Logs cheatsheet.

journalctl

journalctl                          # all logs
journalctl -f                       # follow
journalctl -n 100                   # last 100
journalctl --since "10 min ago"
journalctl --since "yesterday"
journalctl --since "2026-01-15" --until "2026-01-16"
journalctl -p err                   # priority error+
journalctl -p warning..err          # range
journalctl -u nginx                 # unit
journalctl _PID=1234
journalctl _UID=1000
journalctl --boot                   # current boot
journalctl --boot -1                # previous boot
journalctl --list-boots
journalctl -k                       # kernel only
journalctl -o json                  # JSON output
journalctl -o short-iso             # ISO timestamps
journalctl --no-pager

Disk usage

journalctl --disk-usage
journalctl --vacuum-size=500M
journalctl --vacuum-time=7d
journalctl --rotate

/etc/systemd/journald.conf

SystemMaxUse=500M
MaxRetentionSec=1month
ForwardToSyslog=no
Storage=persistent

systemctl restart systemd-journald   # apply changes

/var/log

/var/log/syslog or /var/log/messages
/var/log/auth.log
/var/log/kern.log
/var/log/dpkg.log
/var/log/apt/
/var/log/nginx/
/var/log/mysql/
tail -f /var/log/syslog
grep ERROR /var/log/syslog

rsyslog

/etc/rsyslog.conf
/etc/rsyslog.d/*.conf

Filter + route logs to files / remote.

*.info;mail.none;authpriv.none;cron.none  /var/log/messages
auth.*,authpriv.*  /var/log/auth.log

Forward to remote:

*.* @loghost.example.com:514      # UDP (single @)
*.* @@loghost.example.com:514     # TCP (double @)

logrotate

/etc/logrotate.conf
/etc/logrotate.d/*
/var/log/myapp/*.log {
    daily
    rotate 14
    compress
    delaycompress
    missingok
    notifempty
    create 0640 myapp myapp
    sharedscripts
    postrotate
        systemctl reload myapp
    endscript
}
logrotate -d /etc/logrotate.d/myapp     # dry run
logrotate -f /etc/logrotate.d/myapp     # force

dmesg (kernel)

dmesg
dmesg -T                            # human time
dmesg -w                            # follow
dmesg --level=err,warn
dmesg | grep -i usb

syslog priorities

0 emerg
1 alert
2 crit
3 err
4 warning
5 notice
6 info
7 debug
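The number in a raw syslog line's <PRI> prefix combines these severities with a facility (PRI = facility * 8 + severity), which is what rsyslog selectors like auth.* and journalctl -p err are filtering on. Added example, not from the original cheatsheet: a POSIX sh decoder that turns a PRI into facility.severity and filters constructed sample lines by severity; the sample lines and hostnames are made up.

```shell
#!/bin/sh
# Added example: decode the <PRI> prefix of a classic syslog line.
# PRI = facility * 8 + severity; severity uses the 0-7 table above,
# so "auth.err" is 4*8 + 3 = 35 and "authpriv.info" is 10*8 + 6 = 86.

severity_name() {
    case "$1" in
        0) echo emerg ;;   1) echo alert ;;  2) echo crit ;; 3) echo err ;;
        4) echo warning ;; 5) echo notice ;; 6) echo info ;; 7) echo debug ;;
    esac
}

facility_name() {
    case "$1" in
        0) echo kern ;; 1) echo user ;;   2) echo mail ;;      3) echo daemon ;;
        4) echo auth ;; 5) echo syslog ;; 6) echo lpr ;;       7) echo news ;;
        8) echo uucp ;; 9) echo cron ;;  10) echo authpriv ;; 11) echo ftp ;;
        1[6-9]|2[0-3]) echo "local$(( $1 - 16 ))" ;;
        *) echo "facility$1" ;;
    esac
}

# decode_pri '<35>...' prints "auth.err" (facility.severity, selector style)
decode_pri() {
    pri=${1#<}; pri=${pri%%>*}
    echo "$(facility_name $(( pri / 8 ))).$(severity_name $(( pri % 8 )))"
}

# filter_min_severity N: keep lines whose severity number is <= N,
# i.e. "N and more urgent", the same sense as journalctl -p err (N=3).
filter_min_severity() {
    while IFS= read -r line; do
        pri=${line#<}; pri=${pri%%>*}
        case "$pri" in ''|*[!0-9]*) continue ;; esac   # no <PRI> prefix
        if [ $(( pri % 8 )) -le "$1" ]; then printf '%s\n' "$line"; fi
    done
}

# Constructed sample input (not real log data): five lines, varied PRI.
SAMPLE_LOG=$(cat <<'EOF'
<86>Jan 15 12:00:00 web1 sshd[1234]: Accepted publickey for alice from 192.0.2.10 port 52000
<35>Jan 15 12:00:05 web1 sshd[1300]: error: PAM: Authentication failure for bob from 192.0.2.11
<4>Jan 15 12:00:07 web1 kernel: usb 1-1: device descriptor read/64, error -71
<77>Jan 15 12:00:10 web1 CRON[1400]: (root) CMD (run-parts /etc/cron.hourly)
<135>Jan 15 12:00:12 web1 myapp[1500]: debug: cache miss key=user:42
EOF
)

# Usage when run directly: tag each line, then show only warning-and-worse.
printf '%s\n' "$SAMPLE_LOG" | while IFS= read -r l; do echo "$(decode_pri "$l")  $l"; done
printf '%s\n' "$SAMPLE_LOG" | filter_min_severity 4
```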

logger (write to syslog)

logger "something happened"
logger -t myapp -p user.warning "warning event"
logger -f file                      # send file contents

Audit logs (auditd)

ausearch -k login
auditctl -w /etc/passwd -p wa -k passwd_changes
aureport

Boot logs

journalctl -b                       # current boot
journalctl -b -1                    # previous
journalctl -b -p 3                  # only errors+

Failed services

systemctl --failed
journalctl -p 3 -xb

Logging from scripts

exec > >(logger -t myscript) 2>&1
echo "running"

All stdout/stderr → syslog.

Structured logging

echo '{"level":"info","msg":"thing","ts":"2026-01-15T12:00:00Z"}' | logger -t myapp

/etc/rsyslog.d/00-remote.conf (remote logging)

$ModLoad imtcp
$InputTCPServerRun 514
# %HOSTNAME% is only expanded through a template; a literal path would not work
$template RemoteHost,"/var/log/remote/%HOSTNAME%/messages"
*.* ?RemoteHost

For central logging.

Vector / Fluent Bit / Promtail

Modern alternatives that read journal/files and ship to Loki / ELK / S3.

Common mistakes

  • No log rotation → disk fills.
  • journalctl showing nothing — check Storage= in conf.
  • Grepping a huge log file from the start — use tail -F | grep.
  • Logging to a file inside a container that gets recreated.
  • Logging secrets (passwords, tokens) by accident.

Read this next

If you want my log shipping setup, it’s at rajpoot.dev.


Building something AI-, backend-, or data-heavy and want a second pair of eyes? I do consulting and freelance work — see my projects and ways to reach me at rajpoot.dev.