Unix - Interview Troubleshooting Questions

(Logging, logrotate, journalctl)


1. Disk is full due to logs. How will you troubleshoot?

Answer:

  1. Check disk usage:

df -h

  2. Find large logs:

du -sh /var/log/*

  3. Identify log type (syslog or journal)

  4. Rotate logs:

logrotate -f /etc/logrotate.conf

  5. Vacuum journal logs:

journalctl --vacuum-size=200M

2. Logs are not rotating automatically. What could be the reason?

Possible Causes:

  • logrotate cron job not running

  • Syntax error in config

  • Incorrect log file path

  • Permission issues

Check:

logrotate -d /etc/logrotate.conf

3. After log rotation, the application stops logging. Why?

Reason:

  • Application still writing to old file descriptor

Fix:
Add a postrotate script so the logging service reopens its log file:

postrotate
    systemctl reload rsyslog
endscript
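
Why the reload matters, as an added example that is not part of the original answers: the script imitates a rename-style rotation in a temporary directory and reports where the writer's next line lands with and without reopening the log. The function name rotation_demo and the file names are constructed for this demo.

```shell
#!/bin/sh
# Constructed demo: every path lives in a throwaway temp directory.

# Prints "<lines in app.log> <lines in app.log.1>" after a rename-style rotation.
#   $1 = "reopen"  -> the writer reopens its log after rotation (what a reload triggers)
#   $1 = other     -> the writer keeps its original file descriptor
# Call it inside $(...) so the descriptor changes stay in a subshell.
rotation_demo() {
    mode=$1
    dir=$(mktemp -d) || return 1
    log="$dir/app.log"

    exec 3>>"$log"                 # the "application" opens its log once
    echo "before rotation" >&3

    mv "$log" "$log.1"             # rotation by rename: same inode, new name
    : > "$log"                     # fresh empty file under the old name

    if [ "$mode" = "reopen" ]; then
        exec 3>&-                  # close the stale descriptor
        exec 3>>"$log"             # reopen by path: now the new file
    fi
    echo "after rotation" >&3      # lands wherever fd 3 points
    exec 3>&-

    new=$(wc -l < "$log" | tr -d ' ')
    old=$(wc -l < "$log.1" | tr -d ' ')
    rm -rf "$dir"
    echo "$new $old"
}

echo "no reopen: $(rotation_demo stale)"    # new file stays empty
echo "reopen:    $(rotation_demo reopen)"   # new file receives the line
```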

4. journalctl logs disappear after reboot. Why?

Reason:

  • Journal stored in volatile memory

Solution:

mkdir -p /var/log/journal
systemctl restart systemd-journald

5. How do you limit journalctl disk usage?

Answer:
Temporary:

journalctl --vacuum-size=300M

Permanent (in /etc/systemd/journald.conf):

SystemMaxUse=500M


6. Logs are visible in journalctl but not in /var/log. Why?

Reason:

  • journald not forwarding logs to syslog

Fix:

ForwardToSyslog=yes

Restart:

systemctl restart systemd-journald rsyslog

7. How do you check logs for a failed service?

Answer:

journalctl -u servicename

Example:

journalctl -u ssh

8. How do you debug logrotate configuration before applying it?

Answer:

logrotate -d /etc/logrotate.conf

9. What is the difference between logrotate and journalctl rotation?

Answer:

  • logrotate manages text log files

  • journalctl manages binary journal logs

  • logrotate is rule-based

  • journalctl is space-based


10. How do you find logs between specific times?

Answer:

journalctl --since "2025-12-16 09:00" --until "2025-12-16 10:00"

11. A service is running but not generating logs. How will you debug?

Answer:

  1. Check service status

systemctl status service

  2. Check journal logs

journalctl -u service

  3. Verify log configuration

  4. Check permissions on log directory


12. How do you find which process is writing to a log file?

Answer:

lsof /var/log/syslog

13. How do you prevent logs from filling disk permanently?

Answer:

  • Configure logrotate

  • Enable compression

  • Limit journal size

  • Monitor disk usage


14. What happens if logrotate fails?

Answer:

  • Logs keep growing

  • Disk may become full

  • Services may crash

  • System may become unstable


15. Explain a real-time log monitoring command.

Answer:

journalctl -f

or

tail -f /var/log/syslog

16. What log files are important for security incidents?

Answer:

  • /var/log/auth.log

  • /var/log/secure

  • audit logs

  • journal logs


17. Can journalctl logs be deleted manually?

Answer:
No. They should be removed using:

journalctl --vacuum-time=7d

18. How do you troubleshoot high CPU caused by logging?

Answer:

  • Identify noisy services

  • Reduce log level

  • Adjust rotation frequency

  • Enable compression


19. What is your first step when logs are missing?

Answer:

  • Check journald status

  • Verify persistent storage

  • Check permissions