Common Linux Error Logs
Overview
Linux error logs are detailed records of system events, application activity, and potential problems. Think of log files as your server’s diary or an airplane’s flight recorder. When something goes wrong on your server, whether it’s a website crash, a failed login attempt, or a service that won’t start, a new line is added to a specific text file with a timestamp. By reading this diary, you can trace events back in time to understand what caused a problem, and often how to fix it.
These plain text files can seem cryptic at first, but knowing where to look is the most important step in troubleshooting. This guide serves as a quick reference to help you locate and understand the most common log files for system services, web servers, and databases on your Linux server.
Parameters / Features
- Log Location: Logs are simply text files that can be found in a specific location. Nearly all system-wide logs are stored in the /var/log/ directory. While some applications might create logs elsewhere, this folder is always your starting point when you begin troubleshooting.
- Service-Specific Logs: Services like Apache, Nginx, and MySQL maintain their own logs.
- Format: While all logs are generally in plain text, individual logs may use their own syntax and text structure.
- Access Control: Logs are access-restricted and should only be readable by specific users, such as root.
- Log Rotation: Compress (.gz) and clear older logs, also known as “log rotation”, with the logrotate daemon.
- Powerful Insight: Reading your logs is imperative when looking to troubleshoot and resolve issues.
- Live Monitoring: Monitor your logs in real-time with commands like tail -f or journalctl -f.
Essential Commands for Reading Logs
You don’t need to be a command-line expert to read logs. These four simple commands will handle almost every situation:
- less: The best and safest way to browse a large log file. It lets you scroll up and down without loading the entire file into memory. (Example: sudo less /var/log/syslog)
- tail: Shows you the last 10 lines of a file, which is perfect for seeing the most recent events. Use tail -f to watch a log file in real-time as new entries are added. (Example: sudo tail -f /var/log/nginx/error.log)
- grep: Your most powerful troubleshooting tool. It searches for specific keywords within a file, allowing you to instantly find lines containing “error,” “failed,” or a specific IP address. (Example: sudo grep "Failed password" /var/log/auth.log)
- zcat / zless: As logs get old, a process called “log rotation” compresses them into .gz archives to save space. You can’t read these with cat or less. Instead, use zcat or zless to view their contents without decompressing them first. (Example: sudo zless /var/log/syslog.2.gz)
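The grep and zcat steps above can be combined. The following is an added example, not part of the original article: a shell function that counts failed SSH password attempts per source IP across an auth log and its rotated copies, including .gz archives. The function names, host name, and log lines are constructed for illustration; on RHEL/CentOS pass /var/log/secure instead of /var/log/auth.log.

```shell
#!/bin/sh
# Added example: count failed SSH password attempts per source IP across
# the current auth log and all of its rotated copies (plain and .gz).
# Usage on a real server: sudo sh script.sh, then
#   failed_logins_by_ip /var/log/auth.log
failed_logins_by_ip() (
    base="$1"
    for f in "$base" "$base".*; do
        [ -f "$f" ] || continue          # skip an unmatched glob
        case "$f" in
            *.gz) gzip -dc -- "$f" ;;    # rotated and compressed
            *)    cat -- "$f" ;;         # current or rotated, uncompressed
        esac
    done |
    # The user name in a "Failed password" line is chosen by the remote
    # client, so it can contain words like "from". Read the address
    # relative to the END of the line ("from IP port N ssh2") instead of
    # trusting the first "from" that appears.
    awk '/sshd[^ ]*\[[0-9]+\]: Failed password for / {
             if ($(NF-4) == "from" && $(NF-2) == "port") n[$(NF-3)]++
         }
         END { for (ip in n) print n[ip], ip }' |
    sort -k1,1nr -k2,2                   # highest count first
)

# Constructed sample data: one current log and one compressed rotation.
demo() (
    d=$(mktemp -d)
    cat > "$d/auth.log" <<'EOF'
Jan 12 03:12:01 web1 sshd[2211]: Failed password for root from 203.0.113.5 port 40022 ssh2
Jan 12 03:12:04 web1 sshd[2211]: Failed password for invalid user from from 203.0.113.5 port 40022 ssh2
Jan 12 03:15:40 web1 sshd[2290]: Accepted password for deploy from 198.51.100.7 port 51514 ssh2
EOF
    printf '%s\n' \
        'Jan  5 11:00:09 web1 sshd[901]: Failed password for admin from 192.0.2.44 port 3999 ssh2' \
        'Jan  5 11:02:30 web1 sshd[915]: Failed password for root from 203.0.113.5 port 41000 ssh2' |
        gzip -c > "$d/auth.log.2.gz"
    failed_logins_by_ip "$d/auth.log"
    rm -rf "$d"
)

demo
```

Each output line is a count followed by the source address. The accepted login in the sample is ignored, and the attempt with the user name "from" is still attributed to the correct address.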
Common Use Cases / Examples
| Purpose | Log File | Common Use Cases | Example Review Command |
|---|---|---|---|
| General system messages. (Ubuntu/Debian) | /var/log/syslog | Reviewing system-wide messages. (Regularly rotated.) | sudo tail -f /var/log/syslog |
| General system messages. (RHEL/CentOS) | /var/log/messages | Checking kernel and system messages. (Regularly rotated.) | sudo tail -f /var/log/messages |
| Login attempts, sudo, SSH activity. | /var/log/auth.log | Useful for security audits. (Requires root access.) | sudo grep "Failed" /var/log/auth.log |
| Security and authentication logs. (RHEL/CentOS) | /var/log/secure | Useful for security audits of sudo, SSH, and PAM usage. (Requires root access.) | sudo grep "sshd" /var/log/secure |
| Kernel messages and hardware issues. | /var/log/kern.log | Reviewing kernel events and hardware errors. (Requires root access.) | sudo dmesg |
| Boot-time kernel messages. | /var/log/dmesg | Checking startup messages for hardware or boot issues. (Requires root access.) | dmesg |
| Apache web server errors (RHEL/CentOS) | /var/log/httpd/error_log | Logging Apache errors for troubleshooting. (Regularly rotated.) | sudo tail -f /var/log/httpd/error_log |
| Apache web server errors (Debian/Ubuntu) | /var/log/apache2/error.log | Logging Apache errors for troubleshooting. (Regularly rotated.) | sudo tail -f /var/log/apache2/error.log |
| Nginx web server errors | /var/log/nginx/error.log | Logging Nginx errors for debugging site issues. (Regularly rotated.) | sudo tail -f /var/log/nginx/error.log |
| MySQL server errors and startup messages. | /var/log/mysql/error.log | Tracking MySQL errors, startup/shutdown events, and crashes. (Requires root access.) | sudo tail -f /var/log/mysql/error.log |
| MySQL general query log, if enabled. | /var/log/mysql/mysql.log | Recording all queries received by the server. (May impact performance, if enabled.) | sudo tail -f /var/log/mysql/mysql.log |
| PHP-FPM error log (RHEL/CentOS) | /var/log/php-fpm/error.log | Debugging PHP-FPM errors. (Separate from web server logs.) | sudo tail -f /var/log/php-fpm/error.log |
| PHP-FPM error log (Debian/Ubuntu) | /var/log/php7.x-fpm.log or /var/log/php8.x-fpm.log (version-specific) | Debugging PHP-FPM errors. (Separate from web server logs.) | sudo tail -f /var/log/php8.1-fpm.log |