tail -f: follow log file changes in real time
tail -f /var/log/application.log
grep: filter for key information in real time
tail -f /var/log/nginx/access.log | grep "404"
awk: extract and format data in real time
tail -f /var/log/auth.log | awk '/Failed password/ {print $1,$2,$3,$9,$11}'
multitail: multi-window log monitoring
multitail -cS apache /var/log/apache2/access.log -cS syslog /var/log/syslog
lnav: the log file navigator
lnav /var/log/application.log
jq: process JSON-formatted logs
tail -f /var/log/app.json | jq '.'
Configuration example:
# Logstash configuration example
input {
  file {
    path => "/var/log/nginx/access.log"
    start_position => "beginning"
  }
}
filter {
  grok {
    match => { "message" => "%{COMBINEDAPACHELOG}" }
  }
}
output {
  elasticsearch {
    hosts => ["localhost:9200"]
  }
}
Lightweight log collector configuration (Fluentd syntax):
<source>
  @type tail
  path /var/log/app.log
  pos_file /var/log/app.log.pos
  tag app
  format none
</source>
<match app>
  @type elasticsearch
  host localhost
  port 9200
  logstash_format true
</match>
tail -f /var/log/app.log | awk '/ERROR/ {system("notify-send \"Error detected\" \"" $0 "\"")}'
tail -f /var/log/auth.log | awk '/Failed password/ {print $11}' | sort | uniq -c | sort -nr
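As an added example (not code from the original page), a shell script that counts failed SSH logins per source address the way the pipeline above does, but locates the address by the `from` keyword instead of a fixed column: on lines of the form `Failed password for invalid user NAME from IP` the address sits in `$13`, not `$11`, so `print $11` silently counts user names there. The sample lines, the `--demo` flag and the threshold are constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): count failed SSH logins per
# source address from auth.log-style lines and flag sources over a threshold.
# The address is found by the "from" keyword, so both line shapes
# ("Failed password for USER from IP" and "... for invalid user USER from IP")
# are counted, which a fixed-column awk '{print $11}' does not handle.
set -eu

# Constructed sample lines, not real log data.
SAMPLE_AUTH_LOG='Jan 10 10:01:02 host sshd[1001]: Failed password for root from 203.0.113.5 port 50022 ssh2
Jan 10 10:01:05 host sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 50023 ssh2
Jan 10 10:01:09 host sshd[1003]: Failed password for alice from 198.51.100.7 port 40010 ssh2
Jan 10 10:01:12 host sshd[1004]: Accepted password for alice from 198.51.100.7 port 40011 ssh2
Jan 10 10:01:15 host sshd[1005]: Failed password for invalid user test from 203.0.113.5 port 50024 ssh2'

# failed_by_ip: read log lines on stdin, print "COUNT IP" sorted by count, descending.
failed_by_ip() {
  awk '$5 ~ /^sshd\[/ && /Failed password for/ {
         for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
       }
       END { for (a in n) print n[a], a }' | sort -rn
}

# flag_sources THRESHOLD: print only the addresses with at least THRESHOLD failures.
flag_sources() {
  failed_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# Stand-alone demo on the sample. For a real file, feed it from the page's
# tail -f pipeline; note that awk's END block only runs when the input ends,
# so this gives batch counts, not a continuously updating view.
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_AUTH_LOG" | flag_sources 3
fi
```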
#!/bin/bash
# Follow only new lines of the log and e-mail every CRITICAL entry
tail -fn0 /var/log/app.log | \
while IFS= read -r line; do
    if echo "$line" | grep -q "CRITICAL"; then
        echo "$line" | mail -s "CRITICAL ERROR DETECTED" admin@example.com
    fi
done
Use more efficient tools:
ag (The Silver Searcher) as a faster replacement for grep
ripgrep (rg) for searching large log files
Log rotation strategy:
logrotate keeps log files from growing too large:
/var/log/app.log {
    daily
    rotate 7
    compress
    delaycompress
    missingok
    notifempty
}
Output buffering (line-buffered, so matches are written as soon as they arrive):
tail -f /var/log/large.log | stdbuf -oL grep "pattern" > output.txt
Log file permissions:
chmod 640 /var/log/app.log
chown root:adm /var/log/app.log
Sensitive-information filtering:
tail -f /var/log/app.log | sed 's/\(password\)=\([^&]*\)/\1=******/g'
Encrypted transport:
ssh user@remote-host "tail -f /var/log/remote.log" | grep "error"
Grafana real-time dashboards
Kibana Discover
Custom terminal dashboard:
watch -n 1 "tail -n 20 /var/log/app.log | grep --color=always 'ERROR\|WARN'"
By combining the methods and tools above, you can build an efficient, real-time Linux application log analysis system that covers everything from simple monitoring to complex analysis.