Copy-paste ready commands for disk usage, process management, log inspection, network troubleshooting, and more. No fluff — just the commands you reach for at 2 AM.
Everyday commands with flags you actually use.
Show disk space usage for all mounted filesystems in human-readable format. Quick first check when a server reports disk full errors.
df -h
# Show specific filesystem
df -h /var/log
# Show inodes (useful when df shows free space but writes fail)
df -iShow disk usage by directory. Start at root and drill down to find what's eating disk space.
du -sh /*
# Top 10 largest directories under /var
du -h /var | sort -rh | head -10
# Find files larger than 100MB
find / -type f -size +100M 2>/dev/nullList all running processes with CPU and memory usage. Pipe through sort and head to see the top consumers immediately.
# Top CPU consumers
ps aux --sort=-%cpu | head -20
# Top memory consumers
ps aux --sort=-%mem | head -20
# Find a specific process
ps aux | grep nginxInteractive real-time process viewer. Press M to sort by memory, P for CPU, k to kill a process by PID.
# Non-interactive snapshot (useful in scripts)
top -b -n 1 | head -30
# Show threads
top -H
# Monitor specific PID
top -p 1234Report memory and swap usage. The available column is what actually matters — it accounts for reclaimable cache.
free -h
# Watch memory every 2 seconds
watch -n 2 free -h
# Show memory in MB
free -mManage systemd services. The most common daily driver for controlling daemons on modern Linux distributions.
systemctl status nginx
systemctl restart nginx
systemctl reload nginx # Reload config without restart
systemctl enable --now nginx # Enable + start in one step
systemctl list-units --failed # Show failed unitsQuery the systemd journal. More powerful than grepping /var/log directly — filter by service, time range, or priority level.
# Recent errors with context
journalctl -xe
# Follow logs for a service
journalctl -fu nginx
# Logs since last boot
journalctl -b
# Last hour, errors only
journalctl --since "1 hour ago" -p errList all listening TCP and UDP ports with the process name. Replacement for netstat — faster and available by default on modern distros.
# All listening ports with process names
ss -tulpn
# Established connections only
ss -tnp state established
# Check if port 80 is in use
ss -tulpn | grep :80
# Connection count by state
ss -sCount TCP connections by state. Useful when investigating connection exhaustion or TIME_WAIT buildup under load.
# Count by state
ss -tn | awk 'NR>1 {print $1}' | sort | uniq -c | sort -rn
# Top remote IPs by connection count
ss -tn state established | awk 'NR>1 {print $5}' \
| cut -d: -f1 | sort | uniq -c | sort -rn | head -20Follow log files in real time or search for patterns. Combine with grep for filtering; use -A/-B flags for context lines.
# Follow a log file in real time
tail -f /var/log/syslog
# Show last 100 lines
tail -n 100 /var/log/nginx/error.log
# Follow + filter
tail -f /var/log/syslog | grep --line-buffered "error"
# Context around matches
grep -B2 -A5 "OOM" /var/log/syslogList block devices with filesystem types, labels, and UUIDs. Good first step when diagnosing mount issues or new disk provisioning.
lsblk -f
# Show disk info including model names
lsblk -o NAME,SIZE,MODEL,MOUNTPOINT
# Show UUIDs (useful for /etc/fstab)
blkidTrace system calls made by a process. Invaluable for debugging permission errors, missing files, and hangs — without source code.
# Attach to running process
strace -p 1234
# Filter by syscall type
strace -p 1234 -e trace=open,read,write
# Summary of syscall counts
strace -c -p 1234
# Trace a new command
strace ls /etcSend signals to processes. Always try SIGTERM (15) first — it lets the process clean up. SIGKILL (9) is the last resort and can leave temp files or locks behind.
# Graceful shutdown first
kill PID
# Force kill if it ignores SIGTERM
kill -9 PID
# Kill by name
pkill nginx
# Kill all matching, with confirmation prompt
pkill -e nginx
# Kill everything owned by a user
pkill -u www-dataExtended disk I/O statistics per device. Watch await (average I/O wait time in ms) and %util (device saturation). Values above 20ms await or 90% util are worth investigating.
# Extended stats, 1-second intervals, 5 samples
iostat -xz 1 5
# Key columns:
# r/s, w/s — reads/writes per second
# rkB/s — read throughput
# await — avg I/O response time (ms)
# %util — % of time device was busyCapture and inspect network packets. Invaluable for confirming whether traffic is actually reaching a server, debugging TLS handshake failures, or tracing unexpected connections.
# Capture port 80 traffic on eth0
tcpdump -i eth0 -nn port 80
# Capture to file for Wireshark analysis
tcpdump -i eth0 -w /tmp/capture.pcap
# Show only SYN packets (new connections)
tcpdump -i eth0 'tcp[tcpflags] & tcp-syn != 0'
# Filter by host and port
tcpdump -i any host 10.0.0.5 and port 443View and edit scheduled cron jobs. When a job isn't running, check the cron logs and verify the PATH — cron runs with a minimal environment, so absolute paths are safer.
# List current user's crontab
crontab -l
# Edit crontab
crontab -e
# List another user's crontab
crontab -u www-data -l
# Check cron execution logs
grep CRON /var/log/syslog | tail -20
# System-wide cron jobs
ls /etc/cron.d/ /etc/cron.daily/ /etc/cron.hourly/Extract and aggregate data from structured log files. Faster than writing scripts for common tasks like counting 5xx errors or finding the top client IPs.
# Count HTTP 5xx errors in nginx access log
awk '$9 >= 500' /var/log/nginx/access.log | wc -l
# Top 10 client IPs by request count
awk '{print $1}' /var/log/nginx/access.log \
| sort | uniq -c | sort -rn | head -10
# Average response time (field 11 in some formats)
awk '{sum+=$11; count++} END {print sum/count "ms avg"}' /var/log/nginx/access.logTrace the network path to a host and measure per-hop latency. mtr combines ping and traceroute into a live view — better for diagnosing intermittent packet loss at a specific hop.
# Interactive live view
mtr example.com
# Non-interactive report (good for sharing)
mtr --report --report-cycles 10 example.com
# Classic traceroute (UDP by default)
traceroute example.com
# TCP traceroute (bypasses some firewalls)
traceroute -T -p 443 example.comEfficiently sync files locally or over SSH. Transfers only changed blocks, preserves permissions and timestamps, and can resume interrupted transfers.
# Sync to remote host
rsync -avz --progress /src/ user@host:/dest/
# Dry run first — always a good idea
rsync -avzn /src/ user@host:/dest/
# Delete files at destination not in source
rsync -avz --delete /src/ /dest/
# Exclude directories
rsync -avz --exclude='*.log' --exclude='tmp/' /src/ /dest/Always test nginx configuration before reloading. A bad config with a plain reload will silently fail; nginx -t catches syntax errors first without dropping connections.
# Test then reload in one command
nginx -t && systemctl reload nginx
# Test a specific config file
nginx -t -c /etc/nginx/nginx.conf
# Apache equivalent
apachectl configtest && systemctl reload apache2
# Show compiled-in modules and paths
nginx -V 2>&1 | tr -- - '\n' | grep -E 'prefix|conf'System-wide snapshot of CPU, memory, swap, and I/O every N seconds. The si/so (swap-in/swap-out) columns are the fastest way to confirm active swapping.
# Wide output, 1-second intervals, 10 samples
vmstat -w 1 10
# Key columns:
# r — processes waiting for CPU
# b — processes blocked on I/O
# si — swap read from disk (KB/s)
# so — swap written to disk (KB/s)
# us/sy/wa — user, sys, iowait CPU %List open files for a process — includes regular files, sockets, pipes, and devices. Useful for finding deleted-but-open files, checking which files a process is writing to, or who has a file locked.
# All open files for a PID
lsof -p PID
# What's using port 8080
lsof -i :8080
# Files opened by a user
lsof -u www-data
# Deleted files still held open (disk leak)
lsof | grep deleted
# Network connections for a process
lsof -p PID -iNo commands found matching . Try a different keyword.
Step-by-step diagnosis for common production incidents.
free, /proc/meminfo, smem, and when to worry about high memory usage versus normal caching behavior.
Using find, du, and ncdu to track down what's filling your disk. Includes sorted output and log rotation tips.
What thread counts mean in ps and /proc, why high counts aren't always a problem, and when they are.
CPU-bound or I/O-bound? How to tell the difference fast, find the offending process, and stop guessing.
Load is high but CPU looks idle. How to confirm a disk bottleneck with iostat, find the culprit process with iotop, and trace it to the exact file.
Quick health checks you can run over SSH right now.
# Load average (1, 5, 15 min)
uptime
# CPU info and core count
nproc
lscpu | grep -E 'CPU|Core|Thread'
# Real-time CPU stats
mpstat -P ALL 1 3
# Per-process CPU over time
pidstat 1 5# Current memory snapshot
free -h
# Detailed breakdown
cat /proc/meminfo | grep -E 'MemTotal|MemFree|MemAvailable|Cached|Buffers|SwapUsed'
# OOM killer activity
dmesg | grep -i "oom\|killed process"
# Swap usage by process
for p in /proc/[0-9]*/status; do
awk '/^(Name|VmSwap)/{printf "%s ",$2}' "$p"
echo
done | sort -k2 -rn | head -10# I/O stats per device (1-sec intervals)
iostat -xz 1 3
# Processes doing the most I/O
iotop -o -b -n 3
# Disk read/write throughput
cat /proc/diskstats
# Check for I/O scheduler
cat /sys/block/sda/queue/scheduler# Interface stats (bytes in/out)
ip -s link
# Watch bandwidth in real time
sar -n DEV 1 5
# Dropped packets check
ip -s link | grep -A4 "eth\|ens\|bond"
# TCP retransmit rate
ss -s | grep -i retrans# Everything at once
vmstat -w 1 5
# System info summary
hostnamectl
# Hardware errors (check dmesg for disk errors)
dmesg -T | grep -i "error\|fail\|warn" | tail -20
# Uptime and who is logged in
w# System-wide open files
cat /proc/sys/fs/file-nr
# Per-process fd usage
ls /proc/PID/fd | wc -l
# Configured limits
ulimit -n
# Check nginx or any service
cat /proc/$(pidof nginx | awk '{print $1}')/limitsFrom basic connectivity checks to firewall inspection.
DNS lookups with detailed output. Preferred over nslookup for scripting and troubleshooting propagation issues.
# Quick A record
dig +short example.com
# Full response with TTL
dig example.com A
# Reverse lookup
dig -x 8.8.8.8
# Query specific DNS server
dig @1.1.1.1 example.com
# Check MX records
dig example.com MX +shortModern replacement for ifconfig and route. Part of iproute2, available on all modern Linux systems.
# Show routing table
ip route show
# Show all interfaces and IPs
ip addr show
# Add a temporary route
ip route add 10.0.0.0/8 via 192.168.1.1
# Show neighbor table (ARP)
ip neigh showInspect firewall rules. Always check iptables before assuming a service is down — a blocked port is easy to miss.
# List all rules with line numbers
iptables -L -n -v --line-numbers
# Check nftables (newer systems)
nft list ruleset
# UFW status (Ubuntu)
ufw status verbose
# firewalld (RHEL/CentOS)
firewall-cmd --list-allTest HTTP endpoints, check headers, follow redirects. More useful than a browser when debugging server-side issues over SSH.
# Verbose request with timing
curl -v --max-time 10 https://example.com
# Check HTTP status code only
curl -o /dev/null -s -w "%{http_code}" https://example.com
# Follow redirects
curl -L https://example.com
# Test with specific DNS/IP
curl --resolve example.com:443:1.2.3.4 https://example.comFinding signal in the noise across syslog, journal, and application logs.
| Log File | What It Contains | Quick Check |
|---|---|---|
/var/log/syslogor messages on RHEL |
General system activity, kernel messages, daemon output | |
/var/log/auth.log |
SSH logins, sudo usage, PAM authentication, failed login attempts | |
/var/log/kern.log |
Kernel messages: hardware errors, OOM kills, filesystem issues | |
/var/log/nginx/ |
Access and error logs for Nginx. 5xx errors indicate application issues | |
journalctl |
Unified systemd journal. Covers all services without separate log files |
In-depth explanations for when the man page isn't enough.
Walking through free, /proc/meminfo, and smem — and explaining why "used" memory doesn't always mean what you think it does.
When df shows 98% usage and you need to know what to delete. Practical use of find, du, and ncdu.
What those thread numbers in ps and top mean, how to read /proc/PID/status, and when a high thread count actually signals a problem.
Load average spiked and your SSH session feels like wet concrete. Before you reboot anything, here's how to figure out whether it's CPU, disk I/O, or swap that's actually misbehaving.
Load is high but CPU looks idle — that means disk. Step-by-step: confirm with vmstat, find the saturated device with iostat, and trace it to the exact process and file.