Logs
Notes for checking logs on RHEL/Linux systems.
Use this page when a service is failing, a server behaves strangely, or I need to understand what happened.
Main log tools and locations
Common places/tools:
journalctl
/var/log/messages
/var/log/secure
/var/log/cron
/var/log/dmesg
dmesg
On modern RHEL systems, journalctl is usually the first place to check.
journalctl basics
Show recent important logs
journalctl -xe
Use this when something failed and I want recent errors with extra explanation.
Show logs from current boot
journalctl -b
Show logs from previous boot
journalctl -b -1
Useful after a reboot or crash.
Show available boots
journalctl --list-boots
Show newest logs first
journalctl -r
Follow logs live
journalctl -f
Service logs
Show logs for one service
journalctl -u SERVICE_NAME
Example:
journalctl -u sshd
Show latest logs for one service
journalctl -u SERVICE_NAME -n 100
Follow service logs live
journalctl -u SERVICE_NAME -f
Show service logs from current boot
journalctl -u SERVICE_NAME -b
Show service logs without the pager (timestamps are shown by default)
journalctl -u SERVICE_NAME --no-pager
Time-based log checks
Logs since a specific time
journalctl --since "2026-06-10 08:00"
Logs from the last hour
journalctl --since "1 hour ago"
Logs between two times
journalctl --since "2026-06-10 08:00" --until "2026-06-10 09:00"
Service logs from the last 30 minutes
journalctl -u SERVICE_NAME --since "30 minutes ago"
Error filtering
Show only errors and worse
journalctl -p err
Show errors from current boot
journalctl -p err -b
Show warnings and worse
journalctl -p warning
Service errors only
journalctl -u SERVICE_NAME -p err
/var/log/messages
On RHEL, /var/log/messages is often very useful.
Show last 100 lines
sudo tail -n 100 /var/log/messages
Follow live
sudo tail -f /var/log/messages
Search in messages
sudo grep "search_text" /var/log/messages
Example:
sudo grep -i "error" /var/log/messages
Search compressed/rotated logs
sudo zgrep -i "error" /var/log/messages-*
Authentication and security logs
Check secure log
sudo tail -n 100 /var/log/secure
Search failed login attempts
sudo grep -i "failed" /var/log/secure
Show recent successful logins (last) and failed logins (lastb)
last
sudo lastb
Kernel and boot logs
Show kernel ring buffer
dmesg
Human-readable timestamps
dmesg -T
Search kernel errors
dmesg -T | grep -i error
Search disk-related kernel messages
dmesg -T | grep -Ei "disk|sda|nvme|xfs|ext4|i/?o error"
Cron logs
Depending on the system, cron logs may appear in /var/log/cron or in journald.
Check cron log file
sudo tail -n 100 /var/log/cron
Follow cron logs
sudo tail -f /var/log/cron
Cron logs through journalctl
journalctl -u crond
Useful grep patterns
Case-insensitive search
grep -i "error" file.log
Show line numbers
grep -n "error" file.log
Search multiple words
grep -Ei "error|failed|timeout|denied" file.log
Search recursively
grep -R "search_text" /path
Search recursively, case-insensitive
grep -Ri "search_text" /path
Log troubleshooting checklist
When checking logs, ask:
1. What exact time did the problem happen?
2. Which service or application failed?
3. Was there a reboot?
4. Did the error happen once or repeatedly?
5. Are there disk, memory, network, or permission errors?
6. Are there authentication or sudo errors?
7. Is the problem visible in journalctl, /var/log/messages, or application logs?
8. Did something change before the issue started?
First commands when something is broken
date
hostnamectl
uptime
systemctl --failed
journalctl -xe
journalctl -p err -b
sudo tail -n 100 /var/log/messages
dmesg -T | tail -n 100
Service-specific investigation template
Replace SERVICE_NAME with the real service name.
systemctl status SERVICE_NAME
journalctl -u SERVICE_NAME -n 100
journalctl -u SERVICE_NAME --since "1 hour ago"
journalctl -u SERVICE_NAME -p err
Safe notes
Do not paste real production logs with:
real hostnames
real IP addresses
customer names
usernames
tokens
passwords
internal URLs
ticket numbers
Sanitize examples before saving them here.
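A first-pass filter for the pattern-detectable items in the list above. This is an added example, not part of the original notes. The function name sanitize_log, the placeholder strings, and the sample lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original notes). sanitize_log is a hypothetical
# helper: it reads log lines on stdin and writes redacted lines to stdout.
# Assumes syslog-style lines ("Mon DD HH:MM:SS host prog[pid]: msg"), which is
# also the default journalctl output format.
# Customer names and ticket numbers have no generic pattern: review by hand.
#
# Rule order: URLs first (so an IP or token inside a URL goes with it), then
# key=value secrets, IPv4 addresses, sshd/PAM usernames, and last the
# hostname field after the timestamp. The rules over-redact on purpose:
# dotted version numbers also become <IP>.
sanitize_log() {
    sed -E \
        -e 's#https?://[^[:space:]"]+#<URL>#g' \
        -e 's/(([Pp]assword|[Pp]asswd|[Tt]oken|[Ss]ecret)[=:][[:space:]]*)[^[:space:]]+/\1<REDACTED>/g' \
        -e 's/([0-9]{1,3}\.){3}[0-9]{1,3}/<IP>/g' \
        -e 's/for (invalid user )?[^ ]+ from /for \1<USER> from /g' \
        -e 's/for user [^ (]+/for user <USER>/g' \
        -e 's/^([A-Z][a-z]{2} +[0-9]{1,2} [0-9]{2}:[0-9]{2}:[0-9]{2}) [^ ]+/\1 <HOST>/'
}

# Constructed sample lines (documentation IP ranges, made-up host and users).
SAMPLE_LOG='Jun 10 08:00:01 web01.corp.example sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jun 10 08:00:07 web01.corp.example sshd[1240]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
Jun 10 08:01:12 web01.corp.example myapp[2201]: GET https://intranet.corp.example/api?id=7 token=abc123DEF failed'

# Run with --demo to see the sample redacted; otherwise pipe real output in:
#   journalctl -u SERVICE_NAME -n 100 --no-pager | sanitize_log
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | sanitize_log
fi
```

Read the output before saving it: the filter only catches what matches a pattern.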
Personal notes
Add examples and patterns I discover during work.