Linux/Unix: Logging Tools β journalctl, logger, and /var/log/ Explained
Introduction β Why Learn Linux Logging Tools?
Logging is crucial for Linux system administration, debugging, auditing, and security. Whether you’re a DevOps engineer or a sysadmin, tools like journalctl, logger, and files in /var/log/ help you monitor system behavior, track errors, and analyze performance issues in real-time or historically.
In this guide, youβll learn:
- How Linux handles system logging
- How to query logs using
journalctl - How to create your own logs using
logger - How to navigate
/var/log/and its key files
1. /var/log/ β The Traditional Log Directory
What is /var/log/?
It is the central directory where most system logs are stored in plain text. These logs are readable by tools like less, tail, or cat.
Common Files in /var/log/:
| File Name | Description |
|---|---|
/var/log/syslog | General system log (Debian/Ubuntu) |
/var/log/messages | General system log (RHEL/CentOS/Fedora) |
/var/log/auth.log | Authentication and security events |
/var/log/kern.log | Kernel messages |
/var/log/dmesg | Boot-time kernel ring buffer |
/var/log/cron | Cron job logs |
/var/log/Xorg.0.log | X Window system log |
/var/log/httpd/ | Apache web server logs |
Example: View last 50 lines of auth log
sudo tail -n 50 /var/log/auth.log
2. journalctl β View Logs from systemd Journal
What is journalctl?
journalctl is used to query logs managed by systemd, replacing traditional log rotation in newer distros like Ubuntu 20+, Fedora, RHEL 7+, and Arch.
Syntax:
journalctl [options]
Common journalctl Examples:
View full system log:
journalctl
View logs for today:
journalctl --since today
View logs by boot:
journalctl -b
Follow logs in real-time:
journalctl -f
Show logs for a specific unit:
journalctl -u nginx.service
Limit output by time:
journalctl --since "2025-06-15 09:00" --until "2025-06-15 10:00"
Logs include system services, boot processes, user sessions, and hardware events.
3. logger β Write Custom Messages to Syslog
What is logger?
logger allows users, scripts, or applications to write custom log entries to /var/log/syslog or the system journal.
Syntax:
logger [options] "your message"
Example 1: Add simple log
logger "Backup script completed successfully."
Appears in /var/log/syslog or journalctl.
Example 2: Add log with tag
logger -t BACKUP "MySQL backup completed"
Output in journalctl or /var/log/syslog:
Jun 15 14:02:12 hostname BACKUP: MySQL backup completed
Tool Comparison
| Feature | /var/log/ | journalctl | logger |
|---|---|---|---|
| Log Source | Plain text files | systemd journal (binary) | Custom user/app logs |
| Rotation Support | (via logrotate) | Auto-managed by systemd | (sent to syslog/journal) |
| Real-time Viewing | tail -f | journalctl -f | (logs via other tools) |
| Custom Log Support | (via logger) |
Summary β Recap & Next Steps
Linux logging tools help track system activity, debug errors, and maintain security logs. From the traditional /var/log/ directory to modern journalctl systems and custom logger messages, these tools provide powerful visibility into your system.
Key Takeaways:
- Use
journalctlfor querying systemd-based logs with rich filters. - Use
loggerto send script or manual messages to syslog. - Use
/var/log/for text-based system and service logs.
FAQs
Where are logs stored on systemd-based systems?
Mostly in a binary journal managed by systemd. Use journalctl to read them.
How can I filter logs for a specific service?
Use:
journalctl -u sshd
Can I make logger write to a custom file?
Not directly. Youβll need to configure rsyslog to redirect logs based on tags.
How do I clear systemd logs?
Use:
sudo journalctl --vacuum-time=2weeks
Whatβs the default log retention for journal logs?
It varies, but usually systemd rotates logs based on disk size and time. Configurable in /etc/systemd/journald.conf.
Share Now :
