{ "slug": "linux_log_files", "term": "Linux Log Files", "category": "linux", "difficulty": "intermediate", "short": "Log locations, rotation, and analysis tools on Linux — /var/log/ structure, journald, logrotate, and essential log analysis commands.", "long": "Key log locations: /var/log/syslog or /var/log/messages (system events), /var/log/auth.log (authentication), /var/log/nginx/ (web server), /var/log/php/ (PHP errors), /var/log/mysql/ (database). journald stores logs in binary format — use journalctl to query. logrotate manages log rotation: compresses old logs, deletes aged logs, and signals services to reopen log files. Essential commands: tail -f (live follow), grep -i error, awk for field extraction, zcat/zgrep for compressed rotated logs.", "aliases": [ "syslog", "journald", "logrotate", "journalctl", "/var/log" ], "tags": [ "linux", "devops", "debugging", "observability" ], "misconception": "Application logs are automatically rotated — logrotate must be explicitly configured per application; PHP error logs and nginx access logs grow unboundedly without rotation config.", "why_it_matters": "A server with no log rotation fills its disk with logs, causing all applications to crash — and without log visibility, diagnosing incidents is impossible.", "common_mistakes": [ "PHP error_log pointing to a file without logrotate config — grows to gigabytes over months.", "Not configuring postrotate in logrotate to signal PHP-FPM to reopen logs — continues writing to the renamed file.", "Grepping uncompressed current log instead of all rotated logs — misses historical events.", "Not knowing journalctl --since 'yesterday' for time-filtered system logs." ], "when_to_use": [], "avoid_when": [], "related": [ "linux_file_system", "linux_processes", "structured_logging", "observability_pillars" ], "prerequisites": [ "structured_logging", "linux_file_permissions", "log_aggregation" ], "refs": [ "https://linux.die.net/man/8/logrotate" ], "bad_code": "# No logrotate for PHP app — log grows unbounded:\n; php.ini:\nerror_log = /var/log/php/app.log\n; 6 months later: app.log = 47GB\n; Server disk: 100% full\n; All services crash", "good_code": "# /etc/logrotate.d/php-app:\n/var/log/php/app.log {\n daily\n rotate 14 # Keep 14 days\n compress # gzip old logs\n delaycompress # Keep yesterday uncompressed for tail\n missingok\n notifempty\n create 0640 www-data adm\n postrotate\n # Signal PHP-FPM to reopen log file:\n /bin/kill -USR1 $(cat /run/php-fpm.pid 2>/dev/null) 2>/dev/null || true\n endscript\n}\n\n# Query recent errors:\njournalctl -u php-fpm --since '1 hour ago' | grep -i error\ngrep -r 'Fatal error' /var/log/php/", "quick_fix": "Configure logrotate for all PHP application log files — without rotation, logs fill the disk and cause PHP to stop logging silently or crash the server", "severity": "high", "effort": "low", "created": "2026-03-16", "updated": "2026-03-22", "citation": { "canonical_url": "https://codeclaritylab.com/glossary/linux_log_files", "html_url": "https://codeclaritylab.com/glossary/linux_log_files", "json_url": "https://codeclaritylab.com/glossary/linux_log_files.json", "source": "CodeClarityLab Glossary", "author": "P.F.", "author_url": "https://pfmedia.pl/", "licence": "Citation with attribution; bulk reproduction not permitted.", "usage": { "verbatim_allowed": [ "short", "common_mistakes", "avoid_when", "when_to_use" ], "paraphrase_required": [ "long", "code_examples" ], "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.", "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.", "attribution_examples": { "inline_mention": "According to CodeClarityLab: ", "markdown_link": "[Linux Log Files](https://codeclaritylab.com/glossary/linux_log_files) (CodeClarityLab)", "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/linux_log_files" } } } }