CIS120
Linux Fundamentals
Logs & Where They Live
Logs explain what the system did and what went wrong. Even if you cannot read every file in /var/log, you can usually still use journalctl (systemd’s journal) to inspect many important events.
Look at example log output (files)
If you need something repeatable (instead of depending on what your machine logged today), use the simulated journal files in ~/playground/chapter9.
Practical Examples
# Go to the practice folder
cd ~/playground/chapter9
# Find only the “ERROR” lines
sed -n '/ERROR/p' journal_after.txt
# See what changed overall (useful for “why now?” questions)
diff -u journal_before.txt journal_after.txt
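Going one step beyond the ERROR filter and the diff above, this added example (not part of the course materials) reports only the ERROR messages that are new in the later snapshot, ignoring timestamps and process IDs. The sample log lines are constructed and assume journalctl's default line layout; the function names and the scratch file names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the course files). Sample log lines are constructed
# and assume journalctl's default "Mon DD HH:MM:SS host unit[pid]: msg" layout.

# Keep only ERROR lines, then drop the timestamp, host and [pid] so the same
# error logged at a different time or by a restarted process compares equal.
normalize() {
    sed -n '/ERROR/p' "$1" |
        awk '{ $1 = $2 = $3 = $4 = ""; sub(/^ +/, ""); print }' |
        sed 's/\[[0-9]*\]//' |
        LC_ALL=C sort -u
}

# new_errors BEFORE AFTER: print ERROR messages that appear only in AFTER.
new_errors() {
    nb=$(mktemp) || return 1
    na=$(mktemp) || { rm -f "$nb"; return 1; }
    normalize "$1" > "$nb"
    normalize "$2" > "$na"
    LC_ALL=C comm -13 "$nb" "$na"   # keep column 2: lines unique to AFTER
    rm -f "$nb" "$na"
}

# Constructed sample snapshots, written to a scratch directory.
demo=$(mktemp -d)
cat > "$demo/before.txt" <<'EOF'
Jan 10 09:00:01 lab01 systemd[1]: Started Session 3 of user student.
Jan 10 09:02:14 lab01 backup[411]: ERROR could not reach backup server
Jan 10 09:05:30 lab01 sshd[812]: Accepted password for student
EOF
cat > "$demo/after.txt" <<'EOF'
Jan 10 09:00:01 lab01 systemd[1]: Started Session 3 of user student.
Jan 10 09:02:14 lab01 backup[411]: ERROR could not reach backup server
Jan 10 09:05:30 lab01 sshd[812]: Accepted password for student
Jan 10 10:02:14 lab01 backup[977]: ERROR could not reach backup server
Jan 10 10:07:45 lab01 webapp[1040]: ERROR config file /etc/webapp.conf not found
Jan 10 10:07:46 lab01 systemd[1]: webapp.service: Failed with result 'exit-code'.
EOF

# The repeated backup error is not reported; only the webapp error is new.
new_errors "$demo/before.txt" "$demo/after.txt"
```

To try it on the practice files, call new_errors journal_before.txt journal_after.txt from ~/playground/chapter9; if those files use a different line layout, adjust the fields dropped in normalize.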
Two Common Log Sources
- systemd journal accessed via journalctl (often more accessible)
- log files on disk under /var/log/ (permissions vary)
Quick Reference
| Goal | Try This |
|---|---|
| List recent boot sessions | journalctl --list-boots |
| Read logs for the current boot | journalctl -b |
| Look at available log files | ls /var/log |
| Spot check a classic log file (may fail) | less /var/log/messages |
What You Might See (examples)
Depending on permissions, you may see:
- Permission denied when opening restricted files (common)
- Readable output from journalctl even when some /var/log files are blocked
- Relevant errors like missing configs, service crashes, or disk-full warnings
Practical Examples
# List boot sessions
journalctl --list-boots
# Read current boot logs (may be long)
journalctl -b
# View classic log files folder
ls /var/log
# Try one file that might or might not be readable
less /var/log/secure 2>/dev/null || echo "Can't read /var/log/secure"
Remember: “Permission denied” is data
If a particular log file is blocked, switch to journalctl and filter by service/time. That is usually the fastest path in a no-sudo classroom.