

Easily read a log file in Linux with command-line tools

Depending on the specific Linux distribution you use, there is a variety of commands to help you locate, read and search log files within related program components.

In the early days of Linux, the syslog process wrote log files as ASCII text files to the /var/log directory. To read them, you needed tools such as the less command. You can still read a log file in Linux this way, but alternatives such as systemd-journald are now available.

Systemd-journald is a log service that is part of the systemd service manager, and it writes messages to the in-memory journal. To read these messages, you'll need to use the journalctl command-line utility.

If you start the command without any options, it shows the journal's entire contents, but you can use command-line options to filter the output. For instance, if you type journalctl -u sshd, you'll see log messages from the SSHD service.

Additional tools to read a log file in Linux

In addition to systemd-journald, rsyslog is available in Linux distributions. This service works with modules that write log messages to database files instead of plain text files. Storing messages this way makes processing more efficient because database file queries are more granular. With this method, you decide how to write messages to the database, so there is no standard way to retrieve messages.

If you use rsyslog and systemd-journald, messages are standardized in this timestamp host service format:

May 22 03:37:02 server1 su: (to root) user on pts/1

The message's timestamp is May 22, 3:37:02; it was generated on server1 by the su process; and the message itself is "(to root) user on pts/1." Systemd-journald also uses this log message format, so once you know where to find a log file in Linux, you'll be able to read it regardless of which distribution you use.
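
As an added example (not from the original article), the shell functions below split lines in this timestamp host service format into their fields and list every su switch to root. The function names and all sample lines except the first are constructed for illustration, and the code assumes a service name may carry a [pid] suffix.

```shell
#!/bin/sh
# Added example: parse "timestamp host service: message" log lines.
# The first sample line is the one quoted in the article; the rest are constructed.
sample_log() {
cat <<'EOF'
May 22 03:37:02 server1 su: (to root) user on pts/1
May 22 03:38:10 server1 sshd[1042]: Accepted publickey for user from 192.0.2.10 port 50122 ssh2
May  2 03:39:45 server1 su: (to root) admin on pts/2
May 22 03:40:01 server1 CRON[1100]: (root) CMD (run-parts /etc/cron.hourly)
this line does not follow the format
EOF
}

# parse_lines: read log lines on stdin, print "timestamp|host|service|message".
# Lines without a "service:" token in the fifth field are skipped.
parse_lines() {
    awk 'NF >= 5 && $5 ~ /:$/ {
        ts = $1 " " $2 " " $3            # single-digit days are space padded
        svc = $5
        sub(/:$/, "", svc)               # drop the trailing colon
        sub(/\[[0-9]+\]$/, "", svc)      # drop a [pid] suffix if present
        msg = $0                         # message = everything after field 5
        for (i = 1; i <= 5; i++) sub(/^ *[^ ]+ */, "", msg)
        print ts "|" $4 "|" svc "|" msg
    }'
}

# su_to_root: print "timestamp host user" for each su switch to root.
su_to_root() {
    parse_lines | awk -F'|' '$3 == "su" && $4 ~ /^\(to root\) / {
        split($4, w, " ")                # w[3] is the invoking user
        print $1 " " $2 " " w[3]
    }'
}

sample_log | su_to_root
```

To run the same filter against a real plain-text log, pipe that file into su_to_root instead of sample_log.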


Benefits of systemd-journald and rsyslog

Systemd-journald is the common way to read a log file in Linux, especially with the journalctl command. This will show all messages written to your system, and you can use the arrow keys to navigate the output.

In many cases, a more convenient way to read journalctl-generated logs is to append the -f option to the command (journalctl -f). This shows the end of a log file in Linux and tracks new journal messages.

Linux log files written with rsyslog are easier to access because they are text files written into /var/log. But there is no standard for the names of rsyslog files. To find recently written log files, use a command such as ls -lrt, which sorts log files by modification date. After finding a log file in Linux that way, you can open it with a pager such as less, or use tail to show the last couple of lines in the file.
