- 3 Ways to Watch Logs in Real Time in Linux
- Method 1: Watch log files with the tail command
- Tail and grep
- Tailing the file with log rotation
- Watching multiple log files with tail
- Method 2: Monitor multiple log files at once with multitail
- Method 3: View log file changes in real time with less command
- Conclusion
- 4 Ways to Watch or Monitor Log Files in Real Time
- 1. tail Command – Monitor Logs in Real Time
- 2. Multitail Command – Monitor Multiple Log Files in Real Time
- 3. lnav Command – Monitor Multiple Log Files in Real Time
- 4. less Command – Display Real Time Output of Log Files
3 Ways to Watch Logs in Real Time in Linux
Here’s how to use the tail command effectively for watching log files in real time. The less and multitail commands also come in handy.
You know how to view files in Linux. You use the cat command, or probably the less command, for this purpose.
That’s good for files that have static content. But log files are dynamic and their content changes with time. To monitor logs, you need to watch the log file as its content changes.
How do you see the content of log files in real time? Tail is the most popular command for this purpose but there are some other tools as well. I’ll show them to you in this tutorial.
Method 1: Watch log files with the tail command
The tail command is so popular for viewing log files in real life that sysadmins use the term ‘tail the log file’.
The tail command is essentially used for showing the lines of a file from the end and hence the term ‘tail’.
You can use the -f option to follow the tail of a file, which means that it will keep on showing the new lines added to the file continuously.
tail -f location_of_log_file
To stop tailing the log file, use the Ctrl+C terminal shortcut.
Tail and grep
Alright! So the tail command solves a problem by showing the file changes in real time. But watching the log file continuously when there are so many rapid changes happening in real time is not very helpful.
You’ll often be looking for a particular term when monitoring the log file. Finding that in the flood of incoming new lines is close to impossible.
To make things easier, combine the tail and grep commands like this:
tail -f log_file | grep search_term
This is good, right? Let’s make it a bit better.
I have often found that just the lines with the searched terms don’t reveal the necessary details. This is why I use the grep command with the -C option to show a few lines before and after the searched term.
tail -f log_file | grep -C 3 search_term
Now, you’ll see the lines matching the search term along with 3 lines before and after it. This will give a better perspective on what’s happening.
Want to make it even better? You can grep for multiple search terms and even make it a case-insensitive search:
tail -f log_file | grep -C 3 -i -E 'search_term_1|search_term_2'
Tailing the file with log rotation
If you are working on an enterprise server, chances are that logs are rotated. This means that after the current log file reaches a certain size, it is renamed and zipped.
That creates a problem if you are tailing a log file in real time. By default, the tail command works on the file descriptor. If the current log file is rotated, tail command will now be pointing to an archived log file which will not be recording any change now.
The solution is to follow a log file by its name. This way, even when log rotation takes place, the tail will be pointing to the current log file (because its name never changes).
tail --follow=name log_file | grep -C 3 -i -E 'search_term_1|search_term_2'
This is a lot better now. The next time you tail a log file, use it this way to monitor it more effectively.
Tail is nice for monitoring a log file in real time, but what if you have to analyze more than one log file at the same time? The answer lies in the next section.
Watching multiple log files with tail
This should work in Linux systems. You can monitor multiple log files at the same time with the tail command. Just provide the path of the file in this manner:
tail -f log_file_1 -f log_file_2
You’ll see that it starts showing the real time changes along with the file name before it so that you can distinguish between different log sources.
There is a slightly better way to view multiple log files at once using a utility called multitail.
Method 2: Monitor multiple log files at once with multitail
Multitail, as the name suggests, is used to display multiple files at once.
What’s the big deal? The tail command can also do the same, right?
But Multitail has some advantages over the conventional tail command. It shows the files in split views and you can even show different files in different rows and columns.
Remember, tail shows everything in the same view and that becomes difficult to follow. Multitail overcomes this difficulty by providing a split view like the screen command.
You can provide several files to it but I think more than 3 files would be difficult to follow at a time.
multitail log_file_1 log_file_2
By default, multitail works the same as tail -f. It shows the last 100 lines and then goes into the real-time view. By default, it splits the view into rows.
You can press b to open a selector window and select the log file of your choice to view it and scroll through it for further and deeper analysis.
Press q to exit from all kinds of views in multitail.
You can split the views in columns like this:
multitail -s 2 log_file_1 log_file_2
There is a mandatory space between -s and the number of columns.
Multitail is capable of doing some other things but I won’t go into those details in this tutorial.
So far, you have seen two ways of monitoring log files. There is another, less conventional way of seeing file changes in real time, and that is using the less command.
Method 3: View log file changes in real time with less command
The less command is more for reading text files without cluttering the screen. It can also be used for reading files with real time changes.
The option +F allows less to follow the changes made to a text file.
It opens the log files with changes being written to it displayed in real time.
Press Ctrl+c to interrupt and q to exit the view.
This method allows you to have a quick view of log changes without cluttering the screen, unlike the tail command.
Conclusion
This method of monitoring log files in Linux works for the traditional text based log files. For the system logs, syslogs are still there but many Linux distributions have switched to journal logs and to view and analyze the journal logs, you have to use journalctl commands.
Apart from that, there are other sophisticated tools like Graylog for log analysis on a deeper level with dashboards and graphs. More on that in some other article.
I hope you learned a couple of new things from this seemingly easy topic on real time log monitoring in Linux. Your feedback is welcome.
4 Ways to Watch or Monitor Log Files in Real Time
How can I see the content of a log file in real time in Linux? There are a lot of utilities that can output the content of a file while the file is changing or continuously updating. The best known and most heavily used utility for displaying file content in real time in Linux is the tail command.
1. tail Command – Monitor Logs in Real Time
As said, tail command is the most common solution to display a log file in real time. However, the command to display the file has two versions, as illustrated in the below examples.
In the first example the command tail needs the -f argument to follow the content of a file.
$ sudo tail -f /var/log/apache2/access.log
The second version of the command is actually a command itself: tailf. You won’t need to use the -f switch because the command is built-in with the -f argument.
$ sudo tailf /var/log/apache2/access.log
Usually, log files are rotated frequently on a Linux server by the logrotate utility. To watch log files that get rotated on a daily basis, you can use the -F flag of the tail command.
With tail -F, tail keeps track of a new log file being created and starts following the new file instead of the old one.
$ sudo tail -F /var/log/apache2/access.log
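The rotation problem described in both articles (tail -f stays on the old file descriptor, while --follow=name or -F picks up the new file) can be reproduced safely in a temporary directory. This is an added example, not code from either article; the file names and log lines are constructed, and -F is used because GNU tail documents it as --follow=name --retry.

```sh
#!/bin/sh
# Added example; the paths and log lines are constructed for the demo.
# Rotation is simulated the way logrotate does it by default:
# rename the live file, then create a new one under the old name.

wait_for() {    # wait up to ~15 s for pattern $1 to appear in file $2
    n=0
    while [ "$n" -lt 75 ]; do
        grep -q "$1" "$2" 2>/dev/null && return 0
        sleep 0.2
        n=$((n + 1))
    done
    return 1
}

seen() { if grep -q "$1" "$2"; then echo yes; else echo no; fi; }

rotation_demo() {
    dir=$(mktemp -d) || return 1
    log="$dir/app.log"
    echo "service started" > "$log"

    tail -f "$log" > "$dir/by_fd" 2>/dev/null &     # follows the open descriptor
    pid_fd=$!
    tail -F "$log" > "$dir/by_name" 2>/dev/null &   # re-opens the file by name
    pid_name=$!
    wait_for "service started" "$dir/by_fd" || true
    wait_for "service started" "$dir/by_name" || true
    sleep 1                                         # let both finish setting up

    mv "$log" "$log.1"                              # rotate: rename ...
    echo "login failure after rotation" > "$log"    # ... and start a new file
    wait_for "after rotation" "$dir/by_name" || true

    echo "late write to rotated file" >> "$log.1"   # only the old inode grows
    wait_for "late write" "$dir/by_fd" || true

    kill "$pid_fd" "$pid_name" 2>/dev/null || true
    wait "$pid_fd" "$pid_name" 2>/dev/null || true

    result="tail -f: new=$(seen 'after rotation' "$dir/by_fd")"
    result="$result rotated=$(seen 'late write' "$dir/by_fd")"
    result="$result | tail -F: new=$(seen 'after rotation' "$dir/by_name")"
    rm -rf "$dir"
    echo "$result"
}

rotation_demo
```

With logrotate's copytruncate option the file is truncated in place and keeps its inode, so that case is not what this demo simulates.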
By default, the tail command displays the last 10 lines of a file. For instance, if you want to watch in real time starting from only the last two lines of the log file, use the -n flag combined with the -f flag, as shown in the example below.
$ sudo tail -n2 -f /var/log/apache2/access.log
2. Multitail Command – Monitor Multiple Log Files in Real Time
Another interesting command to display log files in real time is multitail command. The name of the command implies that multitail utility can monitor and keep track of multiple files in real time. Multitail also lets you navigate back and forth in the monitored file.
To install the multitail utility on Debian and RedHat based systems, issue the command below.
$ sudo apt install multitail    # On Debian & Ubuntu
$ sudo yum install multitail    # On RedHat & CentOS
$ sudo dnf install multitail    # On Fedora 22+ version
To display the output of two log files simultaneously, execute the command as shown in the example below.
$ sudo multitail /var/log/apache2/access.log /var/log/apache2/error.log
3. lnav Command – Monitor Multiple Log Files in Real Time
Another interesting command, similar to the multitail command, is the lnav command. The lnav utility can also watch and follow multiple files and display their content in real time.
To install the lnav utility on Debian and RedHat based Linux distributions, issue the command below.
$ sudo apt install lnav    # On Debian & Ubuntu
$ sudo yum install lnav    # On RedHat & CentOS
$ sudo dnf install lnav    # On Fedora 22+ version
Watch the content of two log files simultaneously by issuing the command as shown in the example below.
$ sudo lnav /var/log/apache2/access.log /var/log/apache2/error.log
4. less Command – Display Real Time Output of Log Files
Finally, you can display the live output of a file with the less command if you type Shift+F.
As with the tail utility, pressing Shift+F in a file opened in less will start following the end of the file. Alternatively, you can start less with the +F flag to go straight into live watching of the file.
$ sudo less +F /var/log/apache2/access.log
That’s it!
In this article, we showed how to watch data being appended in log files in real-time on the terminal in Linux. You can ask any questions or share your thoughts concerning this guide via the comment form below.