
Where Are Linux System Logs Stored? /var/log Explained (Ubuntu, RHEL)

Linux system logs live in /var/log. Ubuntu/Debian write to /var/log/syslog and /var/log/auth.log; RHEL/CentOS use /var/log/messages and /var/log/secure. Exact paths, tail commands, and rotation below.

9 min read. Updated June 2026.


On most Linux distributions system logs are stored under /var/log. On Ubuntu and Debian the general system log is /var/log/syslog and authentication events are in /var/log/auth.log. On RHEL, CentOS, Rocky, AlmaLinux, and Fedora the general log is /var/log/messages and authentication events are in /var/log/secure. Kernel messages are available via dmesg and (on systemd systems) through the binary journal at /var/log/journal, read with journalctl.

Quick Reference: Linux Log File Paths

Log content                    | Debian / Ubuntu                  | RHEL / CentOS / Rocky / Alma / Fedora
General system messages        | /var/log/syslog                  | /var/log/messages
Authentication / sudo / SSH    | /var/log/auth.log                | /var/log/secure
Kernel ring buffer (persisted) | /var/log/kern.log                | (in /var/log/messages)
Boot messages                  | /var/log/boot.log                | /var/log/boot.log
systemd journal (binary)       | /var/log/journal/                | /var/log/journal/
Cron job execution             | /var/log/syslog (grep CRON)      | /var/log/cron
Package manager (apt)          | /var/log/apt/history.log         | -
Package manager (dnf/yum)      | -                                | /var/log/dnf.log, /var/log/yum.log
Mail server (postfix)          | /var/log/mail.log                | /var/log/maillog
Apache access/error            | /var/log/apache2/                | /var/log/httpd/
Nginx access/error             | /var/log/nginx/                  | /var/log/nginx/
Failed login binary log        | /var/log/btmp                    | /var/log/btmp
Last logins binary log         | /var/log/wtmp, /var/log/lastlog  | /var/log/wtmp, /var/log/lastlog

The split exists because Debian and RHEL ship different default rsyslog rule sets. The log content is the same; only the file names differ.

How to View and Tail Linux Logs

Most files under /var/log are plain text and need root (or sudo) to read.

# Follow the main system log live (Ubuntu/Debian)
sudo tail -f /var/log/syslog

# Follow the main system log live (RHEL/CentOS)
sudo tail -f /var/log/messages

# Last 200 lines of authentication log (Debian/Ubuntu)
sudo tail -n 200 /var/log/auth.log

# Failed SSH logins (RHEL/CentOS)
sudo grep "Failed password" /var/log/secure

# Kernel ring buffer with human-readable timestamps
dmesg -T

# Search for a specific service across the system log
sudo grep -i "nginx" /var/log/syslog

On any systemd-based distro you can skip the text files entirely and query the journal:

journalctl              # everything, oldest first
journalctl -f           # follow live (like tail -f)
journalctl -b           # current boot only
journalctl -k           # kernel messages (equivalent to dmesg)
journalctl -p err       # priority "error" and above
journalctl -u sshd      # one unit's logs (the unit is named ssh on Debian/Ubuntu)
journalctl --since "1 hour ago"

Who Writes These Files: rsyslog and the Journal

Two systems usually run in parallel:

  • systemd-journald captures everything (stdout/stderr of every unit, kernel, syslog API) into its binary journal first.
  • rsyslog (or syslog-ng) reads from the journal or /dev/log and writes the human-readable text files under /var/log.

The routing rules live in /etc/rsyslog.conf and /etc/rsyslog.d/*.conf. A rule maps a facility and priority to a file. For example, the default Debian rule for auth:

auth,authpriv.*    /var/log/auth.log

To change where a facility logs, edit the file path on the right side and restart rsyslog:

sudo systemctl restart rsyslog

To find which file a given facility currently goes to, grep the config:

grep -rE "/var/log" /etc/rsyslog.conf /etc/rsyslog.d/
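
Added example (not part of the original article or of rsyslog): the grep above lists every line that mentions /var/log, but not which rules actually select a facility, so this evaluates legacy single-line selector rules, including .none exclusions such as *.*;auth,authpriv.none. The function names and the sample rules are constructed for illustration; RainerScript rules and backslash-continued lines are not handled.

```bash
#!/usr/bin/env bash
# List the files a syslog facility is written to, from legacy selector rules
# ("facility.priority  action") in rsyslog config files.
# Usage: rsyslog_files_for FACILITY CONFIG_FILE...
rsyslog_files_for() {
    local fac="$1"; shift
    awk -v fac="$fac" '
        $1 ~ /^[#$]/ { next }                 # comments and $Directives
        NF >= 2 && $2 ~ /^-?\// {             # action is a file path
            selected = 0
            n = split($1, sels, ";")          # selectors apply left to right
            for (i = 1; i <= n; i++) {
                dot = index(sels[i], ".")
                if (dot == 0) continue
                prio = substr(sels[i], dot + 1)
                m = split(substr(sels[i], 1, dot - 1), facs, ",")
                for (j = 1; j <= m; j++)
                    if (facs[j] == "*" || facs[j] == fac)
                        selected = (prio != "none")   # .none excludes it
            }
            if (selected) { sub(/^-/, "", $2); print $2 }
        }
    ' "$@"
}

# Constructed sample in the style of a Debian rule file (not read from a host).
demo_rsyslog() {
    local conf; conf=$(mktemp)
    cat > "$conf" <<'EOF'
# constructed sample rules
auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
kern.*                          -/var/log/kern.log
#cron.*                         /var/log/cron.log
EOF
    echo "auth: $(rsyslog_files_for auth "$conf" | tr '\n' ' ')"
    echo "cron: $(rsyslog_files_for cron "$conf" | tr '\n' ' ')"
    rm -f -- "$conf"
}
if [ "${1:-}" = demo ]; then demo_rsyslog; fi
```

On a real host, pass /etc/rsyslog.conf and the files in /etc/rsyslog.d/ as the config arguments.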

If a distro only runs journald (no rsyslog installed at all), there will be no text files in /var/log for system messages — everything is in the journal. Check with systemctl status rsyslog.

Log Rotation

Text logs in /var/log are rotated by logrotate, run daily via cron or a systemd timer (logrotate.timer). Rules live in /etc/logrotate.conf and per-service files in /etc/logrotate.d/.

A typical rule keeps a few rotated, compressed copies:

/var/log/syslog {
    rotate 7
    daily
    compress
    delaycompress
    missingok
    notifempty
}

Rotated files appear as syslog.1, then syslog.2.gz, syslog.3.gz, and so on. To read a compressed rotation use zcat or zgrep:

sudo zgrep "Failed password" /var/log/auth.log.*.gz
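
Added example, not from the original article: the glob auth.log.*.gz skips the current file and the uncompressed .1 rotation, so this reads all of them, picks auth.log or secure depending on the distro family, and counts failed SSH password attempts per source address. The function names and the sample log lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Count failed SSH password attempts per source address across the current
# auth log and its rotations (auth.log.1, auth.log.2.gz, ...).

# Print the auth log for this distro family, or fail on a journald-only host.
auth_log_path() {
    local dir="${1:-/var/log}" name
    for name in auth.log secure; do          # Debian/Ubuntu, then RHEL family
        [ -e "$dir/$name" ] && { printf '%s\n' "$dir/$name"; return 0; }
    done
    return 1
}

# Print "count address" lines, most frequent first.
failed_ssh_by_source() {
    local base="$1" f
    for f in "$base" "$base".*; do
        [ -f "$f" ] || continue              # also skips an unmatched glob
        case "$f" in
            *.gz) gzip -dc -- "$f" ;;
            *)    cat -- "$f" ;;
        esac
    done | awk '
        /sshd[^ ]*: Failed password for / {
            # The user name is client-supplied text and may itself contain
            # " from ...", so take the address after the LAST "from".
            for (i = NF; i > 1; i--)
                if ($(i-1) == "from") { hits[$i]++; break }
        }
        END { for (ip in hits) print hits[ip], ip }
    ' | LC_ALL=C sort -k1,1nr -k2,2
}

# Constructed sample (not real traffic): a current log and one gzip rotation.
demo_failed_ssh() {
    local d; d=$(mktemp -d)
    printf '%s\n' \
      'Jun  2 10:00:01 web1 sshd[811]: Failed password for invalid user admin from 203.0.113.5 port 41122 ssh2' \
      'Jun  2 10:00:09 web1 sshd[815]: Accepted password for alice from 198.51.100.7 port 50212 ssh2' \
      > "$d/auth.log"
    printf '%s\n' \
      'Jun  1 09:00:00 web1 sshd[640]: Failed password for root from 203.0.113.5 port 40001 ssh2' \
      'Jun  1 09:00:04 web1 sshd[641]: Failed password for invalid user x from 192.0.2.1 from 198.51.100.20 port 40002 ssh2' \
      | gzip -c > "$d/auth.log.2.gz"
    failed_ssh_by_source "$(auth_log_path "$d")"
    rm -rf -- "$d"
}
if [ "${1:-}" = demo ]; then demo_failed_ssh; fi
```

On a real host, run the functions as root or as a member of the adm group so the log files are readable.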

Force a rotation manually (useful for testing):

sudo logrotate -f /etc/logrotate.d/rsyslog

The systemd journal does not use logrotate — it manages its own size (see the journald article for SystemMaxUse and journalctl --vacuum-size).

Common Errors You'll Find in Linux Logs

  • Failed password for invalid user admin from 203.0.113.5 port 41122 ssh2 — an SSH brute-force attempt against a non-existent account; appears in auth.log/secure.
  • Out of memory: Killed process 1234 (java) — the kernel OOM killer terminated a process; appears in dmesg/messages and indicates memory exhaustion.
  • segfault at 0 ip ... sp ... error 4 in libc.so.6 — a process crashed with a segmentation fault; useful for pinpointing a faulty binary.
  • error: kex_exchange_identification: Connection closed by remote host — SSH handshake aborted, often a port scanner or a misconfigured client.
  • systemd[1]: Failed to start nginx.service — a unit failed to start; follow with journalctl -u nginx for the underlying cause.
  • EXT4-fs error (device sda1): ext4_lookup: ... — a filesystem error in the kernel log; often a sign of disk corruption that warrants an fsck.

Troubleshooting: Logs Missing or Empty

  • /var/log/syslog does not exist — You're on a RHEL-family distro; look in /var/log/messages instead, or your distro ships journald-only with no rsyslog.
  • Files exist but stay empty — rsyslog may not be running. Check systemctl status rsyslog and restart it. Also confirm the facility rule in /etc/rsyslog.d/ matches what the service emits.
  • Permission denied reading the file — These files are root-owned (often mode 640, group adm or root). Use sudo, or add your user to the adm group on Debian/Ubuntu.
  • /var/log is full / disk at 100% — A runaway log can fill the partition, after which new entries silently drop. Check with du -sh /var/log/* and verify logrotate is running (systemctl status logrotate.timer).
  • journalctl shows logs but text files are empty — Expected when rsyslog isn't installed. Either install/enable rsyslog or just use journalctl going forward.
  • Timestamps look wrong — The journal stores UTC internally; journalctl displays in local time by default. Use journalctl --utc to compare against text logs that may be in a different zone.

Frequently Asked Questions


On Ubuntu and Debian the general-purpose system log is /var/log/syslog. On RHEL, CentOS, Rocky, AlmaLinux, and Fedora it is /var/log/messages. Both contain kernel, service, and application messages routed through syslog (rsyslog or syslog-ng).

RHEL-family distributions don't create /var/log/syslog by default. They write the equivalent general log to /var/log/messages and authentication events to /var/log/secure. If you want a syslog file you can add a rule to /etc/rsyslog.d/ pointing the relevant facilities at /var/log/syslog and restart rsyslog.

On Debian/Ubuntu, login, sudo, and SSH authentication events go to /var/log/auth.log. On RHEL/CentOS the same events go to /var/log/secure. These files are the first place to check for failed logins, brute-force attempts, and sudo usage.

Run dmesg to see the kernel ring buffer (driver, hardware, and boot messages). Many distros also persist kernel messages to /var/log/kern.log (Debian/Ubuntu). For boot-specific output use journalctl -b if systemd-journald is present.

Traditional syslog files under /var/log (syslog, messages, auth.log, secure) are plain text and readable with cat, less, grep, and tail. The systemd journal under /var/log/journal is a binary format that you read with journalctl, not text tools.
