Skip to main content

Viewing System Logs (dmesg, journalctl)

Introduction to System Logs

System logs are records of events and activities occurring on a Linux system. They are essential for:

  • Troubleshooting errors or unexpected behavior.
  • Auditing system activities for security and compliance.
  • Monitoring system performance.

Key Purposes of System Logs:

  • Error detection: Identifying software or hardware failures.
  • Service auditing: Tracking the activities of services or applications.
  • Performance monitoring: Measuring the success or failure of tasks and resource usage.

2. Key Locations of Log Files in Linux

Linux stores system logs in the /var/log/ directory. Common logs include:

  • /var/log/syslog – General system log, containing messages from all services.
  • /var/log/auth.log – Logs for authentication and security events.
  • /var/log/kern.log – Logs generated by the kernel, including hardware-related messages.
  • /var/log/dmesg – Logs related to the system boot process, hardware detection, and initialization.

Accessing Log Files:

Use basic file management commands to view logs:

cat /var/log/syslog
less /var/log/auth.log
tail -f /var/log/kern.log
  • cat: Displays the entire file.
  • less: Allows paging through the file interactively.
  • tail -f: Shows the end of the file and updates in real time.

3. Using dmesg: Kernel Ring Buffer Messages

The dmesg command displays kernel messages related to hardware, device drivers, and boot-time logs. It is especially useful for:

  • Diagnosing hardware-related issues.
  • Viewing boot errors.
  • Monitoring device initialization.

Syntax:

dmesg [options]

Key Options for dmesg:

OptionDescription
-TDisplay timestamps for each message.
-lFilter logs by severity (e.g., err, warn).
--levelSpecify severity level (e.g., emerg, alert).
-nSet the log level of the console messages.

Examples

1. Basic dmesg Output
dmesg

Expected Output:

[    0.000000] Initializing cgroup subsys cpuset
[    0.000000] Linux version 5.4.0-70-generic (buildd@lcy01-amd64-039) (gcc version 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)) #78-Ubuntu SMP Thu Nov 5 16:33:51 UTC 2020 (Ubuntu 5.4.0-70.78-generic 5.4.70)
[    0.000000] Command line: BOOT_IMAGE=/boot/vmlinuz-5.4.0-70-generic root=UUID=35d3dfeb-f317-4d5c-94ed-98bc49813ab6 ro quiet splash
...
  • [0.000000]: Timestamp when the event occurred.
  • The output shows kernel events like system initialization, hardware detection, and more.
2. Filtering Messages by Severity Level
dmesg -l err

Expected Output:

[   15.832] Error: unable to read CPU frequency
  • This filters and only displays error messages.
3. Viewing Boot-Time Logs
dmesg -T

Expected Output:

[Thu Dec 31 12:30:56 2020] Initializing cgroup subsys cpuset
[Thu Dec 31 12:30:56 2020] Linux version 5.4.0-70-generic (buildd@lcy01-amd64-039) ...
This command displays timestamped boot messages, making it easier to debug boot-related errors.
Example 4: Analyzing Hardware Issues
dmesg | grep -i error

Expected Output:

[   15.832] Error: unable to read CPU frequency
[  102.430] Error: failed to initialize network interface
  • This filters hardware error messages (e.g., issues with CPU frequency or network initialization).

4. Using journalctl: Viewing Logs Managed by systemd

The journalctl command is used for viewing logs from systemd. It provides access to logs from services, kernel messages, and other system events.

Syntax:

journalctl [options]

Key Options for journalctl

OptionDescription
-uShow logs for a specific service.
-rShow logs in reverse order (newest first).
-fFollow the log output in real time (similar to tail).
--sinceShow logs since a specific time (e.g., yesterday, 2021-01-01).
--untilShow logs up to a specific time.

Examples

1: Basic journalctl Output
journalctl

Expected Output:

-- Logs begin at Tue 2020-12-29 14:52:33 UTC, end at Thu 2020-12-31 13:00:47 UTC. --
Dec 29 14:52:33 localhost systemd[1]: Started Journal Service.
Dec 29 14:52:33 localhost systemd[1]: Starting Journal Service...
Dec 29 14:52:33 localhost systemd-journal[1107]: Journal started
...
  • The output shows logs from systemd services, kernel messages, and other system components.
2. Viewing Logs for a Specific Service
journalctl -u apache2

Expected Output:

Dec 29 14:52:33 localhost apache2[1821]: AH00558: apache2: Could not reliably determine the server's fully qualified domain name...

This filters logs for the Apache HTTP server.

3. Viewing Logs for a Specific Time Range
journalctl --since "2020-12-30 00:00:00" --until "2020-12-30 12:00:00"

Expected Output:

Dec 30 00:01:05 localhost systemd[1]: Started Apache Web Server.
...
  • This shows logs from a specific time window.
4: Monitoring Logs in Real Time
journalctl -f
  • This command continuously shows new log entries as they are added (similar to tail -f).

Advanced Log Management

Searching Logs with Keywords:

journalctl | grep "error"
  • This filters logs for specific keywords (e.g., “error”).

Exporting Logs for Analysis:

journalctl > system_logs.txt
  • This exports all logs into a text file for further analysis.

5. Practical Use Cases

Scenario 1: Troubleshooting Boot Issues

dmesg | grep -i error
2. Analyze systemd logs for errors:
journalctl -xe

Scenario 2: Monitoring Service-Specific Logs

1. Check the status of Apache:
systemctl status apache2
2. View Apache’s logs with journalctl:
journalctl -u apache2

6. Key Takeaways

  • dmesg is used to view kernel-related logs, including hardware errors and boot-time messages.
  • journalctl provides access to systemd-managed logs, enabling filtering by services, time ranges, and severity.
  • Logs are crucial for system debugging, monitoring service performance, and auditing activities.
  • By using filters and search tools, you can focus on relevant log data to solve problems more efficiently.
© 2025 Neplearn