Chaining grep commands after tail -f

Sometimes I need to filter real-time logs on a server that is not part of a log aggregation tool, such as Graylog or ELK.

Sometimes it's also very convenient and quick to run a command and watch live what's going on.

To see any new line added to a log file, you should already know the tail command:

tail -f /var/log/mail.log

Unfortunately, you won't be able to use this command with more than one command chained after it, for instance:

# The following command will work:
tail -f /var/log/mail.log | grep from=

# The one below won't show you an error, but won't display anything either: the first grep's stdout is a pipe, so its output is block-buffered and never reaches the second grep in time.
tail -f /var/log/mail.log | grep from= | grep me@domain.com

Some commands, like grep, come with a specific option that works around this issue: --line-buffered

Not all tools have it though; with cut, for example, you have no dice. If only one of the commands you want to use lacks such an option, put it at the end of the pipeline, where its stdout is the terminal rather than a pipe.

Let's make a quick example: if I want to use two grep commands and a cut, I can do:

tail -f /var/log/mail.log | grep --line-buffered from= | grep --line-buffered -v -e "from=<>" -e "root" | cut -d ':' -f 4,5

This will show me fields 4 and 5 of any new line added to mail.log that contains the expression "from=", filtering out any empty sender or root ("from=<>" and "root"). So I will get output like this one:

33FEA13B970: from=<user@domain.com>, size=467, nrcpt=1 (queue active)
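The same filter chain, wrapped in a script so it can be run against a constructed sample log and, optionally, live against a file that is being appended to. This is an added example, not part of the original post: the function names (mail_from_filter, filter_sample, live_demo) and the sample log lines are hypothetical, and the live demo assumes GNU coreutils (timeout).

```shell
#!/bin/sh
# Added example: the post's grep/grep/cut chain as a reusable function.
# Both greps are line-buffered; cut has no such option, so it sits last,
# where its stdout is the terminal (or the caller) instead of a pipe.
mail_from_filter() {
    grep --line-buffered 'from=' \
      | grep --line-buffered -v -e 'from=<>' -e 'root' \
      | cut -d ':' -f 4,5
}

# Constructed sample log (hypothetical postfix lines, not real mail.log data).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jan 10 10:00:01 mx1 postfix/qmgr[1234]: 33FEA13B970: from=<user@domain.com>, size=467, nrcpt=1 (queue active)
Jan 10 10:00:02 mx1 postfix/qmgr[1234]: 44ABC13B971: from=<>, size=120, nrcpt=1 (queue active)
Jan 10 10:00:03 mx1 postfix/smtp[1250]: 33FEA13B970: to=<other@example.org>, status=sent
Jan 10 10:00:04 mx1 postfix/qmgr[1234]: 55DEF13B972: from=<root@mx1>, size=300, nrcpt=1 (queue active)
EOF

# Run the chain over the whole sample: only the first line survives
# (line 2 is an empty sender, line 3 has no from=, line 4 is root).
filter_sample() {
    mail_from_filter < "$SAMPLE_LOG"
}

# Live mode: append one matching line per second while tail -f feeds the
# chain. With --line-buffered each line shows up immediately; drop the
# option from the first grep and nothing appears until timeout kills tail.
live_demo() {
    ( for i in 1 2 3; do
          sleep 1
          echo "Jan 10 10:01:0$i mx1 postfix/qmgr[1234]: AA00000000$i: from=<u$i@domain.com>, size=100, nrcpt=1 (queue active)" >> "$SAMPLE_LOG"
      done ) &
    timeout 5 tail -n 0 -f "$SAMPLE_LOG" | mail_from_filter
}

# Run as: sh script.sh --live   (otherwise only the one-shot filter runs)
if [ "${1:-}" = "--live" ]; then
    live_demo
else
    filter_sample
fi
```

GNU coreutils also ships stdbuf, so a stage that has no line-buffering option of its own (such as cut) can be forced to line-buffer with `stdbuf -oL cut ...`; that is an addition here, not something the post covers.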
