Search Logs for Errors on Linux

When something breaks on a Linux server, the answer is often already written in a log file. The trick is knowing which log to check and how to search it quickly.

This guide shows practical commands for searching Linux logs for errors using grep, tail, journalctl and zgrep, with examples for web servers, PHP, MySQL, cPanel domlogs and system logs.

Quick answer: start with grep -Ei "error|warning|failed|fatal" logfile for existing logs, tail -f logfile to watch a log live, and journalctl -p err -b for systemd service errors from the current boot.

Common Linux log locations

Log locations vary depending on the distribution and services installed, but these are common places to start:

Log type | Common location | Useful for
System messages | /var/log/messages or /var/log/syslog | General system activity and service messages.
Authentication | /var/log/secure or /var/log/auth.log | SSH logins, failed authentication and sudo activity.
Apache error log | /usr/local/apache/logs/error_log, /var/log/apache2/error.log, /var/log/httpd/error_log | Apache errors, permission issues and web server problems.
Nginx error log | /var/log/nginx/error.log | Nginx proxy, upstream and web server errors.
PHP error log | /home/user/public_html/error_log or PHP-FPM logs | PHP warnings, fatal errors and application issues.
cPanel domlogs | /usr/local/apache/domlogs/domain-ssl_log | Requests, status codes, user agents and traffic patterns.

Search a log file with grep

grep is usually the first command to reach for when searching logs. Use -E for multiple patterns and -i to ignore case.

grep -Ei "error|warning|failed|fatal|exception" app.log
Use grep -Ei to catch common error words without worrying about capitalisation.

Related: Grep Command Builder, Grep Cheat Sheet, Advanced Grep Techniques.

Watch logs live with tail -f

If you are reproducing an issue, use tail -f to watch new log lines as they appear.

tail -f /usr/local/apache/logs/error_log
tail -f /home/username/public_html/error_log
tail -f /var/log/messages
tail -f is useful when you want to trigger an issue and immediately see what the server logs.

Search compressed logs with zgrep

Older logs are often compressed as .gz files. Use zgrep to search them without extracting first.

zgrep -i "error" error_log.gz
zgrep " 500 " access.log.gz
zgrep -Ei "fatal|warning|failed" *.gz

Tip

Searching compressed logs directly is often safer than extracting large archives and accidentally filling the disk. The server will not thank you for turning a log investigation into a storage incident.

Use journalctl for systemd service errors

On many modern Linux systems, journalctl is the best way to inspect service and system logs.

journalctl -p err -b
journalctl -u nginx --since "1 hour ago"
journalctl -u php-fpm --no-pager -n 100
journalctl -p err -b shows errors from the current boot.

Search Apache and Nginx logs

Apache error log

grep -Ei "error|warn|failed|fatal" /usr/local/apache/logs/error_log
tail -f /usr/local/apache/logs/error_log

Nginx error log

grep -Ei "error|warn|failed|upstream" /var/log/nginx/error.log
tail -f /var/log/nginx/error.log

If you are using cPanel, the cPanel Domlog Guide explains access logs and domain-specific traffic analysis in more detail.

Search PHP error logs

PHP errors are often logged inside the website directory or in PHP-FPM logs depending on the server setup.

grep -Ei "fatal|parse error|warning|notice" /home/username/public_html/error_log
tail -n 100 /home/username/public_html/error_log

For WordPress sites, PHP errors may point to a plugin, theme or custom code issue. The WordPress CLI Getting Started and WP-CLI Cheat Sheet articles are useful next reads.

Search cPanel domlogs for status codes

Domlogs are access logs, so they are excellent for checking requests and HTTP status codes.

Find 500 requests

grep " 500 " /usr/local/apache/domlogs/example.com-ssl_log

Find 404 requests

grep " 404 " /usr/local/apache/domlogs/example.com-ssl_log

Top IPs

awk '{print $1}' /usr/local/apache/domlogs/example.com-ssl_log | sort | uniq -c | sort -nr | head

Status code totals

awk '{print $9}' /usr/local/apache/domlogs/example.com-ssl_log | sort | uniq -c | sort -nr
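
A caveat on the status-code searches above, shown as an added example (not code from the original guide): grep " 500 " also matches a line whose response size happens to be 500, so matching the status field with awk is more precise. The sample lines are constructed and assume the Apache combined log format, where the status is field 9 and the path is field 7; the function names are hypothetical.

```sh
#!/bin/sh
# Added example: match the status *field* of a combined-format access log.

# Constructed sample domlog lines (documentation IPs, not real traffic).
sample_domlog() {
    cat <<'EOF'
203.0.113.7 - - [12/May/2025:10:01:02 +0000] "GET /index.php HTTP/1.1" 500 1234 "-" "curl/8.0"
203.0.113.7 - - [12/May/2025:10:01:05 +0000] "GET /index.php HTTP/1.1" 500 1234 "-" "curl/8.0"
198.51.100.4 - - [12/May/2025:10:01:09 +0000] "GET /logo.png HTTP/1.1" 200 500 "-" "Mozilla/5.0"
198.51.100.4 - - [12/May/2025:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
192.0.2.10 - - [12/May/2025:10:03:11 +0000] "GET /cart HTTP/1.1" 502 0 "-" "Mozilla/5.0"
EOF
}

# count_status CODE: number of requests whose status field ($9) equals CODE.
count_status() {
    awk -v code="$1" '$9 == code { n++ } END { print n + 0 }'
}

# errors_by_ip_path: 5xx responses grouped by client IP, status and path,
# most frequent first. Output format: "count ip status path".
errors_by_ip_path() {
    awk '$9 ~ /^5[0-9][0-9]$/ { c[$1 " " $9 " " $7]++ }
         END { for (k in c) print c[k], k }' | sort -k1,1nr -k2
}

demo() {
    # The third sample line is a 200 response of 500 bytes: grep counts it.
    echo "grep ' 500 ' matches: $(sample_domlog | grep -c ' 500 ')"
    echo "status field == 500:  $(sample_domlog | count_status 500)"
    sample_domlog | errors_by_ip_path
}
demo
```

To run it against a real domlog, feed the file to the functions on standard input, for example count_status 500 < /usr/local/apache/domlogs/example.com-ssl_log.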

Useful error search patterns

Goal | Command
Common error words | grep -Ei "error|warning|failed|fatal|exception" file.log
PHP fatal errors | grep -i "PHP Fatal error" error_log
HTTP 500s | grep " 500 " access.log
Failed SSH logins | grep -i "failed password" /var/log/secure
Recent service errors | journalctl -p err -b
Compressed logs | zgrep -i "error" error_log.gz

Practical troubleshooting workflow

A sensible workflow looks like this:

  1. Identify the service or site affected.
  2. Check the most relevant recent log with tail.
  3. Search for broad terms with grep -Ei.
  4. Use context with grep -C if the matching line needs surrounding detail.
  5. Check compressed logs with zgrep if the issue happened earlier.
  6. Use journalctl for service-level or system-level errors.

For a broader troubleshooting command list, see Top 10 Linux Commands for Troubleshooting Websites.

Common mistakes when searching logs

  • Checking the wrong log: access logs and error logs answer different questions.
  • Forgetting case-insensitive search: use -i for logs.
  • Only checking live logs: older compressed logs may contain the answer.
  • Ignoring timestamps: search around the time the issue happened.
  • Reading one line in isolation: use context when needed.
  • Assuming all warnings are urgent: not every warning is the cause of the current issue.

FAQ

How do I search Linux logs for errors?

grep -Ei "error|warning|failed|fatal" /path/to/logfile

How do I watch a log file live?

tail -f /path/to/logfile

How do I search compressed logs?

zgrep -i "error" logfile.gz

How do I check system errors with journalctl?

journalctl -p err -b

Where are Apache error logs on Linux?

Common locations include /usr/local/apache/logs/error_log, /var/log/apache2/error.log and /var/log/httpd/error_log.

A useful log search workflow

# Start broad
grep -RiE "error|warning|failed|fatal|timeout" /var/log 2>/dev/null

# Narrow to one service
journalctl -u nginx -n 100 --no-pager

# Follow a log live
tail -f /var/log/messages

# Count repeated messages
grep -i "failed" app.log | sort | uniq -c | sort -nr | head

When a term appears many times, count and group the messages before reading every line by hand.
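
Raw syslog lines rarely repeat exactly because timestamps, PIDs and ports differ, so sort | uniq -c groups far better once those parts are replaced with placeholders. The added example below (not from the original guide) does that across a live log and a gzip-rotated copy, reading the .gz with gzip -dc rather than extracting it; the sample lines, file names and function names are constructed for illustration.

```sh
#!/bin/sh
# Added example: count repeated messages across live and rotated logs.

# Stream each file, decompressing .gz rotations without writing to disk.
read_logs() {
    for f in "$@"; do
        case "$f" in
            *.gz) gzip -dc "$f" ;;
            *)    cat "$f" ;;
        esac
    done
}

# Make lines that describe the same event compare equal (heuristic):
# drop the "Mon DD HH:MM:SS host " prefix, then replace the PID,
# IPv4 addresses and standalone numbers with placeholders.
normalise() {
    sed -E \
        -e 's/^[A-Z][a-z]{2} +[0-9]+ [0-9:]{8} [^ ]+ //' \
        -e 's/\[[0-9]+\]/[PID]/' \
        -e 's/[0-9]{1,3}(\.[0-9]{1,3}){3}/IP/g' \
        -e 's/ [0-9]+/ N/g'
}

# count_messages PATTERN FILE...  ->  "count message", most frequent first
count_messages() {
    pattern=$1; shift
    read_logs "$@" | grep -Ei -e "$pattern" | normalise |
        sort | uniq -c | sort -k1,1nr -k2 | sed -E 's/^ +//'
}

# Constructed sample: one live log and one gzip-rotated log.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/messages" <<'EOF'
May 12 10:01:02 web1 sshd[2211]: Failed password for root from 203.0.113.7 port 40112 ssh2
May 12 10:01:09 web1 sshd[2214]: Failed password for root from 203.0.113.7 port 40188 ssh2
May 12 10:02:30 web1 php-fpm[900]: WARNING: [pool www] child 1432 exited on signal 11
EOF
    echo 'May 11 23:59:58 web1 sshd[1999]: Failed password for root from 198.51.100.4 port 51000 ssh2' |
        gzip -c > "$dir/messages.1.gz"
    count_messages 'failed|warning' "$dir/messages" "$dir/messages.1.gz"
    rm -rf "$dir"
}
demo
```

Because normalise replaces the source address, rerun the search with the unnormalised grep once a message group stands out and you need the individual IPs or timestamps.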

Frequently Asked Questions

How do I search logs for errors on Linux?

Use grep -RiE with common terms such as error, warning, failed, fatal and timeout.

How do I view systemd service logs?

Use journalctl -u service-name, optionally with -n for the number of lines.

How do I follow a log live?

Use tail -f /path/to/logfile.

How do I count repeated log errors?

Pipe grep output through sort, uniq -c and sort -nr.
