| **Log Source**       | **File/Log**                              | **Sample Command**                                                                      | **Purpose/What You'll See**                |
| -------------------- | ----------------------------------------- | --------------------------------------------------------------------------------------- | ------------------------------------------ |
| **Nginx (Access)**   | `/var/log/nginx/access.log`               | `tail -f /var/log/nginx/access.log`                                                     | Live/new web access requests               |
|                      |                                           | `less /var/log/nginx/access.log`                                                        | Browse/search whole log                    |
|                      |                                           | `awk '{print $1}' /var/log/nginx/access.log \| sort \| uniq -c \| sort -nr \| head -20` | Top IPs by request count                   |
|                      |                                           | `awk '$9 == 404' /var/log/nginx/access.log`                                             | List 404 responses (status is field 9 in the default log format) |
| **Nginx (Error)**    | `/var/log/nginx/error.log`                | `tail -f /var/log/nginx/error.log`                                                      | See live Nginx errors                      |
|                      |                                           | `less /var/log/nginx/error.log`                                                         | Browse/search error log                    |
| **fail2ban**         | `/var/log/fail2ban.log`                   | `tail -f /var/log/fail2ban.log`                                                         | See bans/unbans in real-time               |
|                      |                                           | `less /var/log/fail2ban.log`                                                            | Browse/search entire fail2ban history      |
|                      | fail2ban-client                           | `sudo fail2ban-client status`                                                           | See all jails and summary info             |
|                      |                                           | `sudo fail2ban-client status sshd`                                                      | See status and bans for SSH jail           |
| **SSH (Auth)**       | `/var/log/auth.log`                       | `tail -f /var/log/auth.log`                                                             | Watch all authentication events live       |
|                      |                                           | `grep "Failed password" /var/log/auth.log`                                              | Failed SSH logins                          |
|                      |                                           | `grep "Accepted publickey" /var/log/auth.log`                                           | SSH key-based logins                       |
| **UFW Firewall**     | `/var/log/ufw.log`                        | `tail -f /var/log/ufw.log`                                                              | See UFW firewall activity live             |
|                      |                                           | `grep "BLOCK" /var/log/ufw.log`                                                         | Blocked packets                            |
| **Systemd/Journald** | `journalctl` (aggregates most logs)       | `sudo journalctl -u nginx`                                                              | Nginx logs (including service restarts)    |
|                      |                                           | `sudo journalctl -u gunicorn-sechome`                                                   | Flask/Gunicorn service logs                |
|                      |                                           | `sudo journalctl -u fail2ban`                                                           | fail2ban service logs                      |
|                      |                                           | `sudo journalctl -xe`                                                                   | Recent system events/errors                |
| **Mail**             | `/var/log/mail.log` or `/var/log/maillog` | `tail -f /var/log/mail.log`                                                             | Outgoing/incoming mail messages and errors |
| **Flask/Gunicorn**   | service/stdout (journal, systemd)         | `sudo journalctl -u gunicorn-sechome`                                                   | Gunicorn service output/errors             |
|                      | (if logging manually)                     | `tail -f /path/to/your/flask.log`                                                       | Flask app logs if file logging is enabled  |

**Tips:**

- Use `less` for full log browsing, `tail -n N` to see the last _N_ lines, and `grep` for pattern search. Chain commands with a pipe (`|`) for more complex queries.
- Replace `gunicorn-sechome` with your actual systemd service name if different.
- Most commands work as-is in Kitty or any other terminal, and you can combine them for more granular forensics (e.g., `grep "POST" /var/log/nginx/access.log | less`).
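
As an added example of combining sources (not part of the original cheat sheet), the script below correlates the `Failed password` lines from `auth.log` with `Ban`/`Unban` lines from `fail2ban.log` to list IPs that reached a failure threshold but are not currently banned. The function names are hypothetical, the log lines are constructed samples, and the default sshd and fail2ban line formats are assumed.

```shell
#!/usr/bin/env bash
# Added example: which IPs keep failing SSH logins but are not currently banned?
# All log lines below are constructed samples (documentation IP ranges).
AUTH_SAMPLE='Jan 10 03:14:01 web1 sshd[811]: Failed password for root from 203.0.113.7 port 40112 ssh2
Jan 10 03:14:03 web1 sshd[811]: Failed password for root from 203.0.113.7 port 40112 ssh2
Jan 10 03:14:05 web1 sshd[811]: Failed password for root from 203.0.113.7 port 40112 ssh2
Jan 10 04:20:10 web1 sshd[902]: Failed password for invalid user admin from 198.51.100.23 port 51514 ssh2
Jan 10 04:20:12 web1 sshd[902]: Failed password for invalid user test from 198.51.100.23 port 51514 ssh2
Jan 10 04:20:15 web1 sshd[902]: Failed password for deploy from 198.51.100.23 port 51514 ssh2
Jan 10 05:01:44 web1 sshd[950]: Failed password for deploy from 192.0.2.50 port 60022 ssh2
Jan 10 05:02:10 web1 sshd[951]: Accepted publickey for deploy from 192.0.2.50 port 60030 ssh2: ED25519 SHA256:EXAMPLE'
F2B_SAMPLE='2025-01-09 22:00:00,101 fail2ban.actions [702]: NOTICE [sshd] Ban 198.51.100.23
2025-01-09 22:10:00,204 fail2ban.actions [702]: NOTICE [sshd] Unban 198.51.100.23
2025-01-10 03:14:06,411 fail2ban.actions [702]: NOTICE [sshd] Ban 203.0.113.7'

# stdin: auth.log lines. Output: "<count> <ip>", highest count first.
# The IP is read after the LAST " from " so text in the username field cannot shift it.
failed_by_ip() {
  awk '/sshd\[[0-9]+\]: Failed password for / {
         n = split($0, parts, " from ")
         split(parts[n], rest, " ")
         count[rest[1]]++
       }
       END { for (ip in count) print count[ip], ip }' | sort -k1,1nr -k2,2
}

# stdin: fail2ban.log lines, $1: jail name. Output: IPs whose latest action is Ban.
banned_ips() {
  awk -v jail="[$1]" '/fail2ban\.actions/ {
         for (i = 1; i + 2 <= NF; i++)
           if ($i == jail && ($(i+1) == "Ban" || $(i+1) == "Unban"))
             state[$(i+2)] = $(i+1)
       }
       END { for (ip in state) if (state[ip] == "Ban") print ip }' | sort
}

# $1: auth log file, $2: fail2ban log file, $3: minimum number of failures.
unbanned_offenders() {
  banned=$(banned_ips sshd < "$2")
  failed_by_ip < "$1" | while read -r n ip; do
    [ "$n" -ge "$3" ] || continue
    printf '%s\n' "$banned" | grep -qxF -- "$ip" || echo "$n $ip"
  done
}

run_sample() {  # write the constructed samples to temp files and run the check
  dir=$(mktemp -d) || return 1
  printf '%s\n' "$AUTH_SAMPLE" > "$dir/auth.log"
  printf '%s\n' "$F2B_SAMPLE" > "$dir/fail2ban.log"
  unbanned_offenders "$dir/auth.log" "$dir/fail2ban.log" 3
  rm -rf "$dir"
}
run_sample
```

On a live host, call `unbanned_offenders /var/log/auth.log /var/log/fail2ban.log 5` with `sudo` if the logs are not readable by your user.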
