Check the Captain's Log
Find out where Ubuntu logs important system information so you can track down the cause of startup and system errors.
When you use a system long enough, eventually you find you need to put on your detective hat. Maybe you've added a piece of hardware or plugged in a new device, and you aren't sure whether the system is recognizing it. Maybe you upgraded some software, and now it's not working quite right. Whatever the reason, when you want to track down what's really going on under the hood of your Ubuntu system, it's time to look through logs.
A normal desktop system generates a surprising amount of logs in a day, even if nothing is wrong. When you connect to a network, plug in a new device, log in, or do any number of things, the system generates logs. The majority of system logs reside in the /var/log directory. Some of these logs overlap; for instance, logs from daemons will show up both in the daemon.log and in syslog. Here are some of the main logs you will find under /var/log, along with their uses:
syslog - syslog is the primary system log and contains log output from daemons and other programs running on the system, such as dhclient, cron, init, xscreensaver, and some kernel logs. This log is the first place to look when trying to track down general system errors.
dmesg - This log traditionally lists all of the boot-time kernel logging for a system, along with any other kernel logs related to devices and module loading. Check here to see what sorts of devices the kernel detected at boot time, as well as to track down any errors the kernel might have had when loading a module.
kern.log - Like dmesg, this log contains kernel log output; however, it has the advantage of being timestamped.
Xorg.?.log - The Xorg logs contain very detailed output from Xorg and are numbered according to which display it is running. The default Xorg session runs on display 0, so for the most part you would look through Xorg.0.log to trace down errors in Xorg.
messages - This log contains some kernel log messages along with log output from certain system programs. For instance, gconfd and some other programs log here.
daemon.log - Here, you will find the same daemon output that you would normally find in syslog, but without log output from kernels or other systems that log to syslog.
auth.log - Inside auth.log, you will find information about user authentication including every time a user logs in to the system or executes sudo.
mail.log - If you use your system as an email server, this log will contain information about incoming and outgoing messages, along with any errors.
apache/ - If you have installed the Apache web server on your system, /var/log/apache contains access_log, error_log, and all of the other primary Apache logs.
cups/ - CUPS is the printing system for Ubuntu. This directory contains all of the different logs for the CUPS service, so look here to debug any issues with printing on the system.
gdm/ - GDM is the graphical login manager for GNOME. If you notice any problems with the main login screen, look at the logs in this directory for clues.
View the Logs
Now that you have an idea where to look for information, there are a number of different methods you can use to actually look through the logs. Ubuntu provides a nice graphical tool for log viewing called the System Log Viewer. To start this program, click System System Log. The default window displays a sidebar to the left listing various system logs you have open and a main window listing the contents of the selected log. By default, the System Log Viewer lists only syslog, but you can click Log Figure).
A nice feature of the System Log Viewer is that it splits logs up according to date. Along the bottom-lefthand side of the window is a calendar with days displayed in bold if the current log contains entries for that day. Select a day from the calendar, and it will appear in the main window. You can also collapse a particular day from view in the main window by clicking the arrow next to the date.
You can also view logs the old-fashioned way from a terminal. The program less is a great, no-frills way to open up a logfile and page through it. Just type:
$ less /var/log/syslog
to open up the syslog (you can also replace that file with the path of the file you wish to open). You can use the arrow keys to navigate up and down the file, or you can hit G to scroll down to the very bottom of the file, or g to scroll to the top. To search within the logfile for a keyword, type / followed by the keyword to find. The keyword will be highlighted within the terminal, and you can type n to advance to the next match, or N to go back to the previous match. Hit F to have less continue to update the log as new lines are appended (a lot like running tail -f on the file).
Some people might be tempted to just use vi when opening logfiles; however, be warned that vi caches the entire file to disk when it opens it. This might not be a problem for small logfiles, but when you open a 2 GB Apache log, you might possibly fill up the remaining space on your disk! less does not cache the entire file like vi, so it is the safer choice for large logfiles.
grep is also a very useful tool for logs. grep accepts a pattern as an argument and will look for that pattern within a file. For instance:
$ grep dhclient /var/log/syslog
will return all of the log entries containing the word "dhclient". Grep is particularly useful for Xorg logs, as the warnings and errors in these logs are preceded by WW and EE, respectively. To grep out all of the warnings and errors from Xorg.0.log, type:
$ grep -E '(WW|EE)' /var/log/Xorg.0.log
Note that the -E option turned on extended regular expressions so that you could use a more advanced pattern.
Some logfiles you want to view might be gzipped due to log rotation. In this case, use zless and zgrep just as you would less and grep, respectively.
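An added example, not part of the original text: a small script that applies grep and zgrep to a log and all of its rotated copies, oldest first, and uses that to count sudo use per user from auth.log. The function names, the rotation naming (auth.log.1, auth.log.2.gz) and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: grep a log together with its rotated copies, oldest entry first.

# search_rotated PATTERN LOGFILE: searches LOGFILE.N[.gz] ... LOGFILE.1, then LOGFILE.
search_rotated() {
    pattern=$1; log=$2
    for f in "$log".*; do
        [ -e "$f" ] || continue              # no rotated copies at all
        n=${f#"$log".}                       # "2.gz" -> rotation number 2
        printf '%s %s\n' "${n%%.*}" "$f"
    done | sort -rn | while read -r _n f; do # highest number = oldest file
        case $f in                           # exit status 1 only means "no match"
            *.gz) zgrep -E "$pattern" "$f" || [ $? -eq 1 ] ;;
            *)    grep  -E "$pattern" "$f" || [ $? -eq 1 ] ;;
        esac
    done
    grep -E "$pattern" "$log" || [ $? -eq 1 ]
}

# sudo_by_user LOGFILE: prints "user count" for every user who ran sudo.
sudo_by_user() {
    search_rotated 'sudo: +[^ ]+ : .*COMMAND=' "$1" |
        sed -n -E 's/.*sudo: +([^ ]+) : .*/\1/p' |
        sort | uniq -c | awk '{print $2, $1}' | sort -k2,2nr -k1,1
}

# make_sample DIR: writes a constructed auth.log rotation set (not real data).
make_sample() {
    cat > "$1/auth.log.2" <<'EOF'
Mar  1 08:00:01 demo sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update
Mar  1 08:05:44 demo sshd[811]: Accepted password for bob from 192.0.2.10 port 50122 ssh2
EOF
    gzip "$1/auth.log.2"
    cat > "$1/auth.log.1" <<'EOF'
Mar  8 10:12:30 demo sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/less /var/log/syslog
Mar  8 10:13:02 demo sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/service cups restart
EOF
    cat > "$1/auth.log" <<'EOF'
Mar 15 09:30:00 demo sshd[902]: Failed password for alice from 192.0.2.10 port 50400 ssh2
Mar 15 09:31:10 demo sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/tail -f /var/log/auth.log
EOF
}

dir=$(mktemp -d) && make_sample "$dir"
sudo_by_user "$dir/auth.log"
rm -rf "$dir"
```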