
How to watch or monitor log files in Debian 10

What are Linux log files?

Log files are simply plain text files that contain the set of records, events, or messages about the server, applications, and services running on your Linux operating system. They are used by system administrators for troubleshooting purposes whenever an issue arises.

In Linux, the log files are generally categorized into the following.

  • Application logs
  • Event logs
  • Service logs
  • System logs

There are a lot of log files in Linux, and they are located in the /var/log/ directory. Monitoring all of them is a tedious task. However, the following critical files must be monitored.

  • /var/log/syslog
  • /var/log/messages
  • /var/log/auth.log
  • /var/log/secure
  • /var/log/boot.log
  • /var/log/dmesg
  • /var/log/kern.log
  • /var/log/faillog
  • /var/log/cron
  • /var/log/mail.log
  • /var/log/apache2/error.log
  • /var/log/mysql.log

In this article, we are going to explore various methods that can be used to view or monitor log files in real-time. We have executed all the commands on Debian 10.

Prerequisites

You need the following for this tutorial:

  • A user account with root privileges

Viewing log files

Using tail command

tail is one of the most widely used commands for viewing a log. It prints the last few lines of the log file to the console, 10 lines by default.

The general syntax of the command is as follows.

tail <path of log file>

For example,

tail /var/log/syslog

Below is the sample output showing the last 10 lines of a syslog file.

However, if you want to view a specific number of lines from the end of the log file, say 5 lines, you can use the -n option as follows.

tail -n 5 /var/log/syslog

Below is the sample output.

If you want to follow a log file and print new messages as they are logged in real time, you can add the -f option to the command above.

tail -f -n 5 /var/log/syslog

As soon as a new line is added to the log file, it is printed below the lines already shown.

To stop following the file and return to the prompt, press Ctrl + C.
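One caveat with -f on a server where logrotate renames log files: -f keeps following the renamed file, while -F follows the file name and reopens it. The script below is an added example, not part of the original article; it shows the difference on temporary files (app.log and the function names are made up for the demonstration).

```bash
#!/bin/bash
# Added example: tail -f vs tail -F across a simulated log rotation.
# Works only on temporary files created here (app.log is a made-up name).

wait_for() {  # wait_for <pattern> <file>: poll up to ~5 s for the pattern
    local i
    for i in $(seq 1 50); do
        grep -q "$1" "$2" 2>/dev/null && return 0
        sleep 0.1
    done
    return 1
}

rotation_demo() {
    local dir log pid_f pid_F result
    dir=$(mktemp -d) || return 1
    log="$dir/app.log"
    echo "line written before rotation" > "$log"

    # -f follows the open file descriptor; -F follows the name and reopens it.
    tail -n +1 -f "$log" > "$dir/out_f" 2>/dev/null &
    pid_f=$!
    tail -n +1 -F "$log" > "$dir/out_F" 2>/dev/null &
    pid_F=$!
    # Make sure both tails have opened the file before rotating it.
    wait_for "before rotation" "$dir/out_f" || return 1
    wait_for "before rotation" "$dir/out_F" || return 1

    # Simulate logrotate's default (non-copytruncate) behaviour:
    # rename the old file, then start a new one under the original name.
    mv "$log" "$log.1"
    echo "line written after rotation" > "$log"
    wait_for "after rotation" "$dir/out_F" || return 1
    sleep 1   # give tail -f the same chance to (not) see the new file

    # Count how often each tail saw the post-rotation line.
    result="f=$(grep -c 'after rotation' "$dir/out_f" || true) F=$(grep -c 'after rotation' "$dir/out_F" || true)"
    kill "$pid_f" "$pid_F" 2>/dev/null || true
    wait "$pid_f" "$pid_F" 2>/dev/null || true
    rm -rf "$dir"
    echo "$result"
}

rotation_demo
```

For long-running monitoring of files under /var/log, tail -F is therefore the safer choice.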

Using multitail command

With the help of the multitail command, you can monitor and view the content of multiple log files in real time in a single console window. The multitail command is not installed by default on Debian 10. Therefore, open a terminal and issue the following command with root privileges to install it.

apt-get install multitail

Below is the sample output.

The general syntax of the multitail command is as follows.

multitail <path of log file 1> <path of log file 2>

Suppose you have two log files /var/log/syslog and /var/log/kern.log and you want to view their contents on the console using multitail, the complete command should look like the following.

multitail /var/log/syslog /var/log/kern.log

Below is the sample output.

You can monitor the contents of multiple log files in real time with the help of this command. For instance, the below screenshot shows the content of four log files: /var/log/syslog, /var/log/kern.log, /var/log/daemon.log and /var/log/messages.

By default, the multitail command shows the contents of log files horizontally. If you want to view the files vertically in columns, you can use the -s switch as follows.

Suppose you want to view the contents of log files vertically in two columns, the complete command should look like the following.

multitail -s 2 /var/log/syslog /var/log/kern.log /var/log/daemon.log /var/log/messages

Below is the sample output.

You can also navigate through the files. Press 'b' from the keyboard and scroll through to choose your desired log file. You can view the last 100 lines of your chosen file.

Below are the sample outputs.

Press Ctrl + g to abort and return to the multiple log files window.

You can also give different colors to log files using the -ci parameter so that you can easily differentiate between them. The following is a good example.

multitail -ci green /var/log/syslog -ci blue /var/log/messages

Below is the sample output.

The multitail command offers a lot more. Press 'h' on the keyboard for help while the command is running.

Using lnav command

The lnav command is similar to the multitail command and shows the content of multiple log files in a single window. To install it on Debian, open a terminal and issue the following command with root privileges.

apt-get install lnav

Press 'y' from the keyboard when prompted. Wait for the command to finish.

Unlike multitail or other commands, the lnav command merges the content of the log files and shows the lines ordered by their date in a single window.

Below is the sample file. You can scroll through the window using the up, down and other navigation keys of your keyboard.

The general syntax of the command is as follows,

lnav <name and path of file 1> <name and path of file 2>

Suppose you want to view the syslog and messages logs. Execute the following command in the terminal.

lnav /var/log/syslog /var/log/messages

Below is the sample output.

If you do not specify the file with the command, by default it opens the syslog file.

Execute the following command.

lnav

Below is the sample output.

You can also search through the log by pressing / on your keyboard while the command is running. After pressing the / key, type the string you want to search for and hit the Enter key.

Suppose you search for the string 'DHCPACK'; the matches are highlighted in the window.

Below is the sample output.

You can also view compressed log files (zip, gzip, bzip) by using the -r option. Below is the complete syntax.

lnav -r <zip file name>

Using less command

less is another command that can be used to monitor the output of a log file.

Below is the complete syntax of the command.

less +F <path of file>

For example, if you want to monitor the syslog file at the path /var/log/syslog, the complete command should look like the following.

less +F /var/log/syslog

Below is the sample output.

 

Karim Buzdar

About the Author: Karim Buzdar holds a degree in telecommunication engineering and holds several sysadmin certifications. As an IT engineer and technical author, he writes for various web sites. You can reach Karim on LinkedIn
