Feb 12th, ‘25 / 5 min read

Ubuntu System Logs: How to Find and Use Them

Learn how to find, analyze, and manage Ubuntu system logs to troubleshoot issues, monitor performance, and enhance system security.

System logs play a crucial role in debugging and monitoring in Ubuntu. When a service misbehaves or an unexpected crash happens, logs hold the answers. They’re also great for keeping an eye on system performance. Knowing how to access, read, and manage these logs can save you hours of troubleshooting.

This guide covers everything you need to know about Ubuntu system logs—from where they’re stored to how to analyze them efficiently.

Where Are System Logs Stored in Ubuntu?

Ubuntu logs are primarily stored in the /var/log/ directory. Here’s a breakdown of some of the most important log files:

  • /var/log/syslog – The main system log, recording most system-wide events.
  • /var/log/auth.log – Authentication logs, including login attempts and sudo usage.
  • /var/log/kern.log – Kernel-related logs, useful for debugging hardware issues.
  • /var/log/dpkg.log – Logs package installations, updates, and removals.
  • /var/log/apt/history.log & /var/log/apt/term.log – Tracks package installation history and errors from the APT package manager.
  • /var/log/journal/ – Contains systemd logs (if journald is enabled).

How to View System Logs

You can access Ubuntu logs in multiple ways depending on your use case. Here are some essential commands:

Using cat, less, or tail

View the last few lines (useful for live monitoring):

tail -f /var/log/syslog

View logs with pagination:

less /var/log/syslog

View the full log:

cat /var/log/syslog

Using journalctl (For Systemd Logs)

If your system uses systemd (which most modern Ubuntu versions do), journalctl provides a more flexible way to query logs.

Follow logs in real time:

journalctl -f

View logs since a specific time:

journalctl --since "1 hour ago"

Filter logs by service:

journalctl -u nginx.service

View all logs:

journalctl

Key Ubuntu Log Files and Their Locations

Ubuntu maintains various log files to track system activity, troubleshoot issues, and ensure security. These logs provide critical insights into system performance, user actions, and application behavior.

Below are some key log files, their locations, and what they contain.

Daemon Logs (/var/log/syslog and /var/log/daemon.log)

    • Purpose: Records system-wide messages and logs from running daemons (background services).
    • Contents: Includes startup messages, warnings, errors, and general system activity.
    • Usage: Useful for diagnosing issues with services like cron, networkd, or custom applications.

Authentication & Login Failures (/var/log/auth.log and /var/log/faillog)

    • Purpose: Tracks authentication attempts, including successful logins and failed access attempts.
    • Contents: Logs SSH login attempts, sudo usage, failed authentication attempts, and PAM (Pluggable Authentication Modules) events.
    • Usage: Critical for security monitoring and detecting unauthorized access attempts.

System Boot Logs (/var/log/boot.log and journalctl -b)

    • Purpose: Captures messages generated during system startup.
    • Contents: Details boot sequence, including kernel initialization, services startup, and potential errors.
    • Usage: Helps troubleshoot boot failures and performance issues.

X11 Server Logs (/var/log/Xorg.0.log)

    • Purpose: Logs activity related to the X server, which manages the graphical display.
    • Contents: Information about graphics drivers, monitor configurations, input devices, and rendering errors.
    • Usage: Essential for debugging display issues, screen resolution problems, and X server crashes.

Kernel Logs (/var/log/kern.log and dmesg)

    • Purpose: Captures messages from the Linux kernel, including hardware interactions and driver activity.
    • Contents: Logs related to hardware errors, device initialization, and kernel warnings.
    • Usage: Useful for diagnosing hardware failures, driver issues, and kernel-related problems.

Package Management Logs (/var/log/dpkg.log and /var/log/apt/)

    • Purpose: Records package installations, updates, and removals.
    • Contents: Lists details of installed packages, failed upgrades, and dependency resolutions.
    • Usage: Helps track software changes and troubleshoot package installation failures.

Cron Job Logs (/var/log/syslog and /var/log/cron.log)

    • Purpose: Logs scheduled task executions from cron.
    • Contents: Timestamps, commands executed, and errors related to scheduled jobs.
    • Usage: Essential for verifying whether automated tasks ran as expected.

How to Manage Logs: Rotation and Cleanup

Over time, logs can grow large and consume disk space. Ubuntu uses logrotate to manage log files efficiently by automatically rotating, compressing, and archiving older logs while ensuring new entries remain accessible.

Check Log Rotation Settings

Log rotation is handled by configuration files in /etc/logrotate.conf and /etc/logrotate.d/.

Check the rotation status:

cat /var/lib/logrotate/status

Manually trigger log rotation:

sudo logrotate -f /etc/logrotate.conf

Clearing Old Logs

If disk space is an issue, you can remove old logs once anything needed for audits or investigations has been archived or forwarded:

Clear systemd journal logs older than 7 days:

sudo journalctl --vacuum-time=7d

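Delete every file under /var/log that has not been modified for more than 7 days. The match is by age only, so an idle active log or a state file such as lastlog is removed too; replace -exec rm {} \; with -print first to preview the list:

sudo find /var/log -type f -mtime +7 -exec rm {} \;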
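A narrower cleanup, as an added example that is not from the original article: it matches only rotated copies (syslog.1, syslog.2.gz, *.old) and leaves active logs and login-accounting files alone, with a dry run before deletion. The function names and the sample tree are constructed for illustration, and GNU find and touch (as shipped on Ubuntu) are assumed.

```shell
#!/bin/sh
# Added example (not from the original article). Assumes GNU find/touch, as on Ubuntu.

# rotated_older_than DIR DAYS [find-action...]
# Matches only rotated copies (syslog.1, auth.log.2.gz, *.old ...) older than DAYS.
# Active logs and login-accounting files (wtmp, btmp, lastlog) never match.
rotated_older_than() {
  dir=$1; days=$2; shift 2
  [ $# -gt 0 ] || set -- -print
  find "$dir" -xdev -type f -mtime +"$days" \
    \( -name '*.[0-9]' -o -name '*.gz' -o -name '*.xz' -o -name '*.bz2' -o -name '*.old' \) \
    ! -name 'wtmp*' ! -name 'btmp*' ! -name 'lastlog*' "$@"
}

preview_prune() { rotated_older_than "$1" "$2" -print | sort; }        # dry run
prune_rotated() { rotated_older_than "$1" "$2" -exec rm -f -- {} +; }  # delete

# Constructed sample tree standing in for /var/log.
make_sample_tree() {
  d=$(mktemp -d)
  touch "$d/syslog"                                   # active, written today
  touch -d '10 days ago' "$d/syslog.1" "$d/auth.log"  # auth.log: idle but active
  touch -d '20 days ago' "$d/syslog.2.gz"
  touch -d '2 days ago'  "$d/auth.log.1"              # rotated, but too recent
  touch -d '30 days ago' "$d/lastlog" "$d/wtmp.1"     # login accounting
  printf '%s\n' "$d"
}

tree=$(make_sample_tree)
preview_prune "$tree" 7    # lists syslog.1 and syslog.2.gz only
prune_rotated "$tree" 7
ls "$tree"                 # auth.log, auth.log.1, lastlog, syslog, wtmp.1 remain
rm -rf "$tree"
```
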

Log Rotation Policies

A basic logrotate configuration looks like this:

/var/log/syslog {
    weekly
    rotate 4
    compress
    missingok
    notifempty
}

  • weekly – Rotates logs once a week.
  • rotate 4 – Keeps four weeks of logs before deletion.
  • compress – Compresses old log files.
  • missingok – Prevents errors if the log file is missing.
  • notifempty – Skips rotation if the log is empty.

Best Practices:

  • Adjust rotation policies based on disk space and log verbosity.
  • Monitor rotation schedules to avoid excessive log retention or premature deletion.
  • Use remote logging solutions to store logs offsite for long-term analysis.

How to Configure Syslog Daemon

The syslog daemon is responsible for managing log messages from different parts of the system.

Checking the Syslog Daemon Status

Ubuntu typically uses rsyslog as its syslog daemon. You can check its status with:

sudo systemctl status rsyslog

If it’s not running, start or enable it with:

sudo systemctl start rsyslog
sudo systemctl enable rsyslog

Configuring rsyslog

The main configuration file for rsyslog is located at /etc/rsyslog.conf. You can edit this file to customize log handling.

To filter logs by priority or source, modify /etc/rsyslog.conf or add custom rules in /etc/rsyslog.d/.

For example, to store messages from the SSH daemon (sshd) in a separate file:

if $programname == 'sshd' then /var/log/ssh.log
& stop

After making changes, restart rsyslog:

sudo systemctl restart rsyslog

Forwarding Logs to a Remote Server

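If you want to centralize logs, configure rsyslog to forward them to a remote syslog server. Add this line to /etc/rsyslog.conf (a single @ forwards over UDP; use @@ to forward over TCP, and note that neither form encrypts the messages in transit):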

*.* @remote-syslog-server:514

Restart rsyslog for the changes to take effect:

sudo systemctl restart rsyslog

What Is Log File Rotation, Exactly?

Log file rotation is a crucial process for managing disk space, maintaining log file organization, and ensuring system performance.

As logs build up, they can rapidly use a lot of storage, necessitating the rotation, compression, and archiving of older logs while ensuring that newer entries remain accessible.

How Log Rotation Works

Log rotation typically follows a structured approach:

  • Renaming or Archiving Old Logs – When a log file reaches a predefined size or age, it is renamed (e.g., syslog.1, syslog.2.gz) or moved to an archive directory.
  • Compression – Older logs can be compressed to save space, usually using gzip (.gz), bzip2 (.bz2), or xz (.xz).
  • Creating a New Log File – Once the active log is rotated, a fresh log file is created for new entries.
  • Retention and Cleanup – Systems typically define retention policies to delete or offload logs after a certain period.

Why These Logs Matter

Monitoring Ubuntu system logs helps maintain security, stability, and performance. Here’s how:

  • Detect security threats – Regularly review authentication logs (auth.log) to identify unauthorized access attempts.
  • Troubleshoot performance issues – Use syslog, kern.log, and dmesg to investigate system slowdowns or hardware failures.
  • Track package changes – dpkg.log and apt logs help identify problems with software installations or updates.
  • Monitor automated tasks – Checking cron.log ensures scheduled jobs execute correctly.
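
The auth.log review mentioned here and in the Authentication & Login Failures section, as an added example that is not from the original article: it counts failed SSH passwords per source address and flags sources whose successful login followed failures. The log lines are constructed (documentation-range addresses), the function names are hypothetical, and the matching keys on sshd's message text, so it does not depend on the timestamp format.

```shell
#!/bin/sh
# Added example; the log lines are constructed (documentation-range addresses).
write_sample_log() {
  cat > "$1" <<'EOF'
Feb 12 10:01:02 web01 sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 50112 ssh2
Feb 12 10:01:05 web01 sshd[1234]: Failed password for root from 203.0.113.5 port 50113 ssh2
Feb 12 10:01:09 web01 sshd[1240]: Failed password for invalid user a from 192.0.2.99 port 1 ssh2 from 203.0.113.5 port 50114 ssh2
Feb 12 10:02:00 web01 sshd[1300]: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2
Feb 12 10:02:30 web01 sshd[1310]: Failed password for bob from 198.51.100.7 port 40021 ssh2
Feb 12 10:02:41 web01 sshd[1310]: Accepted password for bob from 198.51.100.7 port 40022 ssh2
Feb 12 10:03:00 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
EOF
}

# Print "count address" for sources with at least MIN failed passwords.
# The user name is chosen by the client and may contain spaces or the word
# "from", so the address is read from the fixed tail: from ADDR port N ssh2.
failed_ssh_by_source() {   # failed_ssh_by_source FILE [MIN]
  awk -v min="${2:-1}" '
    /sshd\[[0-9]+\]: Failed password for / &&
      $(NF-4) == "from" && $(NF-2) == "port" { n[$(NF-3)]++ }
    END { for (ip in n) if (n[ip] >= min) print n[ip], ip }
  ' "$1" | sort -k1,1nr -k2,2
}

# Print sources whose accepted login was preceded by failed passwords.
success_after_failures() {   # success_after_failures FILE
  awk '
    /sshd\[[0-9]+\]: Failed password for / && $(NF-4) == "from" { f[$(NF-3)]++ }
    /sshd\[[0-9]+\]: Accepted / {
      ip = ""
      for (i = 1; i < NF; i++) if ($i == "from") { ip = $(i+1); break }
      if (ip in f) print ip, "failures_before_login=" f[ip]
    }
  ' "$1"
}

log=$(mktemp); write_sample_log "$log"
failed_ssh_by_source "$log" 3      # sources at or above the threshold
success_after_failures "$log"      # logins worth a closer look
rm -f "$log"
```

On a live system, pass /var/log/auth.log (read with sudo) instead of the sample file.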

Final Thoughts

Understanding Ubuntu system logs is crucial for troubleshooting, security monitoring, and system optimization. If you're working with large-scale observability, using modern log management tools like Last9 can make all the difference. Talk to us if you'd like to know more about us!

Authors
Anjali Udasi