log commands
Less, more and zmore
# less /var/log/syslog
less opens the syslog log file at the top. Use the arrow keys to scroll down one line at a time, the space bar to scroll down one page at a time, or the mouse wheel to scroll through the file. Use the [Shift]+[g] combination to immediately go to the end of the log file.
Grep and zgrep
# grep "user@whateverdomain.tld" /var/log/mail.log > /tmp/result.txt
zgrep is useful for compressed files:
# zgrep -i Error *.gz
Tail
tail prints the last part of files to output, for example the last 10 lines with the -n option. Adding the -f option makes tail keep watching the log file and print each new line as it is written to the file. As soon as a new line is written to syslog, it appears at the bottom and the oldest line scrolls out of view.
# tail -f -n 10 /var/log/syslog
Escape it with the [Ctrl]+[x] key combination.
Last and lastb
The last command reads from the system file called /var/log/wtmp or the file designated by the -f option. Names of users and tty’s can be given, in which case last will show only those entries matching the arguments. Names of tty’s can be abbreviated, thus last 0 is the same as last tty0.
When last catches a process signal like SIGINT (generated by the interrupt key, usually control-C) or a SIGQUIT (generated by the quit key, usually control-\), last will show how far it has searched through the file; in the case of the SIGINT signal, last will then terminate.
For the login history of sysadmin:
# last | grep sysadmin
To find out when the system was last rebooted:
# last reboot
lastb is the same as last, except that by default it shows a log of the file /var/log/btmp, which contains all the bad login attempts.
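The following is an added example, not part of the original page: a shell function that turns lastb output into a per-user, per-source count of bad login attempts, which is usually what you want when reviewing /var/log/btmp. The function names, the threshold argument and the sample lines (documentation addresses) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: summarize failed logins from lastb-style output on stdin.
# Prints "count user source" for every user/source pair seen at least
# $1 times (default 3), highest count first.
summarize_failed_logins() {
    threshold="${1:-3}"
    awk -v min="$threshold" '
        NF == 0 { next }                              # blank separator line
        $1 == "btmp" && $2 == "begins" { next }       # trailer line
        {
            user = $1
            src = $3
            # Console attempts have no host column, so field 3 is the weekday.
            if (src ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/) src = "local"
            count[user " " src]++
        }
        END {
            for (k in count)
                if (count[k] >= min) print count[k], k
        }
    ' | sort -k1,1nr -k2
}

# Constructed sample in lastb output format (not real data).
sample_lastb() {
    cat <<'EOF'
root     ssh:notty    203.0.113.5      Tue Mar  4 10:15 - 10:15  (00:00)
root     ssh:notty    203.0.113.5      Tue Mar  4 10:15 - 10:15  (00:00)
root     ssh:notty    203.0.113.5      Tue Mar  4 10:16 - 10:16  (00:00)
admin    ssh:notty    203.0.113.5      Tue Mar  4 10:16 - 10:16  (00:00)
sysadmin tty1                          Tue Mar  4 11:02 - 11:02  (00:00)
sysadmin tty1                          Tue Mar  4 11:03 - 11:03  (00:00)
oracle   ssh:notty    198.51.100.7     Tue Mar  4 12:40 - 12:40  (00:00)

btmp begins Tue Mar  4 10:15:01 2025
EOF
}

# On a live system (as root): lastb | summarize_failed_logins 5
sample_lastb | summarize_failed_logins 2
```

Repeated failures for one account from a single source stand out at the top of the list; entries marked local came from a console tty rather than the network.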
dmesg
dmesg displays by default all messages from the kernel ring buffer. Use the scroll wheel to browse through the buffer or pipe the output of dmesg to the less command. For example, to print the log entries for the user facility:
# dmesg --facility=user | less