Your VPS is experiencing issues: slow performance, mysterious errors, failed logins, or unexpected behavior. The answers you need are almost always hiding in your log files - you just need to know where to look and what to look for.
Log files are your server's diary, recording every significant event, error, warning, and transaction. They're essential for troubleshooting, security monitoring, performance optimization, and compliance. Yet most VPS administrators don't know where logs are stored or how to effectively read them.
This comprehensive guide will teach you everything about VPS log files: their locations, how to read them efficiently, troubleshooting techniques, log management, and best practices.
Linux Log File System Basics
On Linux systems (Ubuntu, Debian, CentOS, RHEL), most log files are stored in /var/log/. This directory is the central repository for system and application logs.
The /var/log Directory Structure
ls -lh /var/log/
You'll see many log files and directories. Here's what matters most:
Essential System Log Files
1. /var/log/syslog (Ubuntu/Debian) or /var/log/messages (CentOS/RHEL)
What it contains: General system activity, kernel messages, service starts/stops
When to check: System crashes, boot issues, general system problems
# View the last 50 lines
tail -n 50 /var/log/syslog
# Follow log in real-time
tail -f /var/log/syslog
# Search for specific error
grep -i "error" /var/log/syslog
2. /var/log/auth.log (Ubuntu/Debian) or /var/log/secure (CentOS/RHEL)
What it contains: Authentication attempts, sudo commands, SSH logins
When to check: Security incidents, failed login attempts, unauthorized access
# View recent authentication events
tail -n 100 /var/log/auth.log
# Find failed SSH login attempts
grep "Failed password" /var/log/auth.log
# Find successful SSH logins (password and public-key)
grep "Accepted" /var/log/auth.log
# Check who used sudo
grep "sudo" /var/log/auth.log
3. /var/log/kern.log
What it contains: Kernel messages, hardware issues, driver problems
When to check: Hardware errors, kernel panics, driver issues
tail -f /var/log/kern.log
# Check for out-of-memory errors
grep -i "out of memory" /var/log/kern.log
# Check for disk errors
grep -i "I/O error" /var/log/kern.log
4. /var/log/dmesg
What it contains: Boot messages, hardware detection
When to check: Boot problems, hardware not recognized
# View boot messages
dmesg | less
# View with human-readable timestamps
dmesg -T
# Check for errors
dmesg | grep -i error
Web Server Log Files
Nginx Logs
Default locations:
- Access log: /var/log/nginx/access.log
- Error log: /var/log/nginx/error.log
- Site-specific: /var/log/nginx/yourdomain.com-access.log
Reading Nginx Access Log
Access log format (default):
192.168.1.100 - - [18/Jan/2025:10:30:45 +0000] "GET /index.php HTTP/1.1" 200 5432 "https://example.com" "Mozilla/5.0..."
Breaking it down:
- 192.168.1.100 - Visitor's IP address
- [18/Jan/2025:10:30:45 +0000] - Timestamp
- "GET /index.php HTTP/1.1" - HTTP method, requested file, protocol
- 200 - HTTP status code (200 = success)
- 5432 - Response size in bytes
- "https://example.com" - Referrer
- "Mozilla/5.0..." - User agent (browser)
Common Nginx Troubleshooting Commands
# Find 404 errors
grep " 404 " /var/log/nginx/access.log
# Find 500 errors (server errors)
grep " 500 " /var/log/nginx/access.log
# Top 10 most visited pages
awk '{print $7}' /var/log/nginx/access.log | sort | uniq -c | sort -rn | head -10
# Top 10 IP addresses
awk '{print $1}' /var/log/nginx/access.log | sort | uniq -c | sort -rn | head -10
# Check error log for PHP errors
tail -f /var/log/nginx/error.log
# Find slow requests
grep "upstream timed out" /var/log/nginx/error.log
Apache Logs
Default locations:
- Access log: /var/log/apache2/access.log (Debian/Ubuntu)
- Error log: /var/log/apache2/error.log
- RHEL/CentOS: /var/log/httpd/
# Monitor Apache errors in real-time
tail -f /var/log/apache2/error.log
# Find PHP fatal errors
grep "PHP Fatal error" /var/log/apache2/error.log
# Check access log for specific IP
grep "192.168.1.100" /var/log/apache2/access.log
Database Log Files
MySQL/MariaDB Logs
Error log location (check your my.cnf):
# Usually at:
/var/log/mysql/error.log
# View MySQL errors
sudo tail -f /var/log/mysql/error.log
# Check MySQL configuration for log location (settings may live in included files)
sudo grep -r "log_error" /etc/mysql/
Enable MySQL Slow Query Log
Essential for performance troubleshooting:
# Edit MySQL config
sudo nano /etc/mysql/mysql.conf.d/mysqld.cnf
# Add these lines:
slow_query_log = 1
slow_query_log_file = /var/log/mysql/slow-query.log
long_query_time = 2 # Log queries taking longer than 2 seconds
# Restart MySQL
sudo systemctl restart mysql
# Monitor slow queries
tail -f /var/log/mysql/slow-query.log
PostgreSQL Logs
# Default location
/var/log/postgresql/postgresql-15-main.log
# View PostgreSQL logs
sudo tail -f /var/log/postgresql/postgresql-15-main.log
Application-Specific Logs
PHP Logs
Location depends on configuration:
# Check PHP error log location
php -i | grep error_log
# Common locations:
/var/log/php-fpm/error.log
/var/log/php8.3-fpm.log
# For WordPress (if WP_DEBUG is enabled):
/var/www/yourdomain.com/wp-content/debug.log
SSH Logs
SSH logs are in /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (RHEL/CentOS):
# Monitor SSH connections in real-time
sudo tail -f /var/log/auth.log | grep sshd
# Find failed SSH login attempts
grep "Failed password" /var/log/auth.log | tail -20
# Find successful SSH logins
grep "Accepted" /var/log/auth.log | tail -20
# Find all login attempts from a specific IP
grep "192.168.1.100" /var/log/auth.log
Firewall Logs (UFW)
# UFW logs are in syslog with [UFW] prefix
sudo grep UFW /var/log/syslog
# View recent blocked connections
sudo grep "UFW BLOCK" /var/log/syslog | tail -20
Advanced Log Reading Techniques
Using journalctl (systemd systems)
Modern Linux distributions use systemd, which provides journalctl - a powerful tool for querying logs:
# View all logs
journalctl
# View logs for specific service
journalctl -u nginx.service
journalctl -u mysql.service
# Follow logs in real-time
journalctl -u nginx -f
# Show logs since last boot
journalctl -b
# Show logs from last hour
journalctl --since "1 hour ago"
# Show logs from specific date
journalctl --since "2025-01-18 10:00:00"
# Show only errors
journalctl -p err
# Combine filters
journalctl -u nginx -p err --since "1 hour ago"
Power Tools for Log Analysis
1. grep - Search for Patterns
# Case-insensitive search
grep -i "error" /var/log/syslog
# Show 5 lines before and after match
grep -C 5 "error" /var/log/syslog
# Search multiple files
grep "error" /var/log/nginx/*.log
# Count occurrences (spaces keep the match on the status field)
grep -c " 404 " /var/log/nginx/access.log
# Invert match (show lines NOT containing pattern)
grep -v " 200 " /var/log/nginx/access.log
2. awk - Extract Specific Fields
# Extract IP addresses from access log
awk '{print $1}' /var/log/nginx/access.log
# Extract requested URLs
awk '{print $7}' /var/log/nginx/access.log
# Extract status codes
awk '{print $9}' /var/log/nginx/access.log
# Count requests by status code
awk '{print $9}' /var/log/nginx/access.log | sort | uniq -c
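
Whitespace splitting only puts the status code in $9 when the request line has exactly three tokens; malformed requests shift it. The added example below (not from the original guide; function names and sample lines are constructed) splits on the double quotes around the request instead, which works for nginx because it logs a literal quote inside the request as \x22.

```shell
#!/usr/bin/env bash
# Added example: count status codes by splitting on the quotes that delimit
# the request instead of trusting whitespace field 9. Sample lines are constructed.
sample_access_log() {
cat <<'EOF'
192.168.1.100 - - [18/Jan/2025:10:30:45 +0000] "GET /index.php HTTP/1.1" 200 5432 "https://example.com" "Mozilla/5.0"
192.168.1.101 - - [18/Jan/2025:10:30:46 +0000] "GET /missing page.html HTTP/1.1" 400 162 "-" "Mozilla/5.0"
192.168.1.102 - - [18/Jan/2025:10:30:47 +0000] "-" 400 0 "-" "-"
192.168.1.100 - - [18/Jan/2025:10:30:48 +0000] "POST /login.php HTTP/1.1" 500 0 "-" "curl/8.0"
EOF
}

# status_counts: reads combined-format lines on stdin, prints "<status> <count>".
# Lines whose status cannot be located are counted as "unparsed" rather than
# silently landing in the wrong bucket.
status_counts() {
    awk -F'"' '
        NF >= 3 {
            # With " as the separator, $2 is the request and $3 is " 200 5432 "
            split($3, after, " ")
            if (after[1] ~ /^[1-5][0-9][0-9]$/) { count[after[1]]++; next }
        }
        { count["unparsed"]++ }
        END { for (s in count) print s, count[s] }
    ' | sort
}

sample_access_log | status_counts
```

On the same four lines, `awk '{print $9}'` yields a real status code for only two of them.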
3. tail & head
# View last 100 lines
tail -n 100 /var/log/syslog
# Follow log in real-time
tail -f /var/log/nginx/error.log
# View first 50 lines
head -n 50 /var/log/syslog
4. less - Navigate Large Log Files
# Open log file with less
less /var/log/syslog
# Keyboard shortcuts in less:
# Space - Page down
# b - Page up
# / - Search forward
# ? - Search backward
# n - Next search result
# G - Jump to end
# g - Jump to beginning
# q - Quit
Log Management Without Terminal Complexity
Analyzing logs with command-line tools is powerful but time-consuming. VPS Commander provides a user-friendly interface to view, search, and monitor all your VPS logs in real-time - no terminal commands required. Get instant alerts for errors and visualize log patterns with intuitive dashboards.
Troubleshooting with Logs: Common Scenarios
Scenario 1: Website is Slow
# Check Nginx for slow requests
grep "upstream timed out" /var/log/nginx/error.log
# Check MySQL slow query log
tail -50 /var/log/mysql/slow-query.log
# Check current system load (load averages are not written to syslog by default)
uptime
# Check for out-of-memory errors
grep -i "out of memory" /var/log/syslog
Scenario 2: Cannot Connect to Server
# Check SSH service status
systemctl status sshd
# Check SSH logs for connection issues
grep "sshd" /var/log/auth.log | tail -20
# Check firewall logs
grep "UFW BLOCK" /var/log/syslog | tail -20
# Check if port is listening
ss -tlnp | grep :22
Scenario 3: Website Returns 502 Bad Gateway
# Check Nginx error log
tail -50 /var/log/nginx/error.log
# Check PHP-FPM status
systemctl status php8.3-fpm
# Check PHP-FPM error log
tail -50 /var/log/php8.3-fpm.log
# Check if PHP-FPM socket exists
ls -la /var/run/php/php8.3-fpm.sock
Scenario 4: Potential Security Breach
# Check failed SSH login attempts
grep "Failed password" /var/log/auth.log | wc -l
# Find IPs with most failed attempts
grep "Failed password" /var/log/auth.log | awk '{print $(NF-3)}' | sort | uniq -c | sort -rn
# Check successful logins from unusual IPs (password and public-key)
grep -E "Accepted (password|publickey)" /var/log/auth.log
# Check sudo usage
grep "sudo" /var/log/auth.log
# Check new user accounts created
grep "useradd" /var/log/auth.log
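
The Scenario 4 checks combined into one pass, as an added example that is not part of the original guide: it counts failed passwords per source IP and marks any IP that also logged in successfully after failing. The function names, the threshold argument and the sample log lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original article). Sample lines are constructed.
sample_auth_log() {
cat <<'EOF'
Jan 18 10:30:01 vps sshd[1201]: Failed password for root from 203.0.113.7 port 40122 ssh2
Jan 18 10:30:03 vps sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 40124 ssh2
Jan 18 10:30:05 vps sshd[1203]: Failed password for deploy from 203.0.113.7 port 40130 ssh2
Jan 18 10:30:09 vps sshd[1207]: Accepted password for deploy from 203.0.113.7 port 40136 ssh2
Jan 18 10:31:00 vps sshd[1210]: Failed password for root from 198.51.100.9 port 51000 ssh2
Jan 18 10:32:00 vps sshd[1215]: Accepted publickey for alice from 192.0.2.10 port 52000 ssh2: RSA SHA256:constructed
EOF
}

# ssh_failure_report MIN: reads auth.log lines on stdin and prints
# "<ip> <failures> <verdict>" for every IP with at least MIN failed passwords.
ssh_failure_report() {
    awk -v min="$1" '
        # Source IP = token after the LAST "from". The username is chosen by the
        # client, so an earlier "from" in the line cannot be trusted.
        function src_ip(   i) {
            for (i = NF - 1; i >= 1; i--) if ($i == "from") return $(i + 1)
            return ""
        }
        /sshd\[[0-9]+\]: Failed password for / {
            ip = src_ip(); if (ip != "") fails[ip]++
        }
        /sshd\[[0-9]+\]: Accepted (password|publickey) for / {
            ip = src_ip()
            # A success only matters here if this IP failed earlier in the log.
            if (ip in fails) success[ip] = 1
        }
        END {
            for (ip in fails) {
                if (fails[ip] < min) continue
                verdict = (ip in success) ? "LOGIN_AFTER_FAILURES" : "FAILED_ONLY"
                print ip, fails[ip], verdict
            }
        }
    ' | sort
}

sample_auth_log | ssh_failure_report 3
```

Against a real server, feed it the file directly, for example `ssh_failure_report 5 < /var/log/auth.log`; a LOGIN_AFTER_FAILURES line is the one to investigate first.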
Log Rotation and Management
Logs can grow enormous and fill your disk. Linux uses logrotate to manage log sizes automatically.
Check Logrotate Configuration
# Main config
cat /etc/logrotate.conf
# Service-specific configs
ls -la /etc/logrotate.d/
# Nginx logrotate config
cat /etc/logrotate.d/nginx
Example Logrotate Configuration
/var/log/nginx/*.log {
    # Rotate daily
    daily
    # Don't error if log file is missing
    missingok
    # Keep 14 days of logs
    rotate 14
    # Compress old logs
    compress
    # Don't compress the most recent log
    delaycompress
    # Don't rotate if log is empty
    notifempty
    create 0640 www-data adm
    sharedscripts
    postrotate
        [ -f /var/run/nginx.pid ] && kill -USR1 `cat /var/run/nginx.pid`
    endscript
}
Manually Trigger Log Rotation
# Force log rotation
sudo logrotate -f /etc/logrotate.conf
# Test logrotate config
sudo logrotate -d /etc/logrotate.conf
Monitor Log File Sizes
# Check /var/log directory size
du -sh /var/log/
# Show largest log files
du -h /var/log/* | sort -rh | head -10
# Find logs larger than 100MB
find /var/log -type f -size +100M -exec ls -lh {} \;
Log Monitoring and Alerting
Simple Email Alert Script
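#!/bin/bash
# Save as /usr/local/bin/log-alert.sh
LOG_FILE="/var/log/nginx/error.log"
KEYWORD="error"
EMAIL="your@email.com"
# State is kept outside world-writable /var/tmp so other local users cannot pre-create or symlink it
STATE_FILE="/var/lib/log-alert/offset"
mkdir -p "$(dirname "$STATE_FILE")"
# Byte offset reached at the last check (0 on the first run or if the saved value is not a number)
LAST_OFFSET=$(cat "$STATE_FILE" 2>/dev/null)
case "$LAST_OFFSET" in ''|*[!0-9]*) LAST_OFFSET=0 ;; esac
# If the log was rotated it is now smaller than the saved offset: start from the top
CURRENT_SIZE=$(stat -c %s "$LOG_FILE") || exit 1
if [ "$CURRENT_SIZE" -lt "$LAST_OFFSET" ]; then
    LAST_OFFSET=0
fi
# Find new errors since last check (only the bytes appended since then, so old errors are not re-sent)
NEW_ERRORS=$(tail -c +"$((LAST_OFFSET + 1))" "$LOG_FILE" | head -c "$((CURRENT_SIZE - LAST_OFFSET))" | grep -i "$KEYWORD")
if [ -n "$NEW_ERRORS" ]; then
    echo "$NEW_ERRORS" | mail -s "New Errors Detected on Server" "$EMAIL"
fi
# Update the saved offset
echo "$CURRENT_SIZE" > "$STATE_FILE"
# Make the script executable
chmod +x /usr/local/bin/log-alert.sh
# Run every hour via cron
crontab -e
# Add:
0 * * * * /usr/local/bin/log-alert.sh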
Professional Log Monitoring Tools
1. GoAccess (Real-time Web Log Analyzer)
# Install
sudo apt install goaccess -y
# Analyze Nginx logs in real-time
goaccess /var/log/nginx/access.log -o /var/www/html/report.html --log-format=COMBINED --real-time-html
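# Access report at: http://your-server-ip/report.html
# The report exposes visitor IPs and requested URLs, so restrict access to it (for example with HTTP auth or an IP allow list)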
2. Logwatch (Daily Log Summary)
# Install
sudo apt install logwatch -y
# Generate and email daily report
sudo logwatch --output mail --mailto your@email.com --detail high
3. ELK Stack (Enterprise Solution)
Elasticsearch, Logstash, Kibana - industry standard for centralized log management. Best for managing multiple servers.
Log Security Best Practices
- Restrict log file permissions:
sudo chmod 640 /var/log/auth.log
sudo chown root:adm /var/log/auth.log
- Enable remote logging: Send logs to a separate server so attackers can't delete evidence
- Monitor log integrity: Use tools like AIDE or Tripwire to detect tampering
- Encrypt logs: Especially if containing sensitive data
- Retain logs for compliance: Many regulations require 90-365 days of log retention
Quick Reference: Essential Log Locations
| Log Type | Location |
|---|---|
| System (Ubuntu/Debian) | /var/log/syslog |
| System (RHEL/CentOS) | /var/log/messages |
| Authentication | /var/log/auth.log or /var/log/secure |
| Nginx Access | /var/log/nginx/access.log |
| Nginx Error | /var/log/nginx/error.log |
| Apache Access | /var/log/apache2/access.log |
| Apache Error | /var/log/apache2/error.log |
| MySQL | /var/log/mysql/error.log |
| PHP-FPM | /var/log/php-fpm/error.log |
| Kernel | /var/log/kern.log |
Conclusion
Log files are your most powerful tool for understanding what's happening on your VPS. They're essential for troubleshooting, security monitoring, performance optimization, and maintaining a healthy server.
Master these fundamentals:
- Know where key log files are located (/var/log/)
- Use tail -f to monitor logs in real-time
- Combine grep, awk, and sort for powerful analysis
- Set up log rotation to manage disk space
- Implement monitoring and alerting for critical errors
1. Find all 404 errors in your web server logs from the last 24 hours
2. Identify the top 5 IP addresses accessing your server
3. Check for any failed SSH login attempts
4. Verify your logs are being rotated properly
The more comfortable you become with logs, the faster you'll solve problems.