Find all log files in linux

List all open ‘.log’ files in *nix

There are times as a system administrator, you might not be sure of the log file paths of a new application. Depending on the system, there may be multiple ways to find the same. Please share the different ways we can get a list of open log files on a system.

@goldilocks — is there any way we can identify these apps? I guess syslog would be a path that we could grep?

Syslog is a system service traditionally implemented by syslogd but more recently by rsyslogd and some other things. In any case, applications using this will log things via a system call; beyond reading the documentation, there would be no way to tell until they log something. If you do not understand what syslog is in a unix-like context and you are asking this kind of question, you had better do some catch up reading and research ASAP, because this is mission critical knowledge!


User X files

If you need to see just a single user’s open files:

Or only files with a text file descriptor (typically real files):

Example

All files in use by user saml .

$ lsof -usaml
COMMAND  PID USER  FD   TYPE DEVICE SIZE/OFF     NODE NAME
vim     1341 saml  cwd  DIR   253,2     4096 10370078 /home/saml/mp3s
vim     1341 saml  rtd  DIR   253,0     4096        2 /
vim     1341 saml  txt  REG   253,0  2105272  1215334 /usr/bin/vim
vim     1341 saml  mem  REG   253,0   237616   393586 /lib64/libgssapi_krb5.so.2.2

Only files using a text descriptor and are owned by user saml .

$ lsof -a -usaml -d txt
Output information may be incomplete.
COMMAND    PID USER  FD   TYPE DEVICE SIZE/OFF    NODE NAME
vim       1341 saml  txt  REG   253,0  2105272 1215334 /usr/bin/vim
bash      1468 saml  txt  REG   253,0   940312 2490450 /bin/bash
gvfsd-htt 1777 saml  txt  REG   253,0   179528 1209465 /usr/libexec/gvfsd-http
gnome-key 2051 saml  txt  REG   253,0   953664 1214068 /usr/bin/gnome-keyring-daemon
.

lsof as root

Typically though you’ll want to run lsof with elevated privileges so you can see all the files on a system owned by an Apache process or root, for example.


You can also use lsof backwards and find out what process opened a particular file.

$ sudo lsof /var/log/messages
Output information may be incomplete.
COMMAND   PID USER  FD   TYPE DEVICE SIZE/OFF    NODE NAME
rsyslogd 1266 root   4w  REG   253,0   372306 1973825 /var/log/messages

lsof as top

You can also use lsof similarly to top where it will poll every number of seconds and show you what’s going on on your system.

$ sudo lsof -u saml -c sleep -a -r5 

Example

The -c . argument only shows processes with the string . in their name. Here I’m using the command sleep to show this. I run the lsof command which polls every 5 seconds, and shows any files opened by any processes with the string sleep in them. I then ran sleep 5 in another terminal.

$ sudo lsof -u saml -c sleep -a -r5
Output information may be incomplete.
=======
=======
=======
=======
COMMAND   PID USER  FD   TYPE DEVICE SIZE/OFF     NODE NAME
sleep   10780 saml  cwd  DIR   253,2    32768 10354689 /home/saml
sleep   10780 saml  rtd  DIR   253,0     4096        2 /
sleep   10780 saml  txt  REG   253,0    27912  2490470 /bin/sleep
sleep   10780 saml  mem  REG   253,0   151456   393578 /lib64/ld-2.13.so
sleep   10780 saml  mem  REG   253,0  1956608   393664 /lib64/libc-2.13.so
sleep   10780 saml  mem  REG   253,0 99158752  1209621 /usr/lib/locale/locale-archive
sleep   10780 saml   0u  CHR  136,59      0t0       62 /dev/pts/59
sleep   10780 saml   1u  CHR  136,59      0t0       62 /dev/pts/59
sleep   10780 saml   2u  CHR  136,59      0t0       62 /dev/pts/59
=======
=======
=======
=======

log files

You can use lsof to find log files by simply grepping any of the above output for the names of the log files that you’re interested in seeing what’s going on with.

$ lsof . | grep "log file name" 
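An added example, not part of the original answer: instead of grepping the column output, the function below parses lsof's machine-readable field output (-F) and keeps only regular files held open for writing that look like logs, which also shows which process writes to each one. The function names, the sample data, the myapp process and the "ends in .log or lives under /var/log" heuristic are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: which processes hold log-like files open for writing?
# Reads `lsof -F pcfatn` field output on stdin and prints
# command<TAB>pid<TAB>fd<TAB>path, sorted and de-duplicated.
open_logs_from_lsof() {
    awk '
        function emit() {
            # Keep regular files opened for write (w) or read/write (u) whose
            # name ends in .log or sits under /var/log (assumed heuristic).
            if (fd != "" && typ == "REG" && (acc == "w" || acc == "u") &&
                (name ~ /\.log$/ || name ~ /^\/var\/log\//))
                printf "%s\t%s\t%s\t%s\n", cmd, pid, fd, name
            fd = ""; acc = ""; typ = ""; name = ""
        }
        { key = substr($0, 1, 1); val = substr($0, 2) }
        key == "p" { emit(); pid = val; cmd = "" }   # new process set
        key == "c" { cmd = val }
        key == "f" { emit(); fd = val }              # new file set
        key == "a" { acc = val }
        key == "t" { typ = val }
        key == "n" { name = val }
        END { emit() }
    ' | LC_ALL=C sort -u
}

# Constructed sample of field output, so the function can be tried offline.
sample_lsof_fields() {
    cat <<'EOF'
p1266
crsyslogd
f4
aw
tREG
n/var/log/messages
p2200
cmyapp
f3
au
tREG
n/opt/myapp/run/app.log
f5
ar
tREG
n/var/log/messages
EOF
}

# Live use: sudo lsof -F pcfatn 2>/dev/null | open_logs_from_lsof
```

In the sample, the read-only descriptor that myapp holds on /var/log/messages is dropped, so only writers are reported.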


How to View System Log Files in Linux

This article will explain how to view various log files scattered throughout the Linux file system. Log files are useful for finding out system anomalies and can help in developing fixes for them. All the commands listed below are tested in Ubuntu 20.04 LTS version, but they should work in other Linux distributions as well. In case you are not able to find certain log files, you can use the “Locate” command, which can be installed in your system through the package manager.


GNOME Logs

GNOME Logs is a graphical log viewer shipped by default in most GNOME Shell based Linux distributions. It shows all logs generated for systemd journals. Systemd manages all services running on your system and it is responsible for starting, stopping and monitoring various services that are launched at boot. GNOME Logs neatly categorises logs in various headings and you can export these logs to text files. It also allows you to search and refine log messages using various filters.

To install GNOME Logs in Ubuntu, run the command below:

You can install GNOME Logs in other Linux distributions by searching for it in the package manager shipped with your distribution. Alternatively, you can compile it from source code.

Linux Kernel Logs

To view kernel logs in terminal, run the command below:

You can also open the log file in any text editor of your choice. The screenshot above shows the usage of “tail” command after the pipe symbol. It ensures that only the last few lines are shown as the output (two lines in this case).

To view kernel logs for previous boot, run the command below:

X11 Logs

Logs for X11 Xorg display server can be found at two locations depending on your Linux distribution. The logs can be located at either “/var/log/” or “$HOME/.local/share/xorg/” directories. You can find correct location of Xorg log files by running the command below:

The “0” part in the file name denotes identification number for the connected monitor. If you have only one display connected to your system, the file name should be “Xorg.0.log”. In case of multi-monitor setups, multiple log files will be recorded, one for each monitor. For instance, in multi-monitor setups, file names could be “Xorg.0.log”, “Xorg.1.log” and so on.


To view these logs using “less” command, use the following command:

“Less” command shortens terminal output and allows you to interactively navigate to the next line of the terminal output using key.

Dmesg

Dmesg prints kernel log messages or “ring buffer” of the Linux kernel. It is used to examine and debug all the output generated by the kernel, especially messages related to connected hardware and their drivers.

Run the following commands to view dmesg log:

You can check all command line arguments for dmesg by running the following command in a terminal:

Boot Messages

To view boot messages log, run the command below:

To view logs for previous boot, run the command below:

System Logs

System log files record a variety of messages useful for debugging. If you cannot find certain log messages in other files, chances are that they could be in syslog files.

To view current and previous syslog files respectively, run the following commands:

Authorization Logs

Authorization Logs or simply “Auth” logs record remote login attempts and password prompts requested by sudo command. To view these logs, use the following commands:
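An added example, not from the original article: a small filter that summarizes failed SSH password attempts per source address and failed sudo authentications per user from auth-log lines on stdin. The function names and sample lines are constructed for this illustration, and /var/log/auth.log is assumed as the Debian/Ubuntu location of the file.

```shell
#!/bin/sh
# Added example: summarise authentication failures from auth-log lines on stdin.
# Output: "ssh <source-address> <count>" and "sudo <user> <count>", sorted.
auth_failures() {
    awk '
        # sshd: "Failed password for [invalid user] NAME from ADDR port N ssh2"
        / sshd\[[0-9]+\]: Failed password for / {
            # Scan from the end: the user name is chosen by the client and may
            # itself contain "from ADDR port N", so trust only the last match.
            for (i = NF - 2; i >= 1; i--)
                if ($i == "from" && $(i + 2) == "port") { ssh[$(i + 1)]++; break }
            next
        }
        # sudo via PAM: "... authentication failure; ... ruser=X rhost=  user=NAME"
        / sudo(\[[0-9]+\])?: pam_unix\(sudo:auth\): authentication failure;/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^user=/) sudo[substr($i, 6)]++
        }
        END {
            for (a in ssh)  printf "ssh %s %d\n", a, ssh[a]
            for (u in sudo) printf "sudo %s %d\n", u, sudo[u]
        }
    ' | LC_ALL=C sort
}

# Constructed sample lines (documentation address ranges), for offline runs.
sample_auth_log() {
    cat <<'EOF'
Jan 10 12:00:01 host1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 10 12:00:03 host1 sshd[2101]: Failed password for root from 203.0.113.5 port 51236 ssh2
Jan 10 12:00:09 host1 sshd[2107]: Failed password for invalid user x from 10.0.0.1 port 1 from 198.51.100.7 port 40022 ssh2
Jan 10 12:01:00 host1 sshd[2110]: Accepted password for alice from 192.0.2.10 port 50000 ssh2
Jan 10 12:05:00 host1 sudo: pam_unix(sudo:auth): authentication failure; logname=alice uid=1000 euid=0 tty=/dev/pts/0 ruser=alice rhost=  user=alice
EOF
}

# Live use (assumed path): sudo cat /var/log/auth.log | auth_failures
```

The third sample line carries a user name crafted to look like a source address; scanning from the end of the line attributes the attempt to 198.51.100.7 rather than 10.0.0.1.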

Login Logs

“Faillog” records failed login attempts while “Lastlog” shows information about last login. Run the following commands to see login records:

Third Party Application Logs

User installed third party applications do not have root access. In case they are recording any logs, they should be in the directory of the executable file or at the following locations:

Conclusion

Examining various log files can help in debugging system freeze and crash issues, especially when new and unsupported hardware is present in the PC. These log files are also useful for finding out security breaches or security loopholes if there are any. If you are getting unexpected behavior from software installed on your system or frequent reboots and crashes, the first thing you should do is to examine various system log files.

About the author

Nitesh Kumar

I am a freelancer software developer and content writer who loves Linux, open source software and the free software community.
