LAB-FS-03 - Inside /var - The Living Data

FS File System Mastery

Inside /var - The Living Data

Inspect /var safely so you can find changing data such as logs and understand how to read it without making the situation worse.

45 min INTERMEDIATE LINUX Field-verified

Prerequisites

Lab LAB-FS-01 - The Linux File System Tree

Success criteria

Find likely log locations under /var.
Use tail, less, or journalctl to inspect recent activity safely.

Safety notes

Do not edit log files directly. Read them with tail, less, or journalctl.

Part A: The Field Guide

/var holds data that changes while the system runs. For most learners, the most important part is /var/log.

When a service fails, your job is usually not to guess. Your job is to inspect the latest evidence.

Safe Reading Rule

Use tail, less, or journalctl to inspect logs. Avoid opening active logs in an editor while you are still learning.

What to expect under /var

/var/log for system and application logs
/var/lib for persistent application data
/var/spool for queued work waiting to be processed

Part B: The Drill Deck

Terminal required: you may need sudo for some logs depending on your distribution.

Exercise G1: Find the log area

Run cd /var/log
Run ls | head
Notice the variety of logs and service-specific folders

Exercise G2: Read only the recent lines

Run one of these, depending on your system: sudo tail -n 20 /var/log/syslog sudo tail -n 20 /var/log/messages
Look at the latest timestamps
Explain what tail is helping you avoid

Exercise G3: Page through a larger log

Run one of these: sudo less /var/log/syslog sudo less /var/log/messages
Search inside the log with /error
Press n to move to the next match and q to quit

Exercise S1: Follow live updates

Run one of these commands and leave it open: sudo tail -f /var/log/syslog sudo tail -f /var/log/messages
In another terminal, run logger "practice message"
Watch the new line appear
Stop the follow session with Ctrl+C

Exercise S2: Try journalctl

Run journalctl -n 20
Then run journalctl -f
Compare the experience with tail -f

Mission M1: Choose the right reading tool

For each situation below, name the tool you would use first and why:

You want only the most recent lines.
You want to search through a long log calmly.
You are on a system where journalctl is the main source of service logs.

If you can choose the reader based on the task, you are learning the part that actually matters.

Practice flow

Run the exercise carefully, then repeat the key steps once more in the same session without leaning on the instructions.

Open lesson Open Arena Back to Labs

Reflection

Which tool felt most useful for reading changing data: tail, less, or journalctl?
What would you check first in /var after a service error?

If not yet, repeat the lab once more without leaning on the instructions.

Move on when

Read the end of a log and explain what happened most recently.
Choose an appropriate reader for a large log without using an editor.

A lab counts when you can repeat it cleanly with much less help than the first time.

Practice review

After you finish, repeat this lab tomorrow with less reliance on the instructions.

Use spaced practice around day 1, day 2, day 5.
Try to predict the steps before you scroll.
Run the key commands or actions from memory first.
Use the lesson or Library only for the parts that still fail.

Lab context

Best for

Need structureSerious hands-on operatorStarting from zero

Pathways

Career operator pathFoundations first

Practice fit

Beginner-safe Guided practice

This lab is designed to be attempted safely by newer learners if they stay inside the described sandbox or practice folder.

Expect tighter prompts and a more protected workflow while the skill is still forming.

Revisit the lesson

Module M07 - File Operations: View and Read Module M09 - File Operations: Copy, Move, Delete Module M10 - Search and Find Module M11 - File System Lab: Mini Scenario

Topics

varlogstaillessjournalctl

Reference support

Library var Library logs Library tail Library less

On this page