If you really want to see what's happening beneath the hood of your Linux distribution, you need to use log files.
Log files. They're there for a reason -- to keep track of what goes on behind the velvet curtain of your operating system. When things go wrong, entries are added to those log files, so you can view them and troubleshoot what's happening. Even when something goes right, valuable information might be tacked onto the end of that log file, which can also be useful.
The thing is, Linux keeps a lot of log files. Some are useful to users, while others might not be so helpful. Many apps also install their own log files, so you can troubleshoot a single app.
But which log files should you pay attention to, and what are they for? Let's dive in and unpack this.
First, let's consider the four types of log files found on any given Linux system:
The syslog file saves general messages and information about your system. This file retains all activity across the system, which means it can be fairly dense and challenging to read. Because of that, I often use the grep command to search for specific keywords. For example, I might need to troubleshoot the CUPS printer server, so I could issue the command grep cups /var/log/syslog and see only those entries that include the word "cups." Syslog also saves all cron-related events, which are automated jobs that happen in the background.
The syslog file is found in two different places, depending on your distribution. In Ubuntu-based distributions, that file is /var/log/syslog. In Fedora-based distributions, that file is /var/log/messages.
The boot.log file saves startup messages and boot information. If you need to troubleshoot anything related to your OS bootup, this is where you'll look. Keep in mind that this log file requires admin permissions to view, so you'll need to use sudo, like this:
Unless there's an issue, you'll find that file is often empty.
The faillog log file keeps track of all failed login attempts. The only caveat to this log is that it cannot be viewed with the usual commands (such as cat or less). Instead, you'll use the faillog command like so:
Faillog can also lock user accounts. For example, suppose you want to lock the user account olivia for sixty minutes. To do that, you'd issue the command:
Faillog has a few other tricks up its sleeve, so make sure to read the man page with man faillog.
The auth.log and secure log files keep track of all authentication attempts (successful or failed) on your system. In these log files, you'll likely find a large number of entries for the root user; that's because auth.log and secure also track system logins, such as those for daemons and cron jobs, as well as jobs run with sudo. This is a great place to check for unauthorized access to your system or to determine if the root user is being used for malicious purposes.
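As an added example (not part of the original article), the shell functions below scan auth.log-style lines for the kind of review described above: failed SSH password attempts per source address, successful logins from an address that had earlier failures, and commands run through sudo. The sample lines, host name and addresses are constructed, and the message layouts assumed are the common OpenSSH and sudo syslog formats.

```shell
# Added example, not from the article: summarise auth.log-style lines.

# Constructed sample input (documentation address ranges, made-up host/PIDs).
sample_auth_log() {
cat <<'EOF'
Mar  3 09:14:02 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  3 09:14:05 host1 sshd[1201]: Failed password for root from 203.0.113.7 port 51130 ssh2
Mar  3 09:14:09 host1 sshd[1203]: Failed password for olivia from 203.0.113.7 port 51144 ssh2
Mar  3 09:14:15 host1 sshd[1204]: Accepted password for olivia from 203.0.113.7 port 51150 ssh2
Mar  3 09:16:40 host1 sshd[1250]: Failed password for olivia from 198.51.100.23 port 40010 ssh2
Mar  3 09:20:11 host1 sshd[1302]: Accepted publickey for olivia from 192.0.2.10 port 40022 ssh2: ED25519 SHA256:EXAMPLEONLY
Mar  3 09:21:40 host1 sudo:   olivia : TTY=pts/0 ; PWD=/home/olivia ; USER=root ; COMMAND=/usr/bin/apt update
Mar  3 09:30:01 host1 CRON[1410]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
EOF
}

# Count failed SSH password attempts per source address. The user name is
# client-supplied text, so the address is read from the END of the line.
failed_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password for / &&
         $(NF-4) == "from" && $(NF-2) == "port" { n[$(NF-3)]++ }
         END { for (ip in n) print n[ip], ip }' "$@" | sort -k1,1nr -k2,2
}

# Successful logins from an address that already had failures in this input:
# prints "user address failures-so-far".
success_after_failures() {
    awk '/sshd\[[0-9]+\]: Failed password for / &&
         $(NF-4) == "from" && $(NF-2) == "port" { fails[$(NF-3)]++; next }
         /sshd\[[0-9]+\]: Accepted / {
             for (i = 1; i <= NF; i++) if ($i == "Accepted") break
             if ($(i+4) == "from" && ($(i+5) in fails))
                 print $(i+3), $(i+5), fails[$(i+5)]
         }' "$@"
}

# Commands run through sudo: prints "user command".
sudo_commands() {
    awk '/ sudo: / && /COMMAND=/ {
             for (i = 1; i <= NF; i++) if ($i == "sudo:") break
             user = $(i+1); cmd = $0; sub(/.*COMMAND=/, "", cmd)
             print user, cmd
         }' "$@"
}

# Stand-alone run over the constructed sample; each function also accepts file names.
for f in failed_by_source success_after_failures sudo_commands; do sample_auth_log | "$f"; done
```

Each function reads standard input or the files named as arguments, so it can be pointed at /var/log/auth.log (or /var/log/secure on Fedora-based systems) by a user with permission to read that file.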
If you ever need to view the history of the apt package manager, you'll find it in /var/log/apt/history.log. This file keeps a log of every action that occurs with the apt command (such as installations, updates, removals, etc). These entries will list what applications were installed, updated, or removed, who used the command, and when it was used.
If you use a Fedora-based distribution and want to check on what has been done via the dnf package manager, that file is /var/log/dnf.log and contains similar information to the Ubuntu-based /var/log/apt/history.log file.
Within the /var/log directory, you'll also find sub-directories for various apps and services that are installed on the system, such as Apache, MySQL, OpenVPN, Samba, CUPS, and more. And remember, there are several ways to view these log files, such as with cat, less, and tail.