# Tail System Logs

You are helping the user monitor system logs in real time for debugging and system monitoring.

## Task

1. **Follow all system logs:**
   ```bash
   # Follow journal in real-time
   journalctl -f

   # Follow with timestamp
   journalctl -f -o short-precise

   # Follow only errors and above
   journalctl -f -p err
   ```

2. **Follow specific services:**
   ```bash
   # Specific service
   journalctl -u SERVICE_NAME -f

   # Multiple services
   journalctl -u NetworkManager -u systemd-resolved -f

   # Example: Common services to monitor
   journalctl -u sddm -u plasmashell -f  # KDE
   journalctl -u gdm -u gnome-shell -f   # GNOME
   ```

3. **Follow kernel messages:**
   ```bash
   # Kernel ring buffer
   dmesg -w

   # Kernel logs from journal
   journalctl -k -f

   # Specific kernel subsystem (e.g., USB)
   dmesg -w | grep -i usb
   ```

4. **Follow authentication logs:**
   ```bash
   # Auth attempts: SSH daemon (unit is "ssh" on Debian/Ubuntu, "sshd" elsewhere)
   journalctl -u ssh -f

   # Auth attempts: sudo (not a systemd unit, so match its syslog identifier)
   journalctl -t sudo -f

   # Login attempts
   journalctl _SYSTEMD_UNIT=systemd-logind.service -f

   # Traditional auth log (if available)
   tail -f /var/log/auth.log
   ```

5. **Follow application logs:**
   ```bash
   # X11 session
   tail -f ~/.xsession-errors

   # Wayland session
   journalctl --user -f

   # Specific application
   journalctl -f | grep -i "application-name"
   ```

6. **Follow with filtering:**
   ```bash
   # Only show errors/warnings
   journalctl -f -p warning

   # Filter by identifier
   journalctl -f -t identifier-name

   # Specific priority range
   journalctl -f -p err..warning

   # Grep for specific terms
   journalctl -f | grep -i "error\|fail\|critical"
   ```

7. **Multi-pane log viewing:**
   ```bash
   # Using tmux to watch multiple logs
   tmux new-session -s logs \; \
     split-window -v \; \
     split-window -h \; \
     select-pane -t 0 \; \
     send-keys 'journalctl -f -p err' C-m \; \
     select-pane -t 1 \; \
     send-keys 'dmesg -w' C-m \; \
     select-pane -t 2 \; \
     send-keys 'journalctl -u NetworkManager -f' C-m
   ```

8. **Follow with context:**
   ```bash
   # Last 100 lines plus new
   journalctl -n 100 -f

   # Since specific time
   journalctl --since "10 minutes ago" -f

   # This boot plus new
   journalctl -b -f
   ```

9. **Custom log monitoring script:**
   ```bash
   cat > /tmp/log-monitor.sh << 'EOF'
   #!/bin/bash

   # Colors
   RED='\033[0;31m'
   YELLOW='\033[1;33m'
   NC='\033[0m' # No Color

   echo "Monitoring system logs for critical events..."
   echo "Press Ctrl+C to stop"
   echo ""

   # read -r keeps backslashes in log text literal; printf '%s' prints the
   # line as data, so only the color variables are expanded as escapes.
   journalctl -f -o short-precise -p warning | while IFS= read -r line; do
       if echo "$line" | grep -qi "error\|fail\|critical"; then
           printf '%b%s%b\n' "$RED" "$line" "$NC"
       elif echo "$line" | grep -qi "warning\|warn"; then
           printf '%b%s%b\n' "$YELLOW" "$line" "$NC"
       else
           printf '%s\n' "$line"
       fi
   done
   EOF

   chmod +x /tmp/log-monitor.sh
   /tmp/log-monitor.sh
   ```

10. **Interactive log browser:**
    ```bash
    # Use journalctl with cursor navigation
    journalctl --no-pager -n 1000 | less +G

    # Or use GUI log viewer
    ksystemlog   # KDE
    gnome-logs   # GNOME
    ```

## Common Monitoring Scenarios

**Debugging boot issues:**
```bash
# Watch boot process (from another TTY or SSH)
journalctl -b -f
```

**Network troubleshooting:**
```bash
journalctl -u NetworkManager -u systemd-resolved -u wpa_supplicant -f
```

**Display/GPU issues:**
```bash
journalctl -f | grep -iE "drm|amdgpu|nvidia|wayland|xorg"
```

**USB device debugging:**
```bash
dmesg -w | grep -i usb
```

**Bluetooth issues:**
```bash
journalctl -u bluetooth -f
```

**Audio problems:**
```bash
journalctl --user -u pipewire -u wireplumber -f
```

**Package installation monitoring:**
```bash
journalctl -u apt-daily -u apt-daily-upgrade -f
```

## Log Rotation & Management

```bash
# Check journal size
journalctl --disk-usage

# Vacuum old logs
sudo journalctl --vacuum-time=7d
sudo journalctl --vacuum-size=500M

# View available boots
journalctl --list-boots

# View logs from previous boot (a finished boot produces nothing new to follow)
journalctl -b -1
```

## Alternative Log Files

Some systems still use traditional log files:

```bash
# System log
tail -f /var/log/syslog

# Kernel log
tail -f /var/log/kern.log

# Authentication
tail -f /var/log/auth.log

# Package management
tail -f /var/log/dpkg.log
tail -f /var/log/apt/history.log

# X11
tail -f /var/log/Xorg.0.log
```

## Troubleshooting

**Journal not persistent:**
- Check `/var/log/journal/` exists
- Run: `sudo mkdir -p /var/log/journal && sudo systemctl restart systemd-journald`

**Too much log output:**
- Increase filter priority: `-p err` instead of `-p info`
- Filter by unit: `-u specific-service`
- Use grep to focus on specific issues

**Logs filling disk:**
- Set limit in `/etc/systemd/journald.conf`:
  ```
  SystemMaxUse=500M
  ```
- Restart journald: `sudo systemctl restart systemd-journald`

## Notes

- Use `-o verbose` for maximum detail
- Use `-o json` for machine-readable output
- Use `-o cat` for just the message without metadata
- Ctrl+C to stop following logs
- Consider using `multitail` for advanced multi-log viewing
- Set `--lines=` or `-n` to control how much history to show initially
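
Added example (not part of the original page): a streaming check to pipe the SSH auth-log follow from step 4 into, printing one alert when a source address reaches a threshold of failed password logins. It assumes the `-o short-precise` line layout and OpenSSH's `Failed password for ... from ADDR port N ssh2` message; `ssh_fail_alert`, `sample_journal` and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Usage (unit name "ssh" is an assumption; it is "sshd" on many distros):
#   journalctl -u ssh -o short-precise -f | ssh_fail_alert 5
ssh_fail_alert() {
    awk -v limit="${1:-5}" '
    # short-precise layout: month day time host ident[pid]: message...
    # Anchor on field positions so text inside another message cannot match.
    $5 ~ /^sshd(-session)?\[[0-9]+\]:$/ && $6 == "Failed" && $7 == "password" {
        # The user name is chosen by the client and may contain spaces or the
        # word "from", so read the address from the END of the line:
        #   ... from <addr> port <n> ssh2
        if ($(NF-4) != "from" || $(NF-2) != "port") next
        addr = $(NF-3)
        if (addr !~ /^[0-9A-Fa-f:.]+$/) next   # IPv4/IPv6 characters only
        if (++fails[addr] == limit) {          # alert once, at the threshold
            printf "ALERT %s reached %d failed SSH logins\n", addr, limit
            fflush()                           # keep alerts timely under -f
        }
    }'
}

# Constructed sample lines (documentation address ranges, not real logs).
# Line 3 carries a user name crafted to look like a different source address.
sample_journal() {
    cat <<'EOF'
Jan 15 10:00:01.000001 host1 sshd[1001]: Failed password for root from 203.0.113.5 port 40001 ssh2
Jan 15 10:00:02.000001 host1 sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Jan 15 10:00:03.000001 host1 sshd[1003]: Failed password for invalid user x from 198.51.100.9 port 1 ssh2 from 203.0.113.5 port 40003 ssh2
Jan 15 10:00:04.000001 host1 sshd[1004]: Accepted password for alice from 198.51.100.7 port 40004 ssh2
Jan 15 10:00:05.000001 host1 sudo[1005]: pam_unix(sudo:auth): authentication failure; logname=alice uid=1000
Jan 15 10:00:06.000001 host1 sshd-session[1006]: Failed password for root from 198.51.100.9 port 40006 ssh2
EOF
}

# Demo run over the constructed sample
sample_journal | ssh_fail_alert 3
```

The counts live only in the running `awk` process, so restarting the pipeline resets them; pair it with `--since` from step 8 to seed the counts from recent history.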