5 Linux Commands Every Sysadmin Should Know

From ss to journalctl by way of lsof, these commands will save you precious time in day-to-day system administration.

In Linux system administration, we all end up building our own reflexes. A top here, a netstat there, a du -sh * when the disk fills up. These commands work, no one would argue otherwise. But they are showing their age. Tools have evolved, so have Linux kernels, and some alternatives more than deserve to replace your old habits.

This article presents five commands I use daily in production. They are not exotic, they don't require manual compilation, and they ship with most recent distributions. Their common thread: they do the job better, faster, and with more precision than their predecessors.

1. ss -- The modern replacement for netstat

If you are still using netstat, it is time to switch to ss. The ss command (Socket Statistics) queries the kernel's netlink subsystem directly, whereas netstat parses the /proc pseudo-filesystem. The result: noticeably lower response times, especially on servers with thousands of active connections.

Beyond performance, ss offers a built-in filtering system that is far more powerful than what netstat provides. You can filter by state, by port, by address, and even by buffer size.

# List all listening TCP connections along with the owning process
ss -tlnp

# Show established connections to port 443
ss -tn state established dport = :443

# View sockets with their timers (handy for debugging stuck connections)
ss -tnpo

Tip: Combine ss with watch to monitor connections evolving in real time: watch -n 1 'ss -tn state established | wc -l'. Useful for observing behavior during a deployment or a load spike.
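
An added example (not from the original article) that builds on ss -tlnp: it filters the output down to listeners bound to something other than loopback, which is the part worth reviewing on a server. The function names and the sample lines are constructed for illustration, and the parser assumes the TCP-only column layout that ss -tlnp prints.

```bash
#!/usr/bin/env bash
# Added example: list TCP listeners reachable from outside the loopback interface.
# Function names and sample data are constructed for illustration.

# Constructed sample in the column layout printed by `ss -tlnp`.
sample_ss_output() {
cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=812,fd=3))
LISTEN 0      4096       127.0.0.1:5432      0.0.0.0:*    users:(("postgres",pid=1020,fd=5))
LISTEN 0      511                *:80              *:*    users:(("nginx",pid=900,fd=6),("nginx",pid=899,fd=6))
LISTEN 0      128             [::]:22           [::]:*    users:(("sshd",pid=812,fd=4))
LISTEN 0      4096           [::1]:631          [::]:*    users:(("cupsd",pid=700,fd=7))
LISTEN 0      4096   127.0.0.53%lo:53        0.0.0.0:*    users:(("systemd-resolve",pid=600,fd=14))
EOF
}

# Reads `ss -tlnp` output on stdin and prints "port address process" for every
# listener whose local address is not loopback (127.0.0.0/8 or [::1]).
exposed_listeners() {
  awk '
    $1 == "LISTEN" && match($4, /:[^:]*$/) {    # split address:port at the last colon
      addr = substr($4, 1, RSTART - 1)
      port = substr($4, RSTART + 1)
      if (addr ~ /^127\./ || addr == "[::1]") next
      proc = "-"                                # process column is empty without root
      if (match($6, /\(\("[^"]+"/)) proc = substr($6, RSTART + 3, RLENGTH - 4)
      print port, addr, proc
    }' | LC_ALL=C sort -k1,1n -k2,2
}

# Live use: ss -tlnp | exposed_listeners
sample_ss_output | exposed_listeners
```

Run as root so the process column is populated; without it the third field is "-".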

2. journalctl -- Mastering systemd logs

Logs are where the real battle is fought in system administration. With systemd having become the norm on nearly every distribution, journalctl is the go-to tool for reading them. Unlike the classic tail -f /var/log/syslog, journalctl offers structured indexing and filtering by unit, by priority, and by time range.

One of its major advantages is correlation: you can cross-reference logs from several services over a precise time window, which considerably simplifies incident diagnosis.

# Follow logs in real time for a specific service
journalctl -fu nginx.service

# Show messages at priority err (3) or more severe, since midnight today
journalctl -p err --since today

# View logs from the previous boot only
journalctl -b -1 --no-pager

Tip: Journal logs can grow quickly. Check how much space they take with journalctl --disk-usage and configure rotation in /etc/systemd/journald.conf via the SystemMaxUse setting. On a production server, 500 MB to 1 GB is usually enough.

3. lsof -- See who is using what

lsof (List Open Files) is one of those tools you underestimate until you really need it. On Linux, everything is a file: network sockets, pipes, devices, open files. lsof gives you a complete view of what each process is using.

It is an irreplaceable diagnostic tool. A locked file you can't delete? lsof. A port already taken when a service starts? lsof. A process burning through too many file descriptors? lsof again.

# Find which process is using port 8080
lsof -i :8080

# List all files opened by a specific process
lsof -p 1234

# Find deleted files still held open (to free up disk space)
lsof +L1

Tip: The lsof +L1 command is especially useful when a disk shows as full while du doesn't reveal enough data to justify the usage. Files that have been deleted but are still open by processes keep occupying space until the process releases them. Identify them and restart the service in question.
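
An added example (not from the original article) for the situation in the tip above: it totals the space held by deleted-but-open files per process, so you know which service to restart first. The function names and sample lines are constructed, and the parser assumes the default lsof column layout (COMMAND PID USER FD TYPE DEVICE SIZE/OFF NLINK NODE NAME).

```bash
#!/usr/bin/env bash
# Added example: total the disk space pinned by deleted-but-open files, per process.
# Function names and sample data are constructed for illustration.

# Constructed sample in the default column layout of `lsof +L1`.
sample_lsof_output() {
cat <<'EOF'
COMMAND  PID     USER  FD  TYPE DEVICE   SIZE/OFF NLINK    NODE NAME
nginx    900 www-data  5w   REG  253,1 2147483648     0 1311234 /var/log/nginx/access.log.1 (deleted)
java    4321      app 12w   REG  253,1  524288000     0 1312001 /opt/app/logs/app.log (deleted)
java    4321      app 13w   REG  253,1  104857600     0 1312002 /opt/app/logs/gc.log (deleted)
java    4321      app 14w   REG  253,1  104857600     0 1312002 /opt/app/logs/gc.log (deleted)
bash    2210    alice  3r   REG  253,1     0t4096     0 1312500 /tmp/scratch (deleted)
EOF
}

# Reads `lsof +L1` output on stdin and prints "bytes pid command", largest first.
held_space_by_pid() {
  awk '
    NR == 1 && $1 == "COMMAND" { next }   # skip the header line
    $5 != "REG"                { next }   # only regular files hold disk blocks
    $7 !~ /^[0-9]+$/           { next }   # "0t..." is a file offset, not a size
    seen[$2, $6, $9]++         { next }   # same file on several fds: count it once
    { bytes[$2] += $7; cmd[$2] = $1 }
    END { for (pid in bytes) printf "%.0f %s %s\n", bytes[pid], pid, cmd[pid] }
  ' | LC_ALL=C sort -k1,1nr
}

# Live use (as root, to see every process): lsof +L1 | held_space_by_pid
sample_lsof_output | held_space_by_pid
```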

4. ncdu -- Analyze disk usage interactively

Managing disk space is part of every sysadmin's daily routine. The classic reflex is to chain du -sh * calls across different directories to find what is taking up room. It is tedious and slow, especially on deep directory trees.

ncdu (NCurses Disk Usage) solves this with a text-mode interface that scans the filesystem once, then lets you navigate the tree in real time. You immediately see which directories and files consume the most space, without having to rerun any command.

# Scan the current directory interactively
ncdu

# Scan the root without crossing filesystem boundaries (other mounts, remote ones included, are skipped)
ncdu -x /

# Export the scan to a file for later analysis
ncdu -o /tmp/scan.json /var
ncdu -f /tmp/scan.json

Tip: On a production server where you don't want an interactive ncdu session, use the export option. Run the scan on the server with ncdu -x -o - / | gzip > scan.gz, bring the file back, then view it locally with zcat scan.gz | ncdu -f -. You get the full analysis without an interactive interface running on the server.

5. strace -- Understand what a process is really doing

When a program behaves unexpectedly and the logs aren't enough, strace becomes your best ally. This command intercepts and displays every system call a process makes: file opens, network connections, reads, writes, signals.

strace isn't a tool you reach for every day, but when you need it, nothing else will do. A service that refuses to start with no clear error message? A program reading an unexpected configuration file? A network connection that fails silently? strace shows you exactly what is happening under the hood.

# Trace the system calls of a command
strace -f -e trace=network curl -s https://example.com

# Attach to a running process and filter file accesses
strace -p 1234 -e trace=open,openat,read,write

# Measure time spent in each system call (performance diagnosis)
strace -c -p 1234

Tip: Beware of the performance impact: strace significantly slows down the traced process. In production, prefer the -c option, which produces a statistical summary with lower overhead, or cap the duration with timeout 10 strace -p PID. Never leave a strace running indefinitely on a critical process.

In summary

These five commands cover the fundamental diagnostic needs of system administration. ss for the network, journalctl for the logs, lsof for files and processes, ncdu for disk space, and strace for deep debugging.

None of them is revolutionary on its own. But mastered together, they form a coherent diagnostic kit that will let you solve the vast majority of problems you encounter on a Linux server. Take the time to practice them in a test environment, explore their options, and they will quickly become natural reflexes in your daily work.

System administration isn't about magic tools, it is about method and knowing your environment. These commands are simply the right tools to get there efficiently.

Morgann Riu

Cybersecurity and Linux administration expert. I help companies secure and optimize their critical infrastructures.
