positions.
n                               When searching, go to the next occurrence.
N                               When searching, go to the previous occurrence.