How to Check Logs on Ubuntu Server

Ubuntu Server, being a headless system, relies entirely on command-line tools to inspect logs. Logs are essential for troubleshooting boot issues, service failures, security events, performance problems, kernel errors, and application behavior.

Ubuntu uses two main logging systems side by side:

• Traditional text logs (via rsyslog) stored as plain files in /var/log/
• Binary systemd journal (via journald), queried with journalctl

Most modern Ubuntu Server setups (20.04 LTS and later, including 24.04 LTS and 26.04) use both, but journalctl is increasingly the preferred way for system-wide and service-specific logs.

1. Using journalctl – The Modern and Most Powerful Way

journalctl queries the systemd journal, which captures logs from the kernel, services, and user sessions in a structured, binary format. It supports powerful filtering, time ranges, and live tailing.

Run these commands as root or with sudo.

View all logs (oldest to newest):

sudo journalctl

• Use arrow keys / Page Up/Down to scroll
• Press q to quit
• Add | less if you prefer: sudo journalctl | less

Follow logs in real time (like tail -f):

sudo journalctl -f

Show logs only from the current boot:

sudo journalctl -b

Show logs from the previous boot (very useful for crash diagnosis):

sudo journalctl -b -1

Logs for a specific service/unit:

sudo journalctl -u nginx.service          # nginx web server
sudo journalctl -u ssh.service            # OpenSSH
sudo journalctl -u postgresql.service     # PostgreSQL
sudo journalctl -u docker.service         # Docker daemon

Combine filters – very common patterns:

# Errors only from current boot
sudo journalctl -b -p err

# SSH-related logs (authentication failures, connections)
sudo journalctl -u ssh OR "sshd"

# Kernel messages only
sudo journalctl -k

# Last 200 lines + follow
sudo journalctl -n 200 -f

# Since a specific time (examples)
sudo journalctl --since "2026-02-01 10:00:00"
sudo journalctl --since "yesterday"
sudo journalctl --since "2 hours ago"

# Output in JSON (useful for scripting)
sudo journalctl -o json-pretty -u nginx.service

Priority levels (-p flag):

• emerg, alert, crit, err, warning, notice, info, debug Example: sudo journalctl -p err -b → only errors from this boot

2. Checking Traditional Text Log Files in /var/log/

Even with journald, many services still write (or duplicate) logs to plain text files under /var/log/. These are rotated automatically by logrotate.

Common and useful log files on Ubuntu Server:

Quick ways to view text logs:

# Last 50 lines
sudo tail -n 50 /var/log/syslog

# Real-time monitoring
sudo tail -f /var/log/auth.log

# Search for errors
sudo grep -i error /var/log/syslog

# Search for a specific IP or string
sudo grep "Failed password" /var/log/auth.log

# Last 100 lines containing "sshd"
sudo tail -n 100 /var/log/auth.log | grep sshd

# View full file with scrolling
sudo less /var/log/syslog
# (inside less: /search-term to search, q to quit)

3. Quick Reference Cheat Sheet

• Service not starting? → sudo journalctl -u your-service.service -xe
• Login / security issue? → sudo tail -n 200 /var/log/auth.log
• Kernel panic or hardware fault? → sudo journalctl -k -b -1
• Everything since last reboot? → sudo journalctl -b
• Live debug a service → sudo journalctl -u service -f

Tips for Ubuntu Server Admins

• Always use sudo — normal users often can’t see system-wide journals or /var/log files.
• Install less if missing (sudo apt install less) — better pager than more.
• For persistent journal across reboots (default on Ubuntu Server): check /etc/systemd/journald.conf has Storage=persistent.
• Clean old logs if /var/log fills up: sudo journalctl –vacuum-time=2weeks or configure logrotate.
• For very large output, pipe to grep, less, or redirect: sudo journalctl -b > boot.log

Mastering these commands will let you diagnose almost any issue on Ubuntu Server quickly and efficiently. Start with journalctl for most modern troubleshooting—it’s fast, filterable, and covers everything systemd touches.