Vijay reads logs without Event Viewer
grep, tail, journalctl — log analysis that is faster than Event Viewer
Week 5. Vijay needed to investigate an error from yesterday at 2pm. On Windows: open Event Viewer, navigate to the right log, filter by date and time, filter by error level. Sometimes 5 minutes just to get to the right place.
On Linux he did it in 20 seconds:

journalctl -u myapp --since "yesterday 14:00" --until "yesterday 15:00" -p err

WHERE ARE LOGS ON LINUX?
Windows Event Log | Linux equivalent
System            | /var/log/syslog or journalctl
Application       | /var/log/appname/ or journalctl -u servicename
Security          | /var/log/auth.log
Setup             | /var/log/dpkg.log

ls /var/log/ # see all log categories
ls /var/log/nginx/ # nginx access.log and error.log
ls /opt/myapp/logs/ # application-specific logs

READING LOGS - Windows Notepad vs Linux tail and grep
cat /var/log/nginx/error.log # print entire file
tail /var/log/nginx/error.log # last 10 lines (like CMTrace latest)
tail -n 100 /var/log/nginx/error.log # last 100 lines
tail -f /var/log/nginx/error.log # LIVE view (like CMTrace tail mode)

SEARCHING LOGS - findstr becomes grep
Windows: findstr "error" app.log
Linux: grep "error" app.log

Windows: findstr /i "error" app.log (case insensitive)
Linux: grep -i "error" app.log

Windows: findstr /n "error" app.log (show line numbers)
Linux: grep -n "error" app.log

Windows: findstr /s "error" *.log (search all log files)
Linux: grep -r "error" /var/log/myapp/

The most important grep:
grep -C 5 "ERROR" app.log # show 5 lines AROUND each match
# see what happened before the error
# Windows has no easy equivalent

FILTERING BY TIME - Event Viewer time filter vs grep
journalctl --since "2026-03-16 14:00" --until "2026-03-16 15:00"
journalctl --since "1 hour ago"
journalctl --since today

For application text logs:
grep "2026-03-16 14:" app.log # filter by hour
awk '/2026-03-16 14:00/,/2026-03-16 15:00/' app.log # time range; the range closes at the first line matching 15:00, so if nothing was logged in that minute it prints through to end of file

FILTERING BY SEVERITY - Event Viewer level filter
journalctl -p err # errors and above
journalctl -p warning # warnings and above
grep "ERROR" app.log # filter app log for errors
grep -v "INFO" app.log # exclude INFO, show everything else

COMPRESSED OLD LOGS - Windows Archive vs Linux .gz files
ls /var/log/nginx/
# access.log access.log.1 access.log.2.gz access.log.3.gz

zcat access.log.2.gz # read compressed log
zgrep "error" access.log.2.gz # grep inside compressed log

COMBINING COMMANDS - where Linux beats Event Viewer
# Count errors by type, most frequent first:
grep "ERROR" app.log | awk '{print $NF}' | sort | uniq -c | sort -rn | head -10

# Find peak error hour (assumes lines start with "YYYY-MM-DD HH:MM:SS"):
grep "ERROR" app.log | cut -d: -f1 | sort | uniq -c

# Live monitoring for a specific error:
tail -f app.log | grep "OutOfMemoryError"

# Live monitoring with context around the error:
tail -f app.log | grep -A 3 "ERROR"

Vijay's conclusion by end of week 5: Event Viewer is easier for clicking around. grep is faster when you know what you are looking for. In production support, you almost always know what you are looking for.
journalctl replaces Event Viewer — filter by service, time, and severity all in one command
tail -f is CMTrace tail mode — live log viewing that updates as new lines appear
grep -C 5 shows context around matches — there is no easy Windows equivalent
zgrep searches inside compressed .gz log files — old logs need not be uncompressed first
grep pipelines (grep | awk | sort | uniq -c) produce log analysis reports in seconds
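The error-count, peak-hour and time-window commands from the "Filtering by time" and "Combining commands" sections, run over a constructed sample log, as an added example that is not from the original post. It wraps the one-liners in shell functions and replaces the awk range pattern with a timestamp comparison, so the window no longer runs to end of file when no line falls on the closing minute. The log layout (date, time, level, component, message) and the sample contents are assumptions.

```shell
#!/bin/sh
# Constructed sample application log (not a real capture).
# Layout assumed: "YYYY-MM-DD HH:MM:SS LEVEL component message".
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2026-03-16 13:59:58 INFO  web request served
2026-03-16 14:00:05 ERROR db TimeoutException
2026-03-16 14:01:10 WARN  db slow query
2026-03-16 14:02:30 ERROR db TimeoutException
2026-03-16 14:03:12 ERROR worker OutOfMemoryError
2026-03-16 15:00:01 INFO  web request served
2026-03-16 16:10:44 ERROR db TimeoutException
2026-03-16 16:11:00 ERROR auth LoginFailed
EOF

# Count ERROR lines by their last field (the exception name), most frequent first.
errors_by_type() {
  grep "ERROR" "$1" | awk '{print $NF}' | sort | uniq -c | sort -rn
}

# Hour with the most ERROR lines, printed as "YYYY-MM-DD HH".
# cut -d: -f1 keeps everything up to the first colon, i.e. date plus hour.
peak_error_hour() {
  grep "ERROR" "$1" | cut -d: -f1 | sort | uniq -c | sort -rn | head -1 |
    awk '{print $2, $3}'
}

# All lines with start <= timestamp < end, e.g. "2026-03-16 14:00" "2026-03-16 15:00".
# Compares the "date time" prefix as a string, which is safe because the format is
# zero-padded and therefore sorts chronologically; unlike awk '/start/,/end/' it does
# not need a line logged at the exact end minute to close the window.
errors_in_window() {
  awk -v s="$2" -v e="$3" '{ ts = $1 " " $2 } ts >= s && ts < e' "$1"
}

# Stand-alone demonstration.
errors_by_type "$SAMPLE_LOG"
peak_error_hour "$SAMPLE_LOG"
errors_in_window "$SAMPLE_LOG" "2026-03-16 14:00" "2026-03-16 15:00" | grep "ERROR"
```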