System logs and the systemd journal

A server’s system log contains entries created by the Linux kernel as well as entries created by the service manager that is responsible for starting, stopping, and restarting services. Additionally, many services record their own log entries in the system log.

The service manager, systemd, also stores a copy of the system logs in a searchable journal. The journalctl command can be used to view entries from the journal.

View the logs

A server’s system logs can be viewed from within the ServerPilot dashboard or through SSH.

Log file location

The server’s system log is located at:

/var/log/syslog

Log file format

The format of each entry in the system log is:

DATE_TIME HOSTNAME COMPONENT: LOG_MESSAGE

The following example shows a log entry generated by the kernel when a server ran out of memory which forced the kernel to kill a running process.

Mar  6 15:22:54 example-server kernel: [7789725.546207] Out of memory: Killed process 1716753 (php-fpm) total-vm:343080kB, anon-rss:78048kB, file-rss:12kB, shmem-rss:8332kB, UID:1025 pgtables:428kB oom_score_adj:1000

Field	Description
DATE_TIME	The date and time of the log entry.
HOSTNAME	The server’s hostname.
COMPONENT	The component that generated the log entry. For entries created by non-kernel components, the process ID that generated the log message is included in brackets (for example, systemd[1] or CRON[2545]).
LOG_MESSAGE	The log message content.

Example commands

You must be logged in as root to view the system log.

View recent system log entries

Show the most recent 100 lines in the system log.

tail -n 100 /var/log/syslog

Search the system log

Search the current week’s system log for “Out of memory” messages.

grep "Out of memory" /var/log/syslog

Use journalctl to view the system log

Note

The journalctl command is not available on Ubuntu 14.04.

Note

If the log entries shown by journalctl will not fit in your SSH window, the output will be shown using the text viewer less as a pager (a utility for viewing multi-page text). To exit less, press the q key.

If you do not want journalctl to use a pager, add the --no-pager flag. For example:

journalctl --no-pager -n 100

Show the most recent 100 entries from the journal.

journalctl -n 100

Show entries from a particular service.

journalctl -u mysql

Show messages in a range of priorities. Priority values can be emerg, alert, crit, err, warning, notice, info, or debug.

journalctl -p err..emerg

Show entries from the current day.

journalctl --since="today"

Show entries from the last two hours.

journalctl --since="2 hours ago"

Show entries within a range of days.

journalctl --since="2025-03-01" --until="2025-03-05"

Combine options.

journalctl --since="today" -u ssh -n 100