# Search Logs with grep, find, and tail

Learn how to search project logs by scope, time, and symptom so debugging starts from evidence.

## Outcome
Find the relevant log lines for a recent failure without reading the whole log directory.

## Safe first step
tail -80 logfile reads a bounded slice before deeper searching.

## Ladder steps
### 1. Bound the read
Start with a small recent window.

Check: tail shows recent lines without flooding the terminal.

### 2. Filter by symptom
Use grep for exact errors, service names, or status codes.

Check: The match should answer a specific question.

### 3. Find candidate files
Use find to locate logs by name or modified time.

Check: The result narrows which logs matter.

### 4. Preserve context
Use context flags when one line alone is not enough.

Check: grep -C shows surrounding lines.

## Examples
### Read recent Nginx errors
```sh
tail -80 /var/log/nginx/error.log
```
Expected signal: Recent timestamped error lines

### Search for a symptom
```sh
grep -RIn "permission denied" /var/log 2>/dev/null | head
```
Expected signal: File names and line numbers with matches

Caution: Broad searches can be expensive on large log trees.

### Find recently changed log files
```sh
find /var/log -type f -mtime -1 | head
```
Expected signal: Log file paths modified recently

## Common traps
- Searching the whole filesystem first.
- Ignoring timestamps.
- Copying private tokens or credentials from logs into public chats.

## Practice task
Given a failing service name, list three bounded commands you would run before opening a huge log.

## Next steps
- Learn systemd service logs.
- Learn Nginx error log checks.
- Learn disk usage and journal size.

## Related
- [Journalctl service logs command](https://linuxoneliners.com/commands/journalctl-service-logs/)
