One of the things that’s nice about Linux or Unix compared to many other operating systems is there’s a good chance a Linux program will spew out informational messages to a log somewhere. Many commands even have a way to turn on more logs. I know that Windows has the event viewer, but many programs don’t have much to say which makes it difficult to know what’s happening when things go wrong.
The problem is, sometimes programs tell you too much information. How do you find what you want to know? It looks cool on a movie where the hacker is in front of a terminal scrolling 500 lines a second of some log file, but in real life, it is hard to read a moving screen, although with some practice you can sometimes — unreliably — pick out a keyword as it whizzes by.
Like most Unix things, there’s a tool for that. In fact, unsurprisingly, there are many tools for that. If you are using the
tail command, that’s certainly one of them. But there are others you should consider.
As an example, consider the mother of all logs:
/var/log/syslog. Go dump that using
less (I always alias
more to use
less on my systems so if you catch me saying
more, I really mean
less). It is probably huge and growing. On a normal desktop system it is usually fairly quiet, but on some older systems or a server, you may see a lot of activity on it. But either way, unless you’ve just booted, you probably have pages of information in there.
Finding information that’s already there is easy enough. Use
grep or load a copy into your favorite editor. The problem is the new information. Plug (or unplug) a USB device into your system. You’ll see that probably adds a message to your syslog file. If you are getting dozens of those kinds of messages all the time, what do you do?
It isn’t just syslog either. The listing file from a long compile might be interesting to peek in on. The status from having a RAID drive rebuilt. There’s always some big growing file you want to read.
The Tail End
The traditional way to do this is with the
tail command. It takes a big file and returns “some” from the end of it. You can add the -f option to make the command wait for more data and output it. Great for a growing file. The -F option is much the same but will keep trying if it can’t open the file. You can control how many lines (-m) to show or bytes (-c). The -s option lets you pick how often it checks to see if the file changed.
Pretty good, right? Try this:
tail -f /var/log/syslog
You’ll see a few lines from the end of your log and now when you plug or unplug your USB device, you’ll see it nearly right away without having to reissue a command.
You probably have done this before. It works fine and is a very common idiom. But there are a few other ways to go that you might not be using.
Less is More
less command has an option +F that turns it into a good replacement for
tail. In fact, if you try it with the command line below you may wonder why it is any different than
less +F /var/log/syslog
Here’s what that looks like on my system:
See how at the end it says “Waiting for data…”? Right now it is acting almost the same as
tail. But if you press ^C something interesting happens. Well… maybe something happens. Try pressing ^C. If
less goes to command mode, you are fine. Now you can do all the things you normally would do while viewing something with
less. But if you exit
less, then your Linux distribution is helping you by setting some default options on less using the
LESS environment variable. Try this:
set | grep LESS
If you see an option string including
--quit-on-intr that’s your problem. It needs to go. Then you can switch back to command mode using ^C. That does mean you need to remember to use the q command to exit
less. If you exit this mode and want to get back just press F.
If you are in normal
less mode (that is, you didn’t use +F to start with), you can press F to start this “tail mode.” Even more interesting, you can search for something, press ESC-F and the mode will stop with a bell when your search matches something coming in.
You can also add
--follow-name to get the same behavior as
tail‘s -F option.
Sometimes a file you want to see isn’t adding new data but is changing every so often. For example, consider
/proc/loadavg or many other
/proc entries. Using
less on these isn’t very satisfying. However, there’s the
watch -n 5 cat /proc/loadavg
This executes the
cat command on the file every 5 seconds and shows the results nicely, as you can see. There are lots of good options such as -d to highlight differences or -p to use a high-resolution timer. The -c option makes things work with colors.
Your editor might have a tail mode. For
emacs, there are several ways to do it and instead of telling you about them, I’ll point you to a great write up. I’m not a vim expert, but it looks like you need a plugin to do the same thing there. If there’s a better way, I’m sure we’ll hear about it in the comments.
If you are a hardcore log reader, you might want a tool like inav that is specifically made to view logs. KDE and Gnome both have dedicated log viewers, as well.
As usual in Linux or Unix, there are dozens of ways to do just about anything. Which one is “best?” Everyone will have their own opinion and that’s what makes it an attractive operating system for power users. You get to pick what works best for you.
If you are using Linux on the desktop, on a server, or on a Raspberry Pi, these are a few commands you’ll want to have in your toolbox. Be sure to take a look at all the Linux Fu posts (see below) to find out about other tools we’ve covered in the past.