Linux Basics

Editing Files & Reading Logs

This is where Linux skills start to matter for real work. If something breaks in production, you are almost always going to logs first. That is the single most common troubleshooting workflow in IT: something breaks, you check the logs, you find the error, you investigate. The commands on this page are what make that workflow possible.

After this page, you should be able to:

  • Edit files in the terminal using nano
  • Dump file contents quickly with cat
  • Navigate and search through large files with less
  • View the last lines of a file with tail
  • Monitor a log file in real time with tail -f
  • Use a dual-terminal workflow to watch live logs while working

Why Logs Are Your First Stop

When something goes wrong on a server — a web application returns errors, a service fails to start, a user cannot authenticate — the first thing you do is check the logs. This is not optional. This is the standard troubleshooting workflow across every IT discipline.

The pattern is always the same:

  1. Something breaks or behaves unexpectedly
  2. You SSH into the server
  3. You read the relevant log file to find error messages
  4. The error message tells you what went wrong (or at least where to look next)
  5. You investigate and fix the root cause

This applies to web servers, databases, authentication systems, networking services, cron jobs, application deployments — everything. If you cannot read and navigate log files efficiently, you cannot troubleshoot effectively. It is that simple.

Common log locations on Linux include /var/log/syslog, /var/log/auth.log, /var/log/nginx/error.log, and application-specific log files. You will encounter all of these on the job.

Creating a Realistic Log File

On a fresh VM, there is nothing interesting in the logs yet. So we will create a realistic log file to work with. This simulates what you would actually see on a server running an application.

Open a new file with nano (we will cover nano in detail in the next section):

nano app.log

Paste the following content into the editor. These are realistic log entries with timestamps, log levels (INFO, WARNING, ERROR), and messages you would actually see in a production application:

2026-04-12 08:00:01 [INFO] Application started successfully on port 8080
2026-04-12 08:00:02 [INFO] Connected to database server db-prod-01
2026-04-12 08:00:02 [INFO] Loading configuration from /etc/myapp/config.yml
2026-04-12 08:05:14 [INFO] User [email protected] logged in from 10.0.1.45
2026-04-12 08:12:33 [WARNING] Slow query detected: SELECT * FROM orders took 3200ms
2026-04-12 08:15:01 [INFO] Scheduled backup job started
2026-04-12 08:15:47 [INFO] Backup completed: 2.4GB written to /mnt/backup/daily
2026-04-12 08:22:09 [WARNING] Memory usage at 78% - approaching threshold
2026-04-12 08:30:00 [ERROR] Failed to connect to cache server redis-01: Connection refused
2026-04-12 08:30:01 [ERROR] Retrying cache connection (attempt 2 of 5)
2026-04-12 08:30:03 [INFO] Cache connection restored to redis-01
2026-04-12 08:45:22 [WARNING] SSL certificate for api.company.com expires in 14 days
2026-04-12 09:01:15 [ERROR] Disk space on /var/log at 92% - critical threshold exceeded

Save the file with Ctrl+O (then press Enter to confirm the filename), and exit with Ctrl+X. You now have a realistic log file to practice with.

nano — The Simple Text Editor

nano is a straightforward terminal text editor. Unlike vim, there are no modes to worry about. You open the file, you type, you save, you exit. That is it.

nano app.log

This opens app.log in the editor. You can immediately start typing or use the arrow keys to navigate. The bottom of the screen shows keyboard shortcuts (the ^ symbol means the Ctrl key).

The shortcuts you will use most often:

  • Ctrl+O — Save the file (“Write Out”). Press Enter to confirm the filename.
  • Ctrl+X — Exit nano. If you have unsaved changes, it will ask if you want to save.
  • Ctrl+W — Search for text in the file. Type your search term and press Enter.
  • Ctrl+K — Cut (delete) the current line. Useful for quickly removing lines.
  • Ctrl+U — Paste a previously cut line.
  • Ctrl+G — Open the help screen with all available shortcuts.

nano vs. vim:

You will hear people debate nano vs. vim endlessly. Here is the practical answer: nano is simpler and perfectly fine for quick edits on servers — editing a config file, adding a line, fixing a typo. vim is more powerful and efficient for heavy editing, but it has a steep learning curve with its modal editing system. For this lab and for most day-to-day server administration, nano is all you need. You can always learn vim later if you want to.

cat — Quick File Dump

cat (short for “concatenate”) dumps the entire contents of a file to the screen. It is the fastest way to see what is in a small file.

cat app.log

This prints every line of app.log directly to your terminal. For the 13-line log file we created, this works great — you can see everything at once.

If you want line numbers (helpful for referencing specific lines), use the -n flag:

cat -n app.log

This adds line numbers to the left of each line, making it easy to say “the error is on line 9” when communicating with teammates.

When NOT to use cat:

Do not use cat on large files. A production log file can easily be hundreds of thousands of lines. Running cat on a 500MB log file will flood your terminal with text, potentially freeze your SSH session, and tell you nothing useful. For anything larger than a screenful of text, use less or tail instead.

less — The Log Explorer

less opens a file in a scrollable, searchable viewer. Unlike cat, it does not dump everything to the screen at once. It loads the file and lets you navigate through it at your own pace.

less app.log

Once inside less, you can navigate with these controls:

  • Arrow keys or j/k — Scroll up and down one line at a time
  • Page Up / Page Down or Space — Scroll by full screen
  • g — Jump to the top of the file
  • G (Shift+g) — Jump to the bottom of the file
  • /pattern — Search forward for “pattern.” Type /ERROR and press Enter to find all error lines.
  • n — Jump to the next search match
  • N (Shift+n) — Jump to the previous search match
  • q — Quit and return to the terminal

Try it: open app.log with less, then type /ERROR and press Enter. You will jump directly to the first error line. Press n to cycle through each error. This is dramatically faster than scrolling through thousands of lines by hand.

Why less is better than cat for real logs: A production syslog file might have 50,000+ lines. cat would dump all of them to your screen. less lets you jump straight to the bottom (where the newest entries are), search for specific error messages, and navigate without losing your place. It is the difference between reading a book and having the entire book printed on a single scroll of paper.

tail — Watching Logs in Real Time

tail shows the last lines of a file. By default, it displays the last 10 lines:

tail app.log

You can specify how many lines you want with -n:

tail -n 20 app.log

This shows the last 20 lines. Useful when you want to see a bit more context around the most recent entries.

But the real power of tail is the -f flag:

tail -f app.log

The -f stands for “follow.” Instead of printing the last lines and exiting, tail -f keeps the file open and prints new lines as they are written in real time. It sits there, watching the file, and the instant any process appends a new line to it, that line appears in your terminal.

This is how you monitor live services. When you are deploying a new version of an application, you run tail -f on its log file so you can immediately see if something goes wrong. When a user reports an error, you run tail -f and ask them to reproduce the issue so you can watch the error appear live. When a cron job runs at 3 AM and you are watching to make sure it succeeds, tail -f is what you use.

To stop following, press Ctrl+C. This does not delete or modify the file — it just stops the tail process.

This is the command. If someone asks you “how do you monitor logs on Linux,” the answer is tail -f. It is simple, it is universal, and it is the first thing experienced engineers reach for when troubleshooting live issues. You will use this constantly.

Try It — Live Log Monitoring

This exercise teaches you the dual-terminal workflow that IT professionals use every day. You will have one terminal watching a log file in real time while you use another terminal to simulate new log entries being written.

Setup: Open two terminal sessions

You need two separate terminal windows or tabs, both connected to the same server. If you are using SSH, just open a second terminal window and SSH in again. Both sessions should be in the same directory where your app.log file lives.

Terminal 1 — Start watching the log:

tail -f app.log

You should see the last 10 lines of app.log displayed. The cursor will sit there, waiting. Do not type anything else in this terminal — just leave it running.

Terminal 2 — Simulate new log entries:

In your second terminal, run these commands one at a time. After each one, look at Terminal 1 to see it appear in real time:

echo "2026-04-12 09:15:00 [INFO] Health check passed - all services responding" >> app.log

echo "2026-04-12 09:15:30 [WARNING] Request queue depth at 85% capacity" >> app.log

echo "2026-04-12 09:16:01 [ERROR] Timeout connecting to payment gateway api.payments.com" >> app.log

echo "2026-04-12 09:16:02 [ERROR] Transaction ID 8842 failed: upstream timeout after 30s" >> app.log

echo "2026-04-12 09:16:15 [INFO] Payment gateway connection restored" >> app.log

echo "2026-04-12 09:20:00 [INFO] Daily report generated: 1,247 transactions processed" >> app.log

What you should see: Every time you run an echo command in Terminal 2, the new line immediately appears in Terminal 1. You are watching the log file update live, just like you would when monitoring a real service.

When you are done, press Ctrl+C in Terminal 1 to stop the tail -f process.

This dual-terminal workflow — tailing logs in one while working in another — is something you will do constantly on the job. During deployments, you tail the application log in one terminal while running deployment commands in another. During troubleshooting, you tail the error log while reproducing the issue. This is not a training exercise — this is the actual workflow.

Bonus: Quick Command Combinations

Now that you know these commands individually, here are some combinations you will see and use frequently:

# See only error lines (preview of grep, which we cover next)
cat app.log | grep ERROR

# Count how many warnings are in the log
cat app.log | grep WARNING | wc -l

# See the last 5 lines of a system log
tail -n 5 /var/log/syslog

# Follow multiple log files at once
tail -f /var/log/syslog /var/log/auth.log

Do not worry about fully understanding grep and pipes yet — those are covered in detail on the next page. The point here is to see that these commands work together. That composability is one of the most powerful aspects of the Linux command line.

Checkpoint

Before moving on, make sure you can confidently do all of the following:

  • Open, edit, save, and exit a file using nano
  • Use cat to quickly view the contents of a small file
  • Explain when to use cat vs. less vs. tail
  • Navigate a file in less — scroll, jump to top and bottom, search with /, and quit with q
  • Use tail -f to follow a log file in real time
  • Set up the dual-terminal workflow: tail -f in one terminal, working in another
  • Explain why checking logs is the first step in troubleshooting

Reading and navigating log files is the most important practical skill on this entire page. Everything else in IT troubleshooting builds on your ability to find the right log, read it efficiently, and identify what went wrong. Next, you will learn how to search and filter output with grep and pipes, which takes your log-reading ability from “I can look at it” to “I can find exactly what I need in seconds.”