Why Logs Should Be Your First Stop
Most Clash users troubleshoot by toggling modes, switching nodes, or pasting a new subscription link. Those moves sometimes work, but they hide the real question: did Clash classify this connection correctly, and did the chosen path complete? A connection log answers that in one place. Instead of debating whether “the rule is wrong” or “the airport is down,” you can read a short line that names the rule hit, the policy or policy group involved, and often the destination host or IP. From there, fixes become targeted—move a rule, adjust DNS, or swap a single unhealthy server—rather than random.
This guide assumes a Meta-class core (Mihomo) behind a modern GUI such as Clash Verge Rev on Windows or ClashX Pro on macOS. Exact log wording varies slightly by build and UI skin, but the mental model is stable: rules are evaluated in order, the first match wins, and everything downstream (resolver, outbound, TLS handshake) leaves fingerprints in the same stream. If your profile still follows legacy patterns, refresh the big picture with our split routing guide for China DIRECT and overseas proxy before you chase ghosts in the log.
Where to Open Connection Logs
Every maintained client exposes logs somewhere obvious once you know the pattern: a Logs, Connections, or Event panel with a verbosity selector. Turn the level high enough to see per-connection lines, not only startup banners. On desktop GUIs you usually get a rolling buffer; copy the few lines around your failing test instead of exporting megabytes of history. Mobile builds may truncate aggressively—reproduce the issue once with the panel open.
Some interfaces split traffic view (live flows) from text log (formatted events). Both are useful: the traffic view highlights which process opened the socket; the text log often prints the rule hit label exactly as it appears in your YAML. Use them together when a browser works but a command-line tool does not, because the application may be resolving DNS through a different stack.
If you rely on subscription-only setups, confirm the profile actually loaded—stale or empty providers produce empty outbounds and confusing errors. Our Clash subscription URLs and multi-source management article walks through healthy import habits so your log is not polluted by missing nodes before you debug rules.
Anatomy of a Typical Connection Line
While formats differ, a useful log line usually bundles several facts: the network type (TCP or UDP), the destination (hostname, IP, or both), the matched rule name or type, and the outbound or nested policy group that handled the flow. Advanced builds may add timing, chosen chain, or sniffed domain for TLS traffic. You do not need to memorize every field—focus on four anchors.
First, destination identity. If you see only an IP, ask how that IP was obtained. In fake-ip mode the address may be synthetic until sniffing maps it back to a name; mis-readings here look like “wrong country” when the issue is resolver stage, not routing. Second, rule match. This is your rule hit: proof of which line in the ordered list fired. Third, policy output—often a selector called PROXY or an automatic group such as URL-TEST. Fourth, result state: success, timeout, reset, or handshake failure. The last token tells you whether to walk backward into DNS or forward into node health.
UDP lines deserve a separate glance. DNS queries may show up as small repeated packets; QUIC video or voice chat shows larger bursts. If only UDP fails while TCP works, check firewall overlays and whether your profile accidentally sends QUIC down a path that blocks UDP upstream. For system-wide capture nuances, pair this article with our Clash TUN mode guide, because TUN changes which processes even reach the core.
Rule Hits and Strict Ordering
Clash evaluates rules from top to bottom; the first match short-circuits the rest. That single rule explains most “why did my carefully written DOMAIN-SUFFIX never run?” moments. If a broad catch-all sits above your surgical exception, the log will faithfully report the broad rule every time. When you see an unexpected rule hit, do not tweak the exception in isolation—open the YAML and scan upward for shadowing lines, including entries injected by rule providers.
GEOIP and large provider bundles are powerful but blunt. A domain that resolves to an unusual anycast range might miss your GEOIP expectation; conversely, a CDN edge in another region might push traffic through a proxy you did not intend. The log tells you what actually happened, not what the documentation promised. Adjust ordering or add a narrow DOMAIN rule, then reload and re-test one site at a time.
Remember that MATCH is still a rule—just the last one. Seeing MATCH in the log is not failure; it means nothing earlier applied. If MATCH sends traffic to a proxy by default, overseas sites may work while domestic banking sites break unless GEOIP or explicit DIRECT lines precede it.
Telling DNS Problems From Routing Problems
Symptoms overlap: both can yield “server not found” or endless loading. Use the log timeline. DNS failures often appear early, sometimes with resolver-specific error text or repeated short UDP bursts to port 53. By contrast, a successful resolve followed by a stalled TCP handshake usually points to the outbound path—policy group selection, node congestion, or TLS interception on the remote side.
fake-ip mode optimizes rule evaluation by answering clients with local synthetic addresses, then mapping back to real names for TLS where supported. When something in that chain desynchronizes—corporate SSO, captive portals, or split intranet zones—you may see correct rule hits with broken applications because the name never lined up with the IP stage. Temporarily testing with redir-host or a conservative resolver stack (in a lab profile) can confirm the diagnosis without abandoning fake-ip forever.
Also compare the browser to the OS resolver. Chrome may use secure DNS independently; curl might read /etc/resolv.conf on Linux. If logs differ for the same site across tools, unify resolver policy first, then re-check Clash logs for a clean story.
When the Rule Is Right but the Node Is Wrong
A perfect rule hit that sends traffic to PROXY can still fail if the selected server is offline, rate-limited, or routed through an uplink with huge packet loss. Automatic groups (url-test, fallback) exist to absorb that pain: they periodically measure latency to a probe URL and migrate flows when health drops. Read the log for which concrete server name was active during the failure, not only the group label.
If failures cluster on one country or provider, rotate manually within the same group to confirm. If every node fails only for one destination ASN, suspect IP reputation or blocking upstream rather than your YAML. Traceroute and MTR are optional extras; the log already told you the outbound—now validate the business relationship between that hop and the site.
Avoid circular health checks: pointing a probe at a domain that itself requires proxy to reach can make automatic groups thrash. Many advanced templates add DIRECT exceptions for probe hosts; mirror that pattern if you author custom groups.
A Practical Troubleshooting Workflow
Follow a fixed sequence to avoid thrashing. Step one: reproduce once with logging at connection granularity. Step two: identify destination, rule hit, and outbound. Step three: if routing looks wrong, edit order or add a narrow rule; reload; repeat. Step four: if routing looks right, switch node or wait for an automatic group to cycle. Step five: if TCP still resets, capture whether DNS preceded the failure; adjust resolver or fake-ip settings. Step six: for stubborn single-app issues, compare process-level bypass against system proxy or TUN coverage.
Document outcomes in plain language—”site X required DOMAIN-SUFFIX foo above GEOIP”—so the next profile update does not undo your work. Treat configuration like code review: small diffs, one hypothesis per change.
For subscription hygiene—expired airports masquerading as routing bugs—refresh on a schedule and verify node counts before opening the log. Noise from empty groups makes every symptom look like cryptography gone wrong.
Verbosity, Sampling, and Privacy
Higher log levels help developers but overwhelm readers. Crank verbosity up only while actively debugging, then return to a quieter default to reduce disk wear on mobile and accidental leakage of hostnames in screenshots. When you share logs publicly, redact tokens, internal hostnames, and provider-specific endpoints.
Remember that logs describe technical behavior, not legal clearance. Use them to improve your own network experience in compliance with local rules and provider terms.
Closing Thoughts
Clash logs turn opaque network pain into a short checklist: match, outbound, result. Mastering rule hits does not require memorizing every keyword—only respecting rule order, aligning DNS with your split template, and verifying nodes independently of YAML beauty contests. That discipline saves hours compared with reinstalling clients or chasing unrelated speed-test numbers.
Compared with opaque all-in-one VPN apps, Clash keeps the evidence trail visible. Use it. When you are ready to install a maintained client and apply what you read here line by line, start from a single trusted download entry point so signatures and update channels stay predictable. → Download Clash for free and experience the difference between blind toggling and log-driven fixes you can explain to your future self.