mkdocs-pages/docs/Troubleshooting/checkinglogs.md

# Checking log files

The best way to see what a application is doing is to see what is in the logs for the particular application, by defaul logs are in the `/var/log` directory but they can also be in others as well

## Common log locations

| Service | Log location | What is logged |
|---------|--------------|----------------|
| Apache | /usr/local/apache/logs/error_log | Errors reported by Apache/PHP |
| Apache | /usr/local/apache/logs/stderr.log | Errors that are returned from STDERR |
| Exim | /var/log/mainlog | All connections and transactions for emails on the server |
| Dovecot | /var/log/maillog | All connections for incoming mail connections |
| lfd | /var/log/lfd.log | All firewall blocksk will be reported here along with the reason |
| ModSec | /usr/local/apache/modsec_audit.log | Any hits for the ModSec system will be logged here with the IP the rule and the data that triggered the rule |

## Reading logs

You can read the log files using command line applications like `cat` and `less`, cat will just print the file to the terminal where less will open the file up in a [pager](/Commands/pagers), this allows for things like searching without closing the logs

You can open a log with something like `less /var/log/mainlog` this will allow you to read over the log and search for the information that you wanted

You can also use `grep` to filter the logs for the information that you are looking for see [Grep Examples](/Examples/grep) for some more information on doing this

If you wanted to watch the logs live as you are testing something you can use the `tail -f` command to watch the log in real time

## Reading Archived logs

The Archived logs will usually be in a compressed gzip format with the date code and the .gz extenstion.

You can read these logs by either uncompressing them using `gzip -d` or you can use some handy versions of commands like `cat` and `grep` that are built to work with compression, these are `zcat` and `zgrep``