VOOZH about

URL: https://www.geeksforgeeks.org/techtips/how-to-manage-logs-in-linux/

⇱ Log Management in Linux - GeeksforGeeks

  • Courses
  • Tutorials
  • Interview Prep

Log Management in Linux

Last Updated : 15 Nov, 2025

Log management is the process of collecting, storing, analyzing, and rotating logs. It helps administrators keep track of system events efficiently while ensuring that old logs are safely archived or removed.

In simple terms, logs help you:

  • Monitor system performance: Detect issues early.
  • Ensure security: Track login attempts or suspicious activity.
  • Maintain compliance: Meet audit requirements.
  • Troubleshoot errors: Trace system or application failures.

Log Management Tools in Linux

Linux provides several built-in tools to manage logs effectively:

  1. syslog: The standard for logging system messages.
  2. rsyslog: An enhanced version of syslog with better performance and filtering.
  3. journald: Part of systemd, responsible for structured log storage and retrieval.
  4. logrotate: A tool for managing log file rotation, compression, and archiving.

Common Log Files in Linux

Logs are usually stored under the /var/log/ directory.

  • /var/log/syslog: General system messages and events.
  • /var/log/auth.log: Authentication and login-related events.
  • /var/log/kern.log: Kernel-related messages.
  • /var/log/boot.log: Boot-time messages.
  • /var/log/dmesg: Hardware and kernel ring buffer messages.

Managing Logs in Linux

The Log Files in Linux stores critical information of the device. If you can Manage Linux Log Files, some confidential background information will come in your hand. Log Managing in Linux can be classified as an expert-level activity on Linux. There are few Linux Commands present to Manage Logs in Linux efficiently.

Methods to Manage Logs in Linux

  • To Manage Linux Logs, the following commands can be used one by one as necessary.

Method 1: Using cat Command - View Log Content

  • Display the full contents of a log file.

Command:

cat /var/log/syslog

Example:

cat /var/log/auth.log

Output:

👁 Log

Here,

1. Date & Time at the start of every line shows when the event happened.

  • Example: 2023-11-01T06:15:01

2. Service/Program Name: Tells which service generated the log.

  • Example: CRON, gdm-password, systemd-logind

3. User Login Sessions

  • session opened for user root > a login or process started using root.
  • session closed for user root > that session ended.

4. Failed Login Attempts

  • Authentication failure or password check failed > someone entered a wrong password (e.g., for user vboxuser).

5. Keyring Unlocked Message

  • gkr-pam: unlocked login keyring > successful login, system unlocked saved passwords.

6. System Button Monitoring

  • Messages like Watching system buttons (Power Button/Sleep Button) > system is monitoring hardware keys.

Method 2: Using grep Command – Filter Specific Entries

  • Search for specific text inside log files.

Command:

grep "FAILED" /var/log/auth.log

Example:

grep "Failed password" /var/log/auth.log
  • Instead of reading directly from the binary file, use this: 
sudo grep -a "Failed password" /var/log/auth.log
👁 log
  • The output shows timestamp, system name, and service name (like sudo, CRON, gdm-password) for each authentication-related activity.
  • It displays login attempts, session open/close details, commands run with sudo, and which user performed the action (root, vboxuser, etc.).
  • You can also see failed login attempts (Failed password), authentication failures, and successful unlocks of user keyrings.

Method 3: Manage Logs in Linux using SORT Command

  • Sort log entries (alphabetically or numerically).

Command:

sort /var/log/syslog

Example:

  • Sort kernel log messages
sort /var/log/kern.log

Output:

👁 file
  • System Startup & Kernel Version Info: You can see lines that display the Linux kernel version, build information, and system hardware details (like VirtualBox BIOS and CPU info).
  • Hardware & Driver Messages: It shows messages related to hardware like USB devices, CPU, memory, sound cards, PCI devices, etc.
    Example: “USB disconnect, device number 2” means a USB device was removed.
  • Kernel Warnings or Errors: Some lines show warnings like “BUG: soft lockup” or “Tainted: [W]”, which indicate system issues or unexpected behavior detected by the kernel.

Method 4: Manage Logs in Linux using UNIQ Command

  • Show only unique lines (removes duplicates). Works best after sort.

Example: Removes duplicate log lines

Command:

sort /var/log/syslog | uniq -c

Output:

👁 sort

Here,

  • Displays unique log entries and their occurrence count.
  • Useful to identify repeating errors or frequent system events.

Also Check:

Comment
Article Tags:
Article Tags: