Excellent Console Log File Analyzers

Almost everything that happens on a Linux system is logged in some way. These log files are typically stored as plain ASCII text in a standard log file format, although some are kept in binary format. Most logs are stored in the traditional system log subdirectory /var/log. Logs keep track of events, such as system errors, user activities, and transaction histories. These log files are everywhere.

Applications capture an enormous amount of information to log files, especially as a server may generate multiple logs. It is important to review log files to obtain feedback about the activity and performance of the server, and to identify hints to solve any problems that may arise. Logs are essential for system auditing, debugging and maintenance.

We can use the tail utility to monitor a log file. But it’s often not that effective. An administrator of a system can suffer from information overload. Reviewing the log files in an efficient way can be a very time consuming task. There’s a need for an alternative.

Linux has a good range of logging tools, although many are designed for large-scale deployments. They need to be installed and configured for servers. Instead of a belt and braces approach, there’s still a need for a good log file analyzer for the terminal.

The tools featured in this article are all released under an open source license, and offer a lot more functionality than tail.


MultiTail

MultiTail in action

MultiTail is an excellent open source tool that lets you view one or multiple files like the original tail program. The tool started as an attempt to provide a program which would display two log files in a split screen. It was originally a clone of wtail.

The difference is that this program creates multiple windows on your console (with ncurses). It can also use colors while displaying the logfiles, so that you can recognize faster which lines are important and which are not.

The application is optimized for terminal-sessions through slow links.

Features include:

  • Multiple input sources
  • Monitor wildcards – if another file matching the wildcard has a more recent modification date, it will automatically switch to that file. This allows monitoring a complete directory of files
  • Merge 2 or more log files
  • Use colours while displaying the logfiles (using regular expressions)
    • Selections with regular expressions
    • Selection on field-number/string offset
    • Color schemes can be defined in a configuration file.
    • Default color scheme for certain files can be selected in the configuration file (using regular expressions (NOT wildcards!))
    • External scripts can be used to determine what colors to use where in the logged lines
    • Use of colors can be switched off
  • Line filtering (through regular expressions)
  • Interactive menus for editing regular expressions and adding windows
  • Mimicking the functionality of tools such as watch when viewing the output of external software

lnav

LNAV in action

lnav is the logfile navigator, an open source curses-based tool for viewing and analyzing log files.

It looks for semantic information in the files being reviewed, such as timestamps and log levels. lnav can interleave messages from different files, generate histograms of messages over time, and provide hotkeys for navigating through the file. It understands and analyzes /var/log/syslog, Apache access logs, strace output, and other formats that include timestamps.

The tool color-highlights important information: for example, it marks warnings in yellow and errors in red. lnav helps highlight the parts that matter and filter out the noise.

Features include:

  • Support for the following log file formats: Common Web Access Log format, CUPS page_log, Syslog, Glog, VMware ESXi/vCenter Logs, dpkg.log, uwsgi, “Generic” (any message that starts with a timestamp), Strace, SnapLogic Server Log, Fsck_hfs, OpenAM, and more
  • Pretty-Print View – reformats structured data, like XML or JSON, so that it is easier to read
  • Histogram view – displays the number of log messages per bucket-of-time
  • Filters – display only lines that match or do not match a set of regular expressions
  • “Live” operation – searches are done as you type; new log lines are automatically loaded and searched as they are added; filters apply to lines as they are loaded; and, SQL queries are checked for correctness as you type
  • Automatic tailing – the log file view automatically scrolls down to follow new lines that are added to files. Simply scroll up to lock the view in place and then scroll down to the bottom to resume tailing
  • Time-of-day ordering of lines – log lines from all the files are loaded and then sorted by time-of-day. Relieves you of having to manually line up log messages from different files
  • Syntax highlighting – errors and warnings are colored in red and yellow, respectively. Highlights are also applied to: SQL keywords, XML tags, file and line numbers in Java backtraces, and quoted strings
  • Navigation – use hotkeys for jumping to the next or previous error or warning and moving forward or backward by an amount of time. Hotkeys provide spatial navigation, chronological navigation, bookmarks, display, and query
  • Query Logs Using SQL – log files are directly used as the backing for SQLite virtual tables. There are several built-in extensions that provide extra functions and collators beyond those provided by SQLite
  • Command and search history
  • Compressed files are automatically detected and uncompressed on the fly
  • Session information is stored automatically for the set of files that were passed in on the command-line and reloaded the next time lnav is executed
  • Website: lnav.org
  • Developer: Tim Stack and contributors
  • License: GNU GPL v3
  • Version Number: 0.7.3

Swatch

Swatch (Simple Log Watcher) is designed to monitor system activity. Swatch started out as the “simple watchdog” for actively monitoring log files produced by UNIX’s syslog facility. It has since evolved into a handy utility that can monitor just about any type of log.

A typical action is echoing the matched line in a variety of colours and formats, including reverse video, bold, underline, and normal, which Swatch handles internally. Other actions include sending mail or executing an arbitrary program on the matched line.

Swatch is written in Perl and uses Perl regular expressions for line matching. In order for Swatch to be useful, it requires a configuration file which contains pattern(s) to look for and action(s) to perform when each pattern is found.

Features include:

  • Simple to configure
  • Regular expression matching
  • Highlighting
  • Hooks
  • Send e-mails based on matching log strings
  • Execute in the background
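As an added illustration of the pattern/action configuration described above (this is a constructed example, not a file shipped with the Swatch project), the following configuration watches an SSH authentication log for repeated failed logins and for successful root logins. The file path, the alert address and the log line layout (standard OpenSSH sshd messages in syslog) are assumptions; the `threshold` directive is assumed to require Swatch 3.2 or later.

```text
# Constructed example Swatch configuration (not from the Swatch project).
# Assumptions: sshd logs to /var/log/auth.log in standard OpenSSH/syslog
# format, mail to "root" reaches an operator, swatch >= 3.2 for "threshold".
#
# Tail the log live:
#   swatch --config-file=/etc/swatch/sshd.conf --tail-file=/var/log/auth.log
# Or scan an existing file once:
#   swatch --config-file=/etc/swatch/sshd.conf --examine=/var/log/auth.log

# Drop known noise before any rule below sees it
ignore /sshd\[\d+\]: Connection closed by/

# Every failed password attempt: show it in red on the console, then keep
# evaluating later rules ("continue"), since swatch normally stops at the
# first matching watchfor block
watchfor /sshd\[\d+\]: Failed password for (invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+)/
    echo red
    continue

# Ten or more failures from the same source address within two minutes:
# mail the operator once (the threshold suppresses a mail per line) and
# rate-limit repeats of this action to one per five minutes
watchfor /sshd\[\d+\]: Failed password for .* from (\d+\.\d+\.\d+\.\d+)/
    threshold track_by=$1,type=limit,count=10,seconds=120
    mail addresses=root,subject=ssh_bruteforce_suspected
    throttle 00:05:00
    bell 2

# Any successful root login is rare enough to alert on every time
watchfor /sshd\[\d+\]: Accepted (password|publickey) for root from (\d+\.\d+\.\d+\.\d+)/
    echo bold
    mail addresses=root,subject=root_ssh_login
```

Run Swatch in the background (or under a service manager) so the tail-file mode keeps following the log after the terminal session ends.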
