SoFunction
Updated on 2025-04-07

Three ways to view logs in real time in Linux


Most of us know how to view files in Linux, for example with the cat or less commands.

That is fine for static files. Log files are dynamic, and their contents can change at any time. To monitor a log file, you need to see new content in real time as it is written.

So how do you view log files in real time? The tail command is the usual answer, but there are other tools as well. This article introduces the tools that can view log files in real time.

1. Use the tail command to view the log file

The tail command is so widely used that system administrators often say "tail the log file" (i.e. tail log file).

In most cases, the tail command is used to view the content at the end of the file, so it is named tail.

Use the -f option to track the content at the end of the file, which means it will continue to display the content newly added to the file.

tail -f location_of_log_file

To stop following the log file, press Ctrl+C.

tail and grep

As mentioned above, the tail command shows changes to a file in real time. However, when the file is updated very quickly, new content flashes by, which makes it hard to read.

For example, when following a log file we are often watching for one specific term (string), and picking it out of a large volume of rapidly updating content is very inconvenient.

To solve this problem, we can combine the tail and grep commands, as shown below:

tail -f log_file | grep search_term

On this basis, let’s make some improvements.

On its own, grep shows only the matching lines, which gives limited information. We therefore often add the -C option to display the lines before and after each match:

tail -f log_file | grep -C 3 search_term

This way we see the 3 lines before and after each match, which makes the log easier to follow.

Want to go further? You can have grep match several search terms and ignore case:

tail -f log_file | grep -C 3 -i -E 'search_term_1|search_term_2'

Tracking logs across log rotation

For most enterprise servers, logs will rotate, that is, when the log file reaches a certain size, it will be renamed and compressed.

If you are following a log file in real time, this can cause problems. By default, the tail command follows the file descriptor. If the current log file is rotated, tail keeps pointing at the archived log file, which no longer receives any changes.

The solution is to follow the log file by its name. This way, even if a log rotation occurs, tail will point to the current log file (because its name has never changed).

tail --follow=name log_file | grep -C 3 -i -E 'search_term_1|search_term_2'
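
A follower that goes silent after rotation is a monitoring gap, so it is worth checking which mode survives it. The script below is an added example, not from the original article: it rotates a constructed log by rename and reports whether a line written afterwards reaches tail -f and tail -F (GNU tail's shorthand for --follow=name --retry); the file names and the log line are made up for the demonstration.

```shell
#!/bin/sh
# Added example: does a follower still see new lines after the log is rotated?
# File names and log lines below are constructed for the demonstration.

# follow_across_rotation FLAG
#   FLAG is -f (follow the open descriptor) or -F (GNU tail shorthand for
#   --follow=name --retry). Prints "seen" if a line written after the
#   rotation reached the follower, "missed" otherwise.
follow_across_rotation() {
    flag=$1
    dir=$(mktemp -d) || return 1
    log="$dir/app.log"
    out="$dir/follower.out"

    echo "line written before rotation" > "$log"

    # Start the follower in the background; its output stands in for what
    # an analyst (or a grep further down the pipe) would see.
    tail -n 0 "$flag" "$log" > "$out" 2>/dev/null &
    pid=$!
    sleep 1

    # Rotate by rename, as described above, then let the "application"
    # create a fresh file under the original name.
    mv "$log" "$log.1"
    echo "Failed password for invalid user test (constructed)" > "$log"
    sleep 2

    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true

    if grep -q "Failed password" "$out"; then
        result=seen
    else
        result=missed
    fi
    rm -rf "$dir"
    echo "$result"
}

for flag in -f -F; do
    echo "tail $flag after rotation: $(follow_across_rotation "$flag")"
done
```
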

tail is ideal for real-time monitoring of log files, but the above method monitors only one log file. What should I do if I want to monitor multiple log files? Please see the next section.

Use tail to view multiple log files

On Linux, you can use the tail command to monitor multiple log files at the same time. Just provide each file path:

tail -f log_file_1 -f log_file_2

With the above command, you will see updates to the log files in real time, and each block of output is preceded by the file name so that you can tell the log files apart.

In addition to the above method, there is another more convenient way, which is to use a tool called multitail.

2. Use multitail to monitor multiple log files at the same time

As the name implies, multitail is used to display multiple files simultaneously.

Since tail can monitor multiple files at the same time, what is special about multitail?

The advantage of multitail is that it can display files in split views, and even different files in different rows and columns.

tail shows everything in the same view, so it is sometimes difficult to follow. multitail overcomes this by providing a split view similar to the screen command.

Note that multitail is not installed by default in most Linux systems, so it needs to be installed manually before use.

Pass the file paths after the multitail command. It is best not to exceed 3 files at a time, because more than that becomes difficult to follow.

multitail log_file_1 log_file_2

By default, multitail works the same way as tail -f: it displays the last 100 lines and then goes into the live monitoring view. In addition, it splits the view by rows.

You can press b to open a file selection window and select a log file to view for further analysis.

To split the view, use the -s option, followed by a number, that is, the number of views:

multitail -s 2 log_file_1 log_file_2

Press the q key to exit all views of multitail.

multitail can do much more. If you are interested, see its official documentation; this article does not cover it further.

3. Use the less command to view the log file in real time

The less command is mostly used to read text files, but it can also be used to read files that are changing in real time.

Option +F can track file changes in real time:

less +F log_file

The above command will open the log file and display the changes being written in real time.

Press Ctrl+C to interrupt the display, then press q to exit the view.

Unlike the tail command, this method allows us to quickly view log changes without messing up the screen.

The methods above are suitable for traditional text-based log files. System logs can be handled this way when they are written as syslog files, but many Linux distributions now use journal logs, and viewing and analyzing those requires the journalctl command.
