A summary of 3 ways to view logs in real time in Linux

I. Introduction

We all know how to view files in Linux, for example with the cat or less command.
That is fine for static files, but log files are dynamic: their content changes all the time. To monitor a log file, you need to see new content as soon as it is written.

II. Common ways to view logs


So how do you view log files in real time? The tail command is the obvious choice, but there are other tools as well. This article introduces the tools that can view log files in real time.


1. Use the tail command to view log files


The tail command is so widely used that sysadmins simply speak of "tailing the log file".
Most of the time, tail is used to see what is at the end of a file, hence the name.
With the -f option it keeps following the end of the file, which means it keeps showing new content as it is appended.

tail -f location_of_log_file


To stop following the log file, press Ctrl+C.


tail and grep


As mentioned above, tail can show changes to a file's content in real time. However, when the file is updated very quickly, the new content flashes past and is not convenient to read.
For example, when following log files we often watch for a specific term (string), which is hard to pick out of a large amount of quickly updated output.
To solve this problem, combine the tail and grep commands, as follows:

tail -f log_file | grep search_term



grep shows only the matching lines, which is limited information, so we often use the -C option to also show the lines before and after each match:

tail -f log_file | grep -C 3 search_term


This way we can see the lines before and after each matching line, which gives better context for following the log.
Want to go further? grep can search for multiple terms at once, case-insensitively:

tail -f log_file | grep -C 3 -i -E 'search_term_1|search_term_2'
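As an added example, not code from the original article, here is the grep stage of that pipeline run against a constructed log file instead of a live tail, so that it terminates and its output can be checked. The file name, pattern and sample log lines are invented. It assumes GNU grep for --line-buffered, a flag worth adding whenever grep's output feeds another pipe or a file rather than the terminal, because grep otherwise block-buffers and a live tail shows matches only in bursts.

```shell
#!/bin/sh
# Added example, not part of the original article.  The grep stage of
# "tail -f log_file | grep -C 3 -i -E '...'" run against a constructed file
# instead of a live tail, so that it terminates.  Assumes GNU grep.

# Write a constructed sample log (invented lines, not a real server log).
make_sample_log() {
    cat > "$1" <<'EOF'
2024-01-01T10:00:00 INFO  sshd: session opened for user alice
2024-01-01T10:00:01 INFO  nginx: GET /index.html 200
2024-01-01T10:00:02 INFO  nginx: GET /login 200
2024-01-01T10:00:03 WARN  sshd: Failed password for invalid user admin from 203.0.113.5
2024-01-01T10:00:04 INFO  nginx: GET /static/app.js 200
2024-01-01T10:00:05 ERROR nginx: upstream timed out while reading response
2024-01-01T10:00:06 INFO  cron: job backup finished
2024-01-01T10:00:07 INFO  nginx: GET /health 200
EOF
}

# Filter stage: case-insensitive extended regex with one line of context
# on each side.  --line-buffered makes grep flush every line, which matters
# when its output goes to another pipe or a file rather than a terminal;
# without it a live "tail -f | grep | ..." shows matches only in bursts.
log_filter() {
    grep --line-buffered -C 1 -i -E "$1"
}

# Number of lines in FILE that match PATTERN (context lines not counted).
count_matches() {
    grep -c -i -E "$1" "$2"
}

# Number of lines log_filter emits for PATTERN on FILE, "--" separators excluded.
count_filtered_lines() {
    log_filter "$1" < "$2" | grep -c -v '^--$'
}

# Demo against the constructed file.  Live form of the same stage:
#   tail -f /var/log/app.log | log_filter 'failed password|error'
demo() {
    dir=$(mktemp -d)
    make_sample_log "$dir/app.log"
    log_filter 'failed password|error' < "$dir/app.log"
    rm -rf "$dir"
}

demo
```

On the sample file the two matches (the failed-password warning and the upstream error) sit two lines apart, so their one-line context windows overlap and grep prints lines 3 to 7 as one block without a "--" separator.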



Track logs across log rotation
On most enterprise servers the logs are rotated: when a log file reaches a certain size it is renamed and compressed.
This causes a problem when the log file is being followed in real time. By default, tail follows the file descriptor. When the current log file is rotated, tail is still attached to the now-archived file, which receives no further writes, so no new changes are shown.
The solution is to follow the log file by name. That way, even after rotation, tail points to the current log file (since its name never changed).

tail --follow=name log_file | grep -C 3 -i -E 'search_term_1|search_term_2'
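To make the rotation problem visible, here is an added example (not from the original article) that simulates a rotation the way logrotate does it, rename then recreate, while tail is following, and reports how many post-rotation lines the follower saw. It assumes GNU coreutils tail; the -F option it uses is shorthand for --follow=name --retry, that is, the by-name mode described above plus reopening the name once the new file exists. File names and log lines are constructed.

```shell
#!/bin/sh
# Added example, not part of the original article.  Simulates a log rotation
# (rename + recreate) while tail is following and reports how many lines
# written after the rotation the follower captured.  Assumes GNU coreutils
# tail: -F is shorthand for --follow=name --retry.

# Append a constructed line to a log file.
log_line() {
    printf '%s\n' "$2" >> "$1"
}

# follow_through_rotation <tail option>: <tail option> is -f (follow the
# descriptor, the default) or -F (follow the name).  Prints the number of
# lines written after rotation that the follower saw: 0 means the monitor
# silently went blind at rotation, 1 means it kept up.
follow_through_rotation() {
    dir=$(mktemp -d)
    log="$dir/app.log"
    out="$dir/captured.txt"
    : > "$log"

    # Start following; -n 0 so only new lines are captured.
    tail "$1" -n 0 "$log" > "$out" 2>/dev/null &
    tail_pid=$!
    sleep 1

    log_line "$log" "before rotation: request ok"
    sleep 1

    # Rotation: the file is renamed away and a fresh one is created.
    mv "$log" "$log.1"
    : > "$log"
    sleep 2

    log_line "$log" "after rotation: Failed password for root"
    sleep 2

    kill "$tail_pid" 2>/dev/null || true
    wait "$tail_pid" 2>/dev/null || true
    seen=$(grep -c 'after rotation' "$out" || true)
    rm -rf "$dir"
    printf '%s\n' "$seen"
}
```

Source the file and run `follow_through_rotation -f` and then `follow_through_rotation -F`: the descriptor-following run prints 0 because tail stayed attached to app.log.1, the name-following run prints 1. The sleeps are generous so the result holds even where tail falls back from inotify to its default one-second polling.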


tail is great for monitoring log files in real time, but the methods above only monitor one log file. What if you want to monitor several?

Use tail to view multiple log files
On Linux you can use the tail command to monitor multiple log files at the same time; just provide the paths of the files:

tail -f log_file_1 log_file_2


With the above command you see updates to both log files in real time, and each block of output is preceded by the file name so you can tell the files apart.

In addition to this method there is a more convenient way: the multitail tool.


2. Use multitail to monitor multiple log files at the same time


As the name suggests, multitail displays multiple files at the same time.
Since tail can already monitor multiple files, what is special about multitail?
The beauty of multitail is that it shows the files in a split view, and can even place different files in different rows and columns.
tail shows everything in one view, which can make it hard to keep track; multitail overcomes this by providing a split view similar to the screen command.
Note that multitail is not installed by default on most Linux systems, so you need to install it before use.
Pass the file paths after the multitail command. It is best not to exceed 3 files at a time, because with more than that it becomes hard to follow.

multitail log_file_1 log_file_2


By default multitail works like tail -f: it shows the last 100 lines and then enters a live view; in addition, it splits the view by line.
Press the b key to open a file selection window and choose a log file to view for further analysis.
To split the view, use the -s option followed by the number of views:

multitail -s 2 log_file_1 log_file_2


Press q to exit all multitail views.
multitail can do much more; if you are interested, see its official documentation. This article does not go further into it.


3. Use the less command to view log files in real time


The less command is mostly used to read text files, but it can also follow a file that changes in real time.
The +F option follows file changes in real time:

less +F log_file


The above command opens the log file and shows changes as they are written.
Press Ctrl+C to stop following, then q to exit.
Unlike tail, this method lets us look at changes in the log without cluttering the screen.
The methods described so far apply to traditional text-based log files.


III. View the system log with the journalctl command


For system logs you can use syslog, but many Linux distributions now use the systemd journal to store logs, so you need the journalctl command.
journalctl can view all system logs. Because there is a large amount of log information, journalctl also provides various parameters to help locate the relevant entries quickly.
By default, users can access their own logs. Access to the main system log and other users' logs is limited to authorized users, such as root and members of the wheel and systemd groups.
If the log is long, you can scroll through it with the up, down, left and right arrow keys.


journalctl

Without parameters, journalctl displays all entries, from oldest to newest.

journalctl -r

The -r parameter reverses the order, from newest to oldest.

journalctl -f

To follow the journal with journalctl (show the latest entries as they arrive), add the -f parameter. The latest entries are output in real time.

journalctl -n number

Limit the size of the output
The -n or --lines= parameter specifies the number of lines to display.

Display entries from a specified time range
journalctl can display the entries that occurred during a specified time period.

This is done with the --since and --until parameters. The date format is "YYYY-MM-DD HH:MM:SS", for example:
journalctl --since "1 hour ago"   shows the log from 1 hour ago to now
journalctl --since "2016-08-04 20:00:00" --until "2016-08-04 20:15:00"   shows the log for that period on the evening of August 4

View the logs of particular services: journalctl -u unit_name.service
journalctl -u httpd.service   shows the logs of the web service
journalctl -u httpd.service -u crond.service   shows the logs of both services

Display kernel log information
The commands "journalctl -k" and "journalctl --dmesg" display the system's kernel log.

Origin blog.csdn.net/xun527/article/details/131373080