I recently completed my Linux Foundation Certified System Administration certification. Although I have used and managed Linux servers for several years as part of my job and homelab, it wasn’t my primary responsibility. The certification was a nice way for me to round off and solidify my Linux knowledge.

I thought it might be helpful to do some posts where I go back to basics with various Linux topics. Where better to start than what everyone needs to do at some point or another… LOGS

This will not be an exhaustive guide for navigating and troubleshooting logs. It will be a starting point for those who are stumbling across this post and maybe have a tip or two for those with more experience.

Tail

Ahhhhh Tail! It is one of the first tools most people learn when navigating text and log files. Being one of the first also means it is very straightforward.

If we look at the man page, the syntax for tail has this format:

tail [OPTION]... [FILE]...

In practice it may look like this:

Without any flags, tail shows the last ten (most recent) lines of a file. The most common flag is probably -n, which changes how many of the most recent lines are shown. In this instance, I am having tail show the most recent 20 lines from this log.

The second flag worth knowing is -f, where the f stands for follow. With this flag tail “follows” the file: as new lines are added to the file or log, tail displays them on the screen. This is really great for troubleshooting, as you can see updates to the log in real time.
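To make the two flags concrete without a screenshot, here is an added example (my own script, not part of the original post). It writes a constructed 25-line log to a temporary file, then shows what plain tail, tail -n 20 and tail -f return. The log content and the app name are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Builds a constructed log file
# and shows what tail, tail -n and tail -f each return.
LOG=$(mktemp)
LIVE="$LOG.live"
trap 'rm -f "$LOG" "$LIVE" "$LIVE.follow"' EXIT

# Constructed sample entries (not real system output): 25 lines, so the
# default ten-line tail drops the first 15.
i=1
while [ "$i" -le 25 ]; do
  printf 'Jan 10 08:%02d:00 host app[100]: request %d handled\n' "$i" "$i" >> "$LOG"
  i=$((i + 1))
done

# No flags: the last ten lines.
last_default() { tail "$LOG" | wc -l | tr -d ' '; }

# -n N: the last N lines.
last_n() { tail -n "$1" "$LOG" | wc -l | tr -d ' '; }

# First line printed by "tail -n N"; for N=20 that is entry 6 of 25.
first_of_last_n() { tail -n "$1" "$LOG" | head -n 1; }

# -f: follow. Work on a separate, initially empty file so the 25-line log
# above is untouched. Start tail in the background with -n 0 (print nothing
# that already exists), append two entries, give tail time to notice them
# (GNU tail polls about once a second when inotify is unavailable), then
# stop it and report how many new lines it captured.
follow_demo() {
  : > "$LIVE"
  tail -n 0 -f "$LIVE" > "$LIVE.follow" &
  pid=$!
  sleep 1
  printf 'Jan 10 09:00:00 host app[100]: request 26 handled\n' >> "$LIVE"
  printf 'Jan 10 09:00:01 host app[100]: request 27 handled\n' >> "$LIVE"
  sleep 2
  kill "$pid" 2>/dev/null || true
  wait "$pid" 2>/dev/null || true
  wc -l < "$LIVE.follow" | tr -d ' '
}

echo "default:     $(last_default) lines"
echo "-n 20:       $(last_n 20) lines, starting with: $(first_of_last_n 20)"
echo "-f captured: $(follow_demo) new lines"
```

Interactively you would just run tail -f on the real log and press Ctrl-C when done; the background-and-kill dance here only exists so the script can finish on its own and prove that -f prints exactly the lines appended after it started.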

Grep

Grep allows us to search through log files for specific text. It is a tool with a LOT of depth to it as well, especially if you can pull out some decent regex skills.

I won’t be going too deep into it, but there are some basic examples worth sharing.

The syntax for grep is:

grep [OPTION...] PATTERNS [FILE...]

By default, grep is case sensitive, but if I use the -i flag, it will return entries regardless of case:

We see that both “error” and “Error” were returned.

If I want to search through all the syslog files, my command will look like this:

grep "error" /var/log/syslog*

This returns a lot of entries, but I can now see which file each entry corresponds to on the left.

And if I scroll down further, I see the other log file it searched:

If you use the -c flag, it will tell you how many matching lines were found in each of the files.

This is very helpful if you are trying to determine which log file may have the info you need.
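Here is an added example (my own script, not the post's output) that reproduces the grep forms above on two constructed syslog-style files in a temporary directory: a case-sensitive search, -i, the syslog* glob with per-file prefixes, and -c per file. It goes one step beyond the post with -l, which lists only the files that contain a match. All log lines, hostnames and addresses are made up.

```shell
#!/bin/sh
# Added example (not from the original post). Creates two constructed
# syslog-style files in a temporary directory and runs the grep forms
# discussed above: case-sensitive, -i, a syslog* glob, -c and -l per file.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample lines (not real system output).
cat > "$WORK/syslog" <<'EOF'
Jan 10 08:00:01 host sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
Jan 10 08:00:07 host sshd[1209]: error: maximum authentication attempts exceeded for invalid user admin from 10.0.0.9 port 40022 ssh2
Jan 10 08:00:09 host systemd[1]: Started Daily apt download activities.
Jan 10 08:00:15 host kernel: EXT4-fs (sda1): mounted filesystem with ordered data mode
EOF
cat > "$WORK/syslog.1" <<'EOF'
Jan 09 23:58:40 host sshd[977]: Error: PAM: Authentication failure for illegal user test from 10.0.0.9
Jan 09 23:59:02 host cron[1003]: (root) CMD (run-parts /etc/cron.hourly)
Jan 09 23:59:30 host sshd[988]: error: kex_exchange_identification: Connection closed by remote host
EOF

# Case-sensitive: only the lowercase "error:" line in syslog.1 counts.
count_case_sensitive() { grep -c "error" "$WORK/syslog.1"; }

# -i: "error" and "Error" both match, so syslog.1 now yields two lines.
count_case_insensitive() { grep -ci "error" "$WORK/syslog.1"; }

# The glob form from the post. With more than one file, grep prefixes each
# hit with its file name; -c turns that into a per-file tally.
per_file_counts() { (cd "$WORK" && grep -ci "error" syslog*) | paste -s -d ' ' -; }

# -l lists only the files that contain a match, handy when you just want to
# know which rotated log to open.
matching_files() { (cd "$WORK" && grep -il "error" syslog*) | paste -s -d ' ' -; }

echo "case-sensitive count in syslog.1:   $(count_case_sensitive)"
echo "case-insensitive count in syslog.1: $(count_case_insensitive)"
echo "per-file counts (-ci):              $(per_file_counts)"
echo "files with a match (-il):           $(matching_files)"
```

Note that -c counts matching lines, not occurrences of the word: a line that says "error" twice still counts once.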

Journalctl

Journalctl is a tool which allows us to query the logs collected by the systemd journal (systemd-journald). In other words, it has all kinds of logs.

The most basic way is just to enter “journalctl”, but that returns more than is easy to parse and read. If we use -r it returns the newest entries first, in a pager, so we can consume the logs without our screen exploding.

And at the bottom, we see this:

This lets us know we can read more lines if we hit the spacebar.

Another option is --since, which lets us define how far back we want logs.

Here I only did “2 minutes ago”, but hours, days, etc. will work as well.

We can also do something similar to grep with the journalctl command by using -g. I will also use -n to limit the number of lines (like we did above).

Finally, use -u if you are looking for logs from a particular service.
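The flags above are most useful together, so here is an added example (my own script, not from the post) that combines -u, --since, -g, -r and -n into one reusable "recent errors from this service" query. The unit name sshd.service and the two-hour window are assumptions for illustration; --no-pager is a real journalctl option that keeps the output script-friendly. Because a machine without systemd has no journal to read, the script prints the command it would run when journalctl is absent.

```shell
#!/bin/sh
# Added example (not from the original post). Combines the journalctl options
# covered above (-u, --since, -g, -r, -n) into one reusable query for a
# service's recent error messages. Unit name and window are assumptions.

# Print the journalctl command for unit $1, window $2 (a --since value such
# as "2 hours ago"), message pattern $3 and at most $4 lines (default 50).
journal_query() {
  printf 'journalctl -u %s --since "%s" -g "%s" -r -n %s --no-pager\n' \
    "$1" "$2" "$3" "${4:-50}"
}

# Run the query when journalctl exists, otherwise show what would have run.
# -g matches the MESSAGE= field against a regular expression; an all-lowercase
# pattern is matched case-insensitively, so "error" also finds "Error".
run_journal_query() {
  if command -v journalctl >/dev/null 2>&1; then
    journalctl -u "$1" --since "$2" -g "$3" -r -n "${4:-50}" --no-pager
  else
    echo "journalctl not found on this host; the query would be:"
    journal_query "$@"
  fi
}

run_journal_query sshd.service "2 hours ago" "error" 20
```

Swap the unit name for whatever systemctl list-units shows for the service you are troubleshooting; the -r and -n pairing means the 20 lines you get are the newest matches, which is usually what you want first.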

This only scratches the surface, but hopefully it will help the next time you need to go diving into logs for troubleshooting.

Categories: Linux