ss is a command-line utility for displaying socket statistics on Linux. It is the modern replacement for the deprecated netstat command and is faster, more detailed, and available by default on all current Linux distributions.

This guide explains how to use ss to list open sockets, filter results by protocol and port, and identify which process is using a given connection.

ss Syntax #

ss [OPTIONS] [FILTER]

When invoked without options, ss displays all non-listening sockets that have an established connection.

List All Sockets #

To list all sockets regardless of state, use the -a option:

ss -a

The output includes columns for the socket type (Netid), state, receive and send queue sizes, local address and port, and peer address and port:

Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp ESTAB 0 0 192.168.1.10:ssh 192.168.1.5:52710
tcp LISTEN 0 128 0.0.0.0:http 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:bootpc 0.0.0.0:*

Filter by Socket Type #

TCP Sockets (-t) #

To list only TCP sockets:

ss -t

To include listening TCP sockets as well, combine with -a:

ss -ta

UDP Sockets (-u) #

To list only UDP sockets:

ss -ua

Unix Domain Sockets (-x) #

To list Unix domain sockets used for inter-process communication:

ss -xa

Show Listening Sockets #

The -l option shows only sockets that are in the listening state:

ss -tl

The most commonly used combination is -tulpn, which shows all TCP and UDP listening sockets with process names and numeric addresses:

ss -tulpn

Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=1234,fd=3))
tcp LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=5678,fd=6))
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:* users:(("dhclient",pid=910,fd=6))

Each option in the combination does the following:

• -t — show TCP sockets
• -u — show UDP sockets
• -l — show listening sockets only
• -p — show the process name and PID
• -n — show numeric addresses and ports instead of resolving hostnames and service names

Show Process Information #

The -p option adds the process name and PID to the output. This requires root privileges to see processes owned by other users:

sudo ss -tp

State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 192.168.1.10:ssh 192.168.1.5:52710 users:(("sshd",pid=2341,fd=5))

Use Numeric Output #

By default, ss resolves port numbers to service names (for example, port 22 becomes ssh). The -n option disables this and shows raw port numbers:

ss -tn

This is useful when you need to match exact port numbers in scripts or when name resolution is slow.

Filter by Port #

To find which process is using a specific port, filter by destination or source port. For example, to list all sockets using port 80:

ss -tulpn | grep :80

You can also use the built-in filter syntax:

ss -tnp 'dport = :443'

To filter by source port:

ss -tnp 'sport = :22'

Filter by Connection State #

ss supports filtering by connection state. Common states include ESTABLISHED, LISTEN, TIME-WAIT, and CLOSE-WAIT.

To show only established TCP connections:

ss -tn state ESTABLISHED

To show only sockets in the TIME-WAIT state:

ss -tn state TIME-WAIT

Filter by Address #

To show sockets connected to or from a specific IP address:

ss -tn dst 192.168.1.5

To filter by source address:

ss -tn src 192.168.1.10

You can combine address and port filters:

ss -tnp dst 192.168.1.5 dport = :22

Show IPv4 or IPv6 Only #

To restrict output to IPv4 sockets, use -4:

ss -tln -4

To show only IPv6 sockets, use -6:

ss -tln -6

Show Summary Statistics #

The -s option prints a summary of socket counts by type and state without listing individual sockets:

ss -s

Total: 312
TCP: 14 (estab 4, closed 3, orphaned 0, timewait 3)
Transport Total IP IPv6
RAW 1 0 1
UDP 6 4 2
TCP 11 7 4
INET 18 11 7
FRAG 0 0 0

This is useful for a quick overview of the network state on a busy server.

Practical Examples #

The following examples cover common diagnostics you will use together with tools like ip , ifconfig , and check listening ports .

Find which process is listening on port 8080:

sudo ss -tlpn sport = :8080

List all established SSH connections to your server:

ss -tn state ESTABLISHED '( dport = :22 or sport = :22 )'

Show all connections to a remote host:

ss -tn dst 203.0.113.10

Count established TCP connections:

ss -tn state ESTABLISHED | tail -n +2 | wc -l

Quick Reference #

Troubleshooting #

ss -p does not show process names
Process information for sockets owned by other users requires elevated privileges. Use sudo ss -tp or sudo ss -tulpn.

Filters return no results
Use quoted filter expressions such as ss -tn 'dport = :443', and verify whether you should filter by sport or dport.

Service names hide numeric ports
If output shows service names (ssh, http) instead of port numbers, add -n to keep numeric ports and avoid lookup ambiguity.

Output is too broad on busy servers
Start with protocol and state filters (-t, -u, state ESTABLISHED) and then add address or port filters to narrow results.

You need command-level context, not only sockets
Use ss with ps or pgrep when you need additional process detail.

FAQ #

What is the difference between ss and netstat?
ss is the modern replacement for netstat. It reads directly from kernel socket structures, making it significantly faster on systems with many connections. netstat is part of the net-tools package, which is deprecated and not installed by default on most current distributions.

Why do I need sudo with ss -p?
Without root privileges, ss can only show process information for sockets owned by your own user. To see process names and PIDs for all sockets, run ss with sudo.

What does Recv-Q and Send-Q mean in the output?
Recv-Q is the number of bytes received but not yet read by the application. Send-Q is the number of bytes sent but not yet acknowledged by the remote host. Non-zero values on a listening socket or consistently high values can indicate a performance issue.

How do I find which process is using a specific port?
Run sudo ss -tulpn | grep :<port>. The -p flag adds process information and -n keeps port numbers numeric so the grep match is reliable.

Conclusion #

ss is the standard tool for inspecting socket connections on modern Linux systems. The -tulpn combination covers most day-to-day needs, while the state and address filters make it easy to narrow results on busy servers. For related network diagnostics, see the ip and ifconfig command guides, or check listening ports for a broader overview.

uniq is a command-line utility that filters adjacent duplicate lines from sorted input and writes the result to standard output. It is most commonly used together with sort to remove or count duplicates across an entire file.

This guide explains how to use the uniq command with practical examples.

uniq Command Syntax #

The syntax for the uniq command is as follows:

uniq [OPTIONS] [INPUT [OUTPUT]]

If no input file is specified, uniq reads from standard input. The optional OUTPUT argument redirects the result to a file instead of standard output.

Removing Duplicate Lines #

By default, uniq removes adjacent duplicate lines, keeping one copy of each. Because it only compares consecutive lines, the input must be sorted first — otherwise only back-to-back duplicates are removed.

Given a file with repeated entries:

apple
apple
banana
cherry
banana
cherry
cherry

Running uniq on the unsorted file removes only the back-to-back duplicates (apple apple and cherry cherry), but leaves the second banana and the second cherry intact:

uniq fruits.txt

apple
banana
cherry
banana
cherry

To remove all duplicates regardless of position, sort the file first:

sort fruits.txt | uniq

apple
banana
cherry

Counting Occurrences #

To prefix each output line with the number of times it appears, use the -c (--count) option:

sort fruits.txt | uniq -c

 2 apple
2 banana
3 cherry

The count and the line are separated by whitespace. This is especially useful for finding the most frequent lines in a file. To rank them from most to least common, pipe the output back to sort:

sort fruits.txt | uniq -c | sort -rn

 3 cherry
2 banana
2 apple

Showing Only Duplicate Lines #

To print only lines that appear more than once (one copy per group), use the -d (--repeated) option:

sort fruits.txt | uniq -d

apple
banana
cherry

To print every instance of a repeated line rather than just one, use -D:

sort fruits.txt | uniq -D

apple
apple
banana
banana
cherry
cherry
cherry

Showing Only Unique Lines #

To print only lines that appear exactly once (no duplicates), use the -u (--unique) option:

sort fruits.txt | uniq -u

If every line appears more than once, the output is empty. In the example above, all three fruits are duplicated, so nothing is printed.

Ignoring Case #

By default, uniq comparisons are case-sensitive, so Apple and apple are treated as different lines. To compare lines case-insensitively, use the -i (--ignore-case) option:

sort -f file.txt | uniq -i

Skipping Fields and Characters #

uniq can be told to skip leading fields or characters before comparing lines.

To skip the first N whitespace-separated fields, use -f N (--skip-fields=N). This is useful when lines share a common prefix (such as a timestamp) that should not be part of the comparison:

2026-01-01 ERROR disk full
2026-01-02 ERROR disk full
2026-01-03 WARNING low memory

uniq -f 1 log.txt

2026-01-01 ERROR disk full
2026-01-03 WARNING low memory

The first field (the date) is skipped, so the two ERROR disk full lines are treated as duplicates.

To skip the first N characters instead of fields, use -s N (--skip-chars=N). To limit the comparison to the first N characters per line, use -w N (--check-chars=N).

Combining uniq with Other Commands #

uniq works well in pipelines with grep , cut , sort , and wc .

To count the number of unique lines in a file:

sort file.txt | uniq | wc -l

To find the top 10 most common words in a text file:

grep -Eo '[[:alnum:]]+' file.txt | sort | uniq -c | sort -rn | head -10

To list unique IP addresses from an access log:

awk '{print $1}' /var/log/nginx/access.log | sort | uniq

To find lines that appear in one file but not another (using -u against merged sorted files):

sort file1.txt file2.txt | uniq -u

Quick Reference #

Troubleshooting #

Duplicates are not removed uniq only removes adjacent duplicate lines. If the file is not sorted, non-consecutive duplicates are not detected. Always sort the input first: sort file.txt | uniq.

-c output has inconsistent spacing The count is right-aligned and padded with spaces. If you need to process the output further, use awk to normalize spacing while preserving the full line text: sort file.txt | uniq -c | awk '{count=$1; $1=\"\"; sub(/^ +/, \"\"); print count, $0}'.

Case variants are treated as different lines Use the -i option to compare case-insensitively. Also sort with -f so that case-insensitive duplicates are adjacent before uniq processes them: sort -f file.txt | uniq -i.

FAQ #

What is the difference between sort -u and sort | uniq? Both produce the same output for simple deduplication. sort -u is slightly more efficient. sort | uniq is more flexible because uniq supports options like -c (count occurrences) and -d (show only duplicates) that sort -u does not.

Does uniq modify the input file? No. uniq reads from a file or standard input and writes to standard output. The original file is never modified. To save the result, use redirection: sort file.txt | uniq > deduped.txt.

How do I count unique lines in a file? Pipe through sort, uniq, and wc : sort file.txt | uniq | wc -l.

How do I find lines that only appear in one of two files? Merge both files and use uniq -u: sort file1.txt file2.txt | uniq -u. Lines shared by both files become duplicates in the merged sorted stream and are suppressed. Lines that exist in only one file remain unique and are printed.

Can uniq work on columns instead of full lines? Yes. Use -f N to skip the first N fields, -s N to skip the first N characters, or -w N to limit comparison to the first N characters. This lets you deduplicate based on a portion of each line.

Conclusion #

The uniq command is a focused tool for filtering and counting duplicate lines. It is most effective when used after sort in a pipeline and pairs naturally with wc , grep , and head for text analysis tasks.

If you have any questions, feel free to leave a comment below.

TeamViewer is a cross-platform remote access and support solution that allows you to connect to and control remote computers over the internet. It supports remote control, file transfer, desktop sharing, and online meetings across Windows, macOS, and Linux.

This guide explains how to install TeamViewer on Ubuntu 24.04.

Quick Reference #

Prerequisites #

You need to be logged in as root or as a user with sudo privileges .

Installing TeamViewer on Ubuntu 24.04 #

TeamViewer is proprietary software and is not available in the standard Ubuntu repositories. You will download and install the official .deb package directly from TeamViewer.

Open your terminal and download the latest TeamViewer .deb package using wget :

wget https://download.teamviewer.com/download/linux/teamviewer_amd64.deb

Once the download is complete, update the package index and install the package:

sudo apt update
sudo apt install ./teamviewer_amd64.deb

When prompted Do you want to continue? [Y/n], type Y to confirm.

TeamViewer is now installed on your Ubuntu 24.04 system.

Starting TeamViewer #

You can launch TeamViewer from the command line:

teamviewer

Alternatively, open the Activities menu, search for “TeamViewer”, and click its icon.

When TeamViewer starts for the first time, it will prompt you to accept the license agreement. Click “Accept License Agreement” to continue.

After accepting, the main TeamViewer window opens and displays your ID and Password. Share these with anyone who needs to connect to your machine, or enter a remote computer’s ID to initiate a connection yourself.

Updating TeamViewer #

During installation, the official TeamViewer repository is added to your system. You can verify it with the cat command :

cat /etc/apt/sources.list.d/teamviewer.list

deb https://linux.teamviewer.com/deb stable main

Because the repository is configured, you can update TeamViewer the same way you update any other package:

sudo apt update
sudo apt upgrade teamviewer

You can also update through the Software Updater application in the GNOME desktop.

Uninstalling TeamViewer #

To remove TeamViewer while keeping its configuration files:

sudo apt remove teamviewer

To remove TeamViewer along with all its configuration files:

sudo apt purge teamviewer

To also remove the TeamViewer APT repository so it no longer appears in your package sources:

sudo rm /etc/apt/sources.list.d/teamviewer.list
sudo apt update

Troubleshooting #

teamviewer: command not found after installation Close and reopen your terminal, or log out and back in so the new binary is picked up by your shell’s PATH. If the issue persists, verify the installation with which teamviewer or dpkg -l teamviewer.

Qt library errors during installation Run sudo apt install -f to resolve broken or missing dependencies, then retry the installation.

dpkg error when installing the .deb file Run sudo dpkg --configure -a to fix any interrupted package operations, then run sudo apt install ./teamviewer_amd64.deb again.

TeamViewer shows “Not ready. Please check your connection.” This usually means the TeamViewer daemon is not running or cannot reach the internet. Try restarting the service:

sudo systemctl restart teamviewerd

Verify the service is active:

sudo systemctl status teamviewerd

Wrong architecture — running an ARM system The teamviewer_amd64.deb package is for 64-bit x86 systems. For ARM-based systems such as a Raspberry Pi running Ubuntu, download the ARM package from the TeamViewer Linux downloads page .

FAQ #

Is TeamViewer free on Linux? TeamViewer is free for personal and non-commercial use. Commercial use requires a paid license. See the TeamViewer pricing page for details.

Does the same installation method work on Ubuntu 22.04 and Debian? Yes. The same .deb package and apt install steps work on Ubuntu 22.04 and other Debian-based distributions. For Ubuntu 22.04 specific instructions, see How to Install TeamViewer on Ubuntu 22.04 .

How do I connect to a remote computer? Open TeamViewer, enter the remote computer’s ID in the “Partner ID” field, and click “Connect”. Enter the password when prompted. The remote session starts immediately if the correct credentials are provided.

How do I allow unattended access? In the TeamViewer main window, go to Extras → Options → Security and set a personal password. This allows connections to your machine without requiring someone to be present to share the one-time password.

Conclusion #

TeamViewer can be installed on Ubuntu 24.04 in two commands — download the .deb package and install it with apt. The TeamViewer repository added during installation keeps the application up to date through the standard Ubuntu update process.

If you have any questions, feel free to leave a comment below.

top is a command-line utility that displays running processes and system resource usage in real time. It helps you inspect CPU usage, memory consumption, load averages, and process activity from a single interactive view.

This guide explains how to use top to monitor your system and quickly identify resource-heavy processes.

top Command Syntax #

The syntax for the top command is as follows:

top [OPTIONS]

Run top without arguments to open the interactive monitor:

top

Understanding the top Output #

The screen is split into two areas:

• Summary area — system-wide metrics displayed in the header lines
• Task area — per-process metrics listed below the header

A typical top header looks like this:

top - 14:32:01 up 3 days, 4:12, 2 users, load average: 0.45, 0.31, 0.28
Tasks: 213 total, 1 running, 212 sleeping, 0 stopped, 0 zombie
%Cpu(s): 3.2 us, 1.1 sy, 0.0 ni, 95.3 id, 0.2 wa, 0.0 hi, 0.1 si, 0.0 st
MiB Mem : 15886.7 total, 8231.4 free, 4912.5 used, 2742.8 buff/cache
MiB Swap: 2048.0 total, 2048.0 free, 0.0 used. 10374.2 avail Mem
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
1234 www-data 20 0 123456 45678 9012 S 4.3 0.3 0:42.31 nginx
987 mysql 20 0 987654 321098 12345 S 1.7 2.0 3:12.04 mysqld
5678 root 20 0 65432 5678 3456 S 0.0 0.0 0:00.12 sshd

CPU State Percentages #

The %Cpu(s) line breaks CPU time into the following states:

• us — time running user-space (non-kernel) processes
• sy — time running kernel processes
• ni — time running user processes with a manually adjusted nice value
• id — idle time
• wa — time waiting for I/O to complete
• hi — time handling hardware interrupt requests
• si — time handling software interrupt requests
• st — time stolen from this virtual machine by the hypervisor (relevant on VMs)

High wa typically points to a disk or network I/O bottleneck. High us or sy points to CPU pressure. For memory details, see the free command. For load average context, see uptime .

Task Area Columns #

Common Interactive Controls #

Press these keys while top is running:

Refresh Interval and Batch Mode #

To change the refresh interval (seconds), use -d:

top -d 2

To run top in batch mode (non-interactive), use -b. This is useful for scripts and logs:

top -b -n 1

To capture multiple snapshots:

top -b -n 5 -d 1 > top-snapshot.txt

Filtering and Sorting #

Start top with a user filter:

top -u root

To monitor a specific process by PID, use -p:

top -p 1234

Pass a comma-separated list to monitor multiple PIDs at once:

top -p 1234,5678

To show individual threads instead of processes, use -H:

top -H

Thread view is useful when profiling multi-threaded applications — each thread appears as a separate row with its own CPU and memory usage.

Inside top, use:

• P to sort by CPU
• M to sort by memory
• u to show a specific user

For deeper process filtering, combine top with ps , pgrep , and kill .

Quick Reference #

Troubleshooting #

top is not installed Install the procps package (procps-ng on some distributions), then run top again.

Display refresh is too fast or too slow Use -d to tune the refresh rate, for example top -d 2.

Cannot kill or renice a process You may not own the process. Use sudo or run as a user with sufficient privileges.

FAQ #

What is the difference between top and htop? top is available by default on most Linux systems and is lightweight. htop provides a richer interactive UI with color coding, mouse support, and easier navigation, but requires a separate installation.

What does load average mean? Load average shows the average number of runnable or uninterruptible tasks over the last 1, 5, and 15 minutes. A value above the number of CPU cores indicates the system is under pressure. See uptime for more detail.

What is a zombie process? A zombie process has finished execution but its entry remains in the process table because the parent process has not yet read its exit status. A small number of zombie processes is harmless; a growing count may indicate a bug in the parent application.

What do VIRT, RES, and SHR mean? VIRT is the total virtual address space the process has reserved. RES is the actual physical RAM currently in use. SHR is the portion of RES that is shared with other processes (for example, shared libraries). RES minus SHR gives the memory used exclusively by that process.

Can I save top output to a file? Yes. Use batch mode, for example: top -b -n 1 > top.txt.

Conclusion #

The top command is one of the fastest ways to inspect process activity and system load in real time. Learn the interactive keys and sort options to diagnose performance issues quickly.

If you have any questions, feel free to leave a comment below.

sort is a command-line utility that sorts lines of text from files or standard input and writes the result to standard output. By default, sort arranges lines alphabetically, but it supports numeric sorting, reverse order, sorting by specific fields, and more.

This guide explains how to use the sort command with practical examples.

sort Command Syntax #

The syntax for the sort command is as follows:

sort [OPTIONS] [FILE]...

If no file is specified, sort reads from standard input. When multiple files are given, their contents are merged and sorted together.

Sorting Lines Alphabetically #

By default, sort sorts lines in ascending alphabetical order. To sort a file, pass the file name as an argument:

sort file.txt

For example, given a file with the following content:

banana
apple
cherry
date

Running sort produces:

apple
banana
cherry
date

The original file is not modified. sort writes the sorted output to standard output. To save the result to a file, use output redirection:

sort file.txt > sorted.txt

Sorting in Reverse Order #

To sort in descending order, use the -r (--reverse) option:

sort -r file.txt

date
cherry
banana
apple

Sorting Numerically #

Alphabetical sorting does not work correctly for numbers. For example, 10 would sort before 2 because 1 comes before 2 alphabetically. Use the -n (--numeric-sort) option to sort numerically:

sort -n numbers.txt

Given the file:

10
2
30
5

The output is:

2
5
10
30

To sort numerically in reverse (largest first), combine -n and -r:

sort -nr numbers.txt

30
10
5
2

Sorting by a Specific Column #

By default, sort uses the entire line as the sort key. To sort by a specific field (column), use the -k (--key) option followed by the field number.

Fields are separated by whitespace by default. For example, to sort the following file by the second column (file size):

report.pdf 2500
notes.txt 80
archive.tar 15000
readme.md 200

sort -k2 -n files.txt

notes.txt 80
readme.md 200
report.pdf 2500
archive.tar 15000

To use a different field separator, specify it with the -t option. For example, to sort /etc/passwd by the third field (UID), using : as the separator:

sort -t: -k3 -n /etc/passwd

Removing Duplicate Lines #

To output only unique lines (removing adjacent duplicates after sorting), use the -u (--unique) option:

sort -u file.txt

Given a file with repeated entries:

apple
banana
apple
cherry
banana

apple
banana
cherry

This is equivalent to running sort file.txt | uniq.

Ignoring Case #

By default, sort is case-sensitive. Uppercase letters sort before lowercase. To sort case-insensitively, use the -f (--ignore-case) option:

sort -f file.txt

Checking if a File Is Already Sorted #

To verify that a file is already sorted, use the -c (--check) option. It exits silently if the file is sorted, or prints an error and exits with a non-zero status if it is not:

sort -c file.txt

sort: file.txt:2: disorder: banana

This is useful in scripts to validate input before processing.

Sorting Human-Readable Sizes #

When working with output from commands like du, sizes are expressed in human-readable form such as 1K, 2M, or 3G. Standard numeric sort does not handle these correctly. Use the -h (--human-numeric-sort) option:

du -sh /var/* | sort -h

4.0K /var/backups
16K /var/cache
1.2M /var/log
3.4G /var/lib

Combining sort with Other Commands #

sort is commonly used in pipelines with other commands.

To count and rank the most frequent words in a file, combine grep , sort, and uniq:

grep -Eo '[[:alnum:]_]+' file.txt | sort | uniq -c | sort -rn

To display the ten largest files in a directory, combine sort with head :

du -sh /var/* | sort -rh | head -10

To extract and sort a specific field from a CSV using cut :

cut -d',' -f2 data.csv | sort

Quick Reference #

For a printable quick reference, see the sort cheatsheet .

Troubleshooting #

Numbers sort in wrong order
You are using alphabetical sort on numeric data. Add the -n option to sort numerically: sort -n file.txt.

Human-readable sizes sort incorrectly
Sizes like 1K, 2M, and 3G require -h (--human-numeric-sort). Standard -n only handles plain integers.

Uppercase entries appear before lowercase
sort is case-sensitive by default. Use -f to sort case-insensitively, or use LC_ALL=C sort to enforce byte-order sorting.

Output looks correct on screen but differs from file
Output redirection with > truncates the file before reading. Never redirect to the same file you are sorting: sort file.txt > file.txt will empty the file. Use a temporary file or the sponge utility from moreutils.

FAQ #

Does sort modify the original file?
No. sort writes to standard output and never modifies the input file. Use sort file.txt > sorted.txt or sort -o file.txt file.txt to save the output.

How do I sort a file and save it in place?
Use the -o option: sort -o file.txt file.txt. Unlike > file.txt, the -o option is safe to use with the same input and output file.

How do I sort by the last column?
Use a negative field number with the -k option: sort -k-1 sorts by the last field. Alternatively, use awk to reorder columns before sorting.

What is the difference between sort -u and sort | uniq?
sort -u is slightly more efficient as it removes duplicates during sorting. sort | uniq is more flexible because uniq supports options like -c (count occurrences) and -d (show only duplicates).

How do I sort lines randomly?
Use sort -R (random sort) or the shuf command: shuf file.txt. Both produce a random permutation of the input lines.

Conclusion #

The sort command is a versatile tool for ordering lines of text in files or command output. It is most powerful when combined with other commands like grep , cut , and head in pipelines.

If you have any questions, feel free to leave a comment below.

journalctl is a command-line utility for querying and displaying logs collected by systemd-journald, the systemd logging daemon. It gives you structured access to all system logs — kernel messages, service output, authentication events, and more — from a single interface.

This guide explains how to use journalctl to view, filter, and manage system logs.

journalctl Command Syntax #

The general syntax for the journalctl command is:

journalctl [OPTIONS] [MATCHES]

When invoked without any options, journalctl displays all collected logs starting from the oldest entry, piped through a pager (usually less). Press q to exit.

Only the root user or members of the adm or systemd-journal groups can read system logs. Regular users can view their own user journal with the --user flag.

Quick Reference #

For a printable quick reference, see the journalctl cheatsheet .

Viewing System Logs #

To view all system logs, run journalctl without any options:

journalctl

To show the most recent entries first, use the -r flag:

journalctl -r

To jump directly to the end of the log, use -e:

journalctl -e

To show the last N lines (similar to tail ), use the -n flag:

journalctl -n 50

To disable the pager and print directly to the terminal, use --no-pager:

journalctl --no-pager

Following Logs in Real Time #

To stream new log entries as they arrive (similar to tail -f), use the -f flag:

journalctl -f

This is one of the most useful options for monitoring a running service or troubleshooting an active issue. Press Ctrl+C to stop.

Filtering by Systemd Unit #

To view logs for a specific systemd service, use the -u flag followed by the unit name:

journalctl -u nginx

You can combine -u with other filters. For example, to follow nginx logs in real time:

journalctl -u nginx -f

To view logs for multiple units at once, specify -u more than once:

journalctl -u nginx -u php-fpm

To print the last 100 lines for a service without the pager:

journalctl -u nginx -n 100 --no-pager

For more on starting and stopping services, see how to start, stop, and restart Nginx and Apache .

Filtering by Time #

Use --since and --until to limit log output to a specific time range.

To show logs since a specific date and time:

journalctl --since "2026-02-01 10:00"

To show logs within a window:

journalctl --since "2026-02-01 10:00" --until "2026-02-01 12:00"

journalctl accepts many natural time expressions:

journalctl --since "1 hour ago"
journalctl --since "yesterday"
journalctl --since today

You can combine time filters with unit filters. For example, to view nginx logs from the past hour:

journalctl -u nginx --since "1 hour ago"

Filtering by Priority #

systemd uses the standard syslog priority levels. Use the -p flag to filter by severity:

journalctl -p err

The output will include the specified priority and all higher-severity levels. The available priority levels from highest to lowest are:

To view only warnings and above from the last hour:

journalctl -p warning --since "1 hour ago"

Filtering by Boot #

The journal stores logs from multiple boots. Use -b to filter by boot session.

To view logs from the current boot:

journalctl -b

To view logs from the previous boot:

journalctl -b -1

To list all available boot sessions with their IDs and timestamps:

journalctl --list-boots

The output will look something like this:

-2 abc123def456 Mon 2026-02-24 08:12:01 CET—Mon 2026-02-24 18:43:22 CET
-1 def456abc789 Tue 2026-02-25 09:05:14 CET—Tue 2026-02-25 21:11:03 CET
0 789abcdef012 Wed 2026-02-26 08:30:41 CET—Wed 2026-02-26 14:00:00 CET

To view logs for a specific boot ID:

journalctl -b abc123def456

To view errors from the previous boot:

journalctl -b -1 -p err

Kernel Messages #

To view kernel messages only (equivalent to dmesg ), use the -k flag:

journalctl -k

To view kernel messages from the current boot:

journalctl -k -b

To view kernel errors from the previous boot:

journalctl -k -p err -b -1

Filtering by Process #

In addition to filtering by unit, you can filter logs by process name, executable path, PID, or user ID using journal fields.

To filter by process name:

journalctl _COMM=sshd

To filter by executable path:

journalctl _EXE=/usr/sbin/sshd

To filter by PID:

journalctl _PID=1234

To filter by user ID:

journalctl _UID=1000

Multiple fields can be combined to narrow the results further.

Searching Log Messages #

To search log messages by a pattern, use the -g flag followed by a regular expression:

journalctl -g "failed"

To search within a specific unit:

journalctl -u ssh -g "invalid user"

You can also pipe journalctl output to grep for more complex matching:

journalctl -u nginx -n 500 --no-pager | grep -i "upstream"

Output Formats #

By default, journalctl displays logs in a human-readable format. Use the -o flag to change the output format.

To display logs with ISO 8601 timestamps:

journalctl -o short-iso

To display logs as JSON (useful for scripting and log shipping):

journalctl -o json-pretty

To display message text only, without metadata:

journalctl -o cat

The most commonly used output formats are:

Managing Journal Size #

The journal stores logs on disk under /var/log/journal/. To check how much disk space the journal is using:

journalctl --disk-usage

Archived and active journals take up 512.0M in the file system.

To reduce the journal size, use the --vacuum-size, --vacuum-time, or --vacuum-files options:

journalctl --vacuum-size=500M

journalctl --vacuum-time=30d

journalctl --vacuum-files=5

These commands remove old archived journal files until the specified limit is met. To configure a permanent size limit, edit /etc/systemd/journald.conf and set SystemMaxUse=.

Practical Troubleshooting Workflow #

When a service fails, we can use a short sequence to isolate the issue quickly. First, check service state with systemctl :

sudo systemctl status nginx

Then inspect recent error-level logs for that unit:

sudo journalctl -u nginx -p err -n 100 --no-pager

If the problem started after reboot, inspect previous boot logs:

sudo journalctl -u nginx -b -1 -p err --no-pager

To narrow the time window around the incident:

sudo journalctl -u nginx --since "30 minutes ago" --no-pager

If you need pattern matching across many lines, pipe to grep :

sudo journalctl -u nginx -n 500 --no-pager | grep -Ei "error|failed|timeout"

Troubleshooting #

“No journal files were found”
The systemd journal may not be persistent on your system. Check if /var/log/journal/ exists. If it does not, create it with mkdir -p /var/log/journal and restart systemd-journald. Alternatively, set Storage=persistent in /etc/systemd/journald.conf.

“Permission denied” reading logs
Regular users can only access their own user journal. To read system logs, run journalctl with sudo, or add your user to the adm or systemd-journal group: usermod -aG systemd-journal USERNAME.

-g pattern search returns no results
The -g flag uses PCRE2 regular expressions. Make sure the pattern is correct and that your journalctl version supports -g (available on modern systemd releases). As an alternative, pipe the output to grep.

Logs missing after reboot
The journal is stored in memory by default on some distributions. To enable persistent storage across reboots, set Storage=persistent in /etc/systemd/journald.conf and restart systemd-journald.

Journal consuming too much disk space
Use journalctl --disk-usage to check the current size, then journalctl --vacuum-size=500M to trim old entries. For a permanent limit, configure SystemMaxUse= in /etc/systemd/journald.conf.

FAQ #

What is the difference between journalctl and /var/log/syslog?
/var/log/syslog is a plain text file written by rsyslog or syslog-ng. journalctl reads the binary systemd journal, which stores structured metadata alongside each message. The journal offers better filtering, field-based queries, and persistent boot tracking.

How do I view logs for a service that keeps restarting?
Use journalctl -u servicename -f to follow logs in real time, or journalctl -u servicename -n 200 to view the most recent entries. Adding -p err will surface only error-level messages.

How do I check logs from before the current boot?
Use journalctl -b -1 for the previous boot, or journalctl --list-boots to see all available boot sessions and then journalctl -b BOOTID to query a specific one.

Can I export logs to a file?
Yes. Use journalctl --no-pager > output.log for plain text, or journalctl -o json-pretty > output.json for structured JSON. You can combine this with any filter flags.

How do I reduce the amount of disk space used by the journal?
Run journalctl --vacuum-size=500M to immediately trim archived logs to 500 MB. For a persistent limit, set SystemMaxUse=500M in /etc/systemd/journald.conf and restart the journal daemon with systemctl restart systemd-journald.

Conclusion #

journalctl is a powerful and flexible tool for querying the systemd journal. Whether you are troubleshooting a failing service, reviewing kernel messages, or auditing authentication events, mastering its filter options saves significant time. If you have any questions, feel free to leave a comment below.

PHP error reporting controls which errors are shown, logged, or silently ignored. Configuring it correctly is essential during development — where you want full visibility — and on production servers — where errors should be logged but never displayed to users.

This guide explains how to configure PHP error reporting using php.ini, the error_reporting() function, and .htaccess. If you are not sure which PHP version is active, first check it with the PHP version guide .

Quick Reference #

PHP Error Levels #

PHP categorizes errors into levels. Each level has a name (constant) and a numeric value. You can combine levels using bitwise operators to control exactly which errors are reported.

The most commonly used levels are:

• E_ERROR — fatal errors that stop script execution (undefined function, missing module)
• E_WARNING — non-fatal errors that allow execution to continue (wrong function argument, missing include)
• E_PARSE — syntax errors detected at parse time; always stop execution
• E_NOTICE — minor issues such as using an undefined variable; useful during development
• E_DEPRECATED — warnings about features that will be removed in future PHP versions
• E_ALL — all errors and warnings; recommended during development

For a full list of error constants, see the PHP error constants documentation .

Configure Error Reporting in php.ini #

The php.ini file is the main configuration file for PHP. Changes here apply globally to all PHP scripts on the server. After editing php.ini, restart the web server for the changes to take effect.

To find the location of your active php.ini file, run:

php --ini

Enable Error Reporting #

Open php.ini and set the following directives:

; Report all errors
error_reporting = E_ALL

; Display errors on the page (development only)
display_errors = On

; Display startup sequence errors
display_startup_errors = On

Log Errors to a File #

To write errors to a log file instead of displaying them, set:

; Disable displaying errors
display_errors = Off

; Enable error logging
log_errors = On

; Set the path to the log file
error_log = /var/log/php/error.log

Make sure the directory exists and is writable by the web server user. To create the directory:

sudo mkdir -p /var/log/php
sudo chown www-data:www-data /var/log/php

Recommended Development Configuration #

error_reporting = E_ALL
display_errors = On
display_startup_errors = On
log_errors = On
error_log = /var/log/php/error.log

Recommended Production Configuration #

error_reporting = E_ALL & ~E_DEPRECATED
display_errors = Off
display_startup_errors = Off
log_errors = On
error_log = /var/log/php/error.log

This reports all serious errors while suppressing deprecation notices, and logs everything without displaying anything to users.

Configure Error Reporting at Runtime #

You can override php.ini settings within a PHP script using the error_reporting() function and ini_set(). Runtime changes apply only to the current script.

To enable all errors at the top of a script:

<?php
ini_set('display_errors', '1');
ini_set('display_startup_errors', '1');
error_reporting(E_ALL);

To report all errors except notices:

<?php
error_reporting(E_ALL & ~E_NOTICE);

To suppress all error output (not recommended for debugging):

<?php
error_reporting(0);

Runtime configuration is useful during development when you do not have access to php.ini, but it should not replace proper server-level configuration on production systems.

Configure Error Reporting in .htaccess #

If you are on a shared hosting environment without access to php.ini, you can configure PHP error reporting via .htaccess (when PHP runs as an Apache module):

php_flag display_errors On
php_value error_reporting -1
php_flag log_errors On
php_value error_log /var/log/php/error.log

Using -1 for error_reporting enables all possible errors, including those added in future PHP versions.

View PHP Error Logs #

Once log_errors is enabled, errors are written to the file specified by error_log. To monitor the log in real time, use the tail -f command:

tail -f /var/log/php/error.log

If no error_log path is set, PHP writes errors to the web server error log:

• Apache: /var/log/apache2/error.log
• Nginx + PHP-FPM: /var/log/nginx/error.log and /var/log/php/php-fpm.log

For related service commands, see how to start, stop, or restart Apache and how to start, stop, or restart Nginx .

Troubleshooting #

Errors are not displayed even with display_errors = On
Confirm you are editing the correct php.ini file. Run php --ini or call phpinfo() in a script to see which configuration file is loaded and the current value of display_errors.

Changes to php.ini have no effect
The web server must be restarted after editing php.ini. For Apache, run sudo systemctl restart apache2. For Nginx + PHP-FPM, restart Nginx and your versioned PHP-FPM service (for example, sudo systemctl restart nginx php8.3-fpm).

No errors appear in the log file
Check that the log file path is writable by the web server user (www-data or nginx), and that log_errors = On is set in the active php.ini.

ini_set('display_errors', '1') has no effect
Fatal parse errors (E_PARSE) occur before any PHP code runs, so ini_set() cannot catch them. Enable display_errors in php.ini or .htaccess to see parse errors.

Error suppression operator @ hides errors
PHP’s @ prefix suppresses errors for a single expression. If errors from a specific function are missing from logs, check whether the call is prefixed with @.

FAQ #

What is the difference between display_errors and log_errors?
display_errors controls whether errors are output directly to the browser or CLI. log_errors controls whether errors are written to the error log file. On production, always set display_errors = Off and log_errors = On.

Which error_reporting level should I use?
Use E_ALL during development to catch every possible issue. On production, use E_ALL & ~E_DEPRECATED to log serious errors while suppressing deprecation notices that do not require immediate action.

How do I check the current error reporting level?
Call error_reporting() with no arguments: it returns the current bitmask as an integer. You can also check it in the output of phpinfo().

Can I log errors to a database instead of a file?
Not directly via php.ini. Use a custom error handler registered with set_error_handler() and set_exception_handler() to send errors to a database, email, or external logging service.

Where is php.ini located?
Run php --ini from the command line or add <?php phpinfo(); ?> to a script and load it in a browser. The “Loaded Configuration File” row shows the active path. Common locations are /etc/php/8.x/cli/php.ini (CLI) and /etc/php/8.x/apache2/php.ini (Apache).

Conclusion #

During development, set error_reporting = E_ALL and display_errors = On in php.ini to see all errors immediately. On production, set display_errors = Off and log_errors = On to log errors silently without exposing details to users.

Make changes in php.ini for permanent server-wide configuration, use error_reporting() and ini_set() for per-script overrides, or use .htaccess on shared hosting without php.ini access.

If you have any questions, feel free to leave a comment below.

The patch command applies a set of changes described in a diff file to one or more original files. It is the standard way to distribute and apply source code changes, security fixes, and configuration updates in Linux, and pairs directly with the diff command.

This guide explains how to use the patch command in Linux with practical examples.

Syntax #

The general syntax of the patch command is:

patch [OPTIONS] [ORIGINALFILE] [PATCHFILE]

You can pass the patch file using the -i option or pipe it through standard input:

patch [OPTIONS] -i patchfile [ORIGINALFILE]
patch [OPTIONS] [ORIGINALFILE] < patchfile

patch Options #

Create and Apply a Basic Patch #

The most common workflow is to use diff to generate a patch file and patch to apply it.

Start with two versions of a file. Here is the original:

print("Hello, World!")
print("Version 1")

And the updated version:

print("Hello, Linux!")
print("Version 2")

Use diff with the -u flag to generate a unified diff and save it to a patch file:

diff -u hello.py hello_new.py > hello.patch

The hello.patch file will contain the following differences:

--- hello.py 2026-02-21 10:00:00.000000000 +0100
+++ hello_new.py 2026-02-21 10:05:00.000000000 +0100
@@ -1,2 +1,2 @@
-print("Hello, World!")
-print("Version 1")
+print("Hello, Linux!")
+print("Version 2")

To apply the patch to the original file:

patch hello.py hello.patch

patching file hello.py

hello.py now contains the updated content from hello_new.py.

Dry Run Before Applying #

Use --dry-run to test whether a patch will apply cleanly without actually modifying any files:

patch --dry-run hello.py hello.patch

patching file hello.py

If the patch cannot be applied cleanly, patch reports the conflict without touching any files. This is useful before applying patches from external sources or when you are unsure whether a patch has already been applied.

Back Up the Original File #

Use the -b option to create a backup of the original file before applying the patch. The backup is saved with a .orig extension:

patch -b hello.py hello.patch

patching file hello.py

After running this command, hello.py.orig contains the original unpatched file. You can restore it manually if needed.

Strip Path Components with -p #

When a patch file is generated from a different directory structure than the one where you apply it, the file paths inside the patch may not match your local paths. Use -p N to strip N leading path components from the paths recorded in the patch.

For example, a patch generated with git diff will reference files like:

--- a/src/utils/hello.py
+++ b/src/utils/hello.py

To apply this patch from the project root, use -p1 to strip the a/ and b/ prefixes:

patch -p1 < hello.patch

-p1 is the standard option for patches generated by git diff and by diff -u from the root of a project directory. Without it, patch would look for a file named a/src/utils/hello.py on disk, which does not exist.

Reverse a Patch #

Use the -R option to undo a previously applied patch and restore the original file:

patch -R hello.py hello.patch

patching file hello.py

The file is restored to its state before the patch was applied.

Apply a Multi-File Patch #

A single patch file can contain changes to multiple files. In this case, you do not specify a target file on the command line — patch reads the file names from the diff headers inside the patch:

patch -p1 < project.patch

patch processes each file name from the diff headers and applies the corresponding changes. Use -p1 when the patch was produced by git diff or diff -u from the project root.

Quick Reference #

Troubleshooting #

Hunk #1 FAILED at line N.
The patch does not match the current content of the file. This usually means the file has already been modified since the patch was created, or you are applying the patch against the wrong version. patch creates a .rej file containing the failed hunk so you can review and apply the change manually.

Reversed (or previously applied) patch detected! Assume -R?
patch has detected that the changes in the patch are already present in the file — the patch may have been applied before. Answer y to reverse the patch or n to skip it. Use -N (--forward) to automatically skip already-applied patches without prompting.

patch: **** malformed patch at line N
The patch file is corrupted or not in a recognized format. Make sure the patch was generated with diff -u (unified format). Non-unified formats require the -c (context) or specific format flag to be passed to patch.

File paths in the patch do not match files on disk.
Adjust the -p N value. Run patch --dry-run -p0 < changes.patch first, then increment N (-p1, -p2) until patch finds the correct files.

FAQ #

How do I create a patch file?
Use the diff command with the -u flag: diff -u original.txt updated.txt > changes.patch. The -u flag produces a unified diff, which is the format patch works with by default. See the diff command guide for details.

What does -p1 mean?
-p1 tells patch to strip one leading path component from file names in the patch. Patches generated by git diff prefix file paths with a/ and b/, so -p1 removes that prefix before patch looks for the file on disk.

How do I undo a patch I already applied?
Run patch -R originalfile patchfile. patch reads the diff in reverse and restores the original content.

What is a .rej file?
When patch cannot apply one or more sections of a patch (called hunks), it writes the failed hunks to a file with a .rej extension alongside the original file. You can open the .rej file and apply those changes manually.

What is the difference between patch and git apply?
Both apply diff files, but git apply is designed for use inside a Git repository and integrates with the Git index. patch is a standalone POSIX tool that works on any file regardless of version control.

Conclusion #

The patch command is the standard tool for applying diff files in Linux. Use --dry-run to verify a patch before applying it, -b to keep a backup of the original, and -R to reverse changes when needed.

If you have any questions, feel free to leave a comment below.