Linux/Unix: Logging Tools - journalctl, logger, and /var/log/ Explained
Introduction - Why Learn Linux Logging Tools?
Logging is crucial for Linux system administration, debugging, auditing, and security. Whether you’re a DevOps engineer or a sysadmin, tools like journalctl, logger, and files in /var/log/ help you monitor system behavior, track errors, and analyze performance issues in real-time or historically.
In this guide, you'll learn:
- How Linux handles system logging
- How to query logs using journalctl
- How to create your own logs using logger
- How to navigate /var/log/ and its key files
1. /var/log/ - The Traditional Log Directory
What is /var/log/?
It is the central directory where most system logs are stored in plain text. These logs are readable by tools like less, tail, or cat.
Common Files in /var/log/:
| File Name | Description | 
|---|---|
| /var/log/syslog | General system log (Debian/Ubuntu) | 
| /var/log/messages | General system log (RHEL/CentOS/Fedora) | 
| /var/log/auth.log | Authentication and security events | 
| /var/log/kern.log | Kernel messages | 
| /var/log/dmesg | Boot-time kernel ring buffer | 
| /var/log/cron | Cron job logs | 
| /var/log/Xorg.0.log | X Window system log | 
| /var/log/httpd/ | Apache web server logs | 
Example: View last 50 lines of auth log
sudo tail -n 50 /var/log/auth.log
2. journalctl - View Logs from systemd Journal
What is journalctl?
journalctl is used to query logs managed by systemd, replacing traditional log rotation in newer distros like Ubuntu 20+, Fedora, RHEL 7+, and Arch.
Syntax:
journalctl [options]
Common journalctl Examples:
View full system log:
journalctl
View logs for today:
journalctl --since today
View logs from the current boot:
journalctl -b
Follow logs in real-time:
journalctl -f
Show logs for a specific unit:
journalctl -u nginx.service
Limit output by time:
journalctl --since "2025-06-15 09:00" --until "2025-06-15 10:00"
Logs include system services, boot processes, user sessions, and hardware events.
3. logger - Write Custom Messages to Syslog
What is logger?
logger allows users, scripts, or applications to write custom log entries to /var/log/syslog or the system journal.
Syntax:
logger [options] "your message"
Example 1: Add simple log
logger "Backup script completed successfully."
The message appears in /var/log/syslog or in journalctl output.
Example 2: Add log with tag
logger -t BACKUP "MySQL backup completed"
Output in journalctl or /var/log/syslog:
Jun 15 14:02:12 hostname BACKUP: MySQL backup completed
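The tagged line above follows the traditional "timestamp host tag: message" layout. As an added example (not part of the original guide), the shell functions below pull the entries for one tag out of a syslog-style file or stream, matching the tag field exactly; the function names, the host web01 and the sample lines are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original guide. Sample lines are constructed.
# Assumes the traditional "Mon DD HH:MM:SS host tag: message" layout shown above.

# sample_syslog: four constructed lines in /var/log/syslog layout.
sample_syslog() {
    cat <<'EOF'
Jun 15 14:02:12 web01 BACKUP: MySQL backup completed
Jun 15 14:02:40 web01 sshd[812]: Accepted publickey for deploy from 192.0.2.10 port 50022 ssh2
Jun 15 14:03:01 web01 deploy: waiting for BACKUP: lock held
Jun 16 02:00:07 web01 BACKUP[4410]: rsync exited with status 23: partial transfer
EOF
}

# messages_for_tag TAG [FILE...]
# Print "Mon DD HH:MM:SS message" for lines whose tag field is exactly TAG.
# Reads stdin when no FILE is given, e.g.:
#   sudo cat /var/log/syslog | messages_for_tag BACKUP
messages_for_tag() {
    tag=$1
    shift
    awk -v want="$tag" '
        NF >= 5 {
            field = $5                     # "BACKUP:" or "BACKUP[4410]:"
            if (field !~ /:$/) next        # not a "tag:" field, skip line
            sub(/:$/, "", field)           # drop trailing colon
            sub(/\[[0-9]+\]$/, "", field)  # drop optional [pid]
            if (field != want) next        # tag in message text does not count
            msg = $0
            for (i = 1; i <= 5; i++)       # strip month, day, time, host, tag
                sub(/^ *[^ ]+ */, "", msg)
            print $1, $2, $3, msg
        }' "$@"
}

# count_for_tag TAG [FILE...]: number of lines logged under TAG.
count_for_tag() {
    messages_for_tag "$@" | wc -l | tr -d ' '
}

# Demo on the constructed sample: prints the two BACKUP entries.
sample_syslog | messages_for_tag BACKUP
```

The tag is chosen by whoever calls logger, so use it to group entries rather than as evidence of which program wrote a line.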
Tool Comparison
| Feature | /var/log/ | journalctl | logger | 
|---|---|---|---|
| Log Source | Plain text files | systemd journal (binary) | Custom user/app logs | 
| Rotation Support | Yes (via logrotate) | Auto-managed by systemd | No (sent to syslog/journal) | 
| Real-time Viewing | tail -f | journalctl -f | No (logs via other tools) | 
| Custom Log Support | No | No | Yes (via logger) | 
Summary - Recap & Next Steps
Linux logging tools help track system activity, debug errors, and maintain security logs. From the traditional /var/log/ directory to modern journalctl systems and custom logger messages, these tools provide powerful visibility into your system.
Key Takeaways:
- Use journalctl for querying systemd-based logs with rich filters.
- Use logger to send script or manual messages to syslog.
- Use /var/log/for text-based system and service logs.
FAQs
Where are logs stored on systemd-based systems?
Mostly in a binary journal managed by systemd. Use journalctl to read them.
How can I filter logs for a specific service?
Use:
journalctl -u sshd
Can I make logger write to a custom file?
Not directly. You'll need to configure rsyslog to redirect logs based on tags.
How do I clear systemd logs?
Use the following, which removes archived journal entries older than two weeks:
sudo journalctl --vacuum-time=2weeks
What's the default log retention for journal logs?
It varies, but systemd usually rotates logs based on disk size and time. Retention is configurable in /etc/systemd/journald.conf.
