Log File Navigator

Charly's Column – lnav

Article from Issue 223/2019
Author(s):

During a long trek through the verbose syslog, really important warnings and errors are scattered along the path. Sometimes a missing message can be the decisive event. Sys admin columnist Charly has now hired a tracker to help him search for clues: Log File Navigator.

Searching in logfiles is the sys admin's bread and butter. Finding a specific piece of information often requires long cascades of grep commands. What makes this even more difficult is if a log message that I expect every five minutes is delayed. Of course, this is a warning signal, but I can't use grep to figure this out. What can draw my attention to the fact that warning messages are piling up? These difficulties prompted me to onboard Log File Navigator (lnav, [1] ).

If you launch lnav without any options, it opens /var/log/syslog (Figure 1). Using:

lnav /var/log/syslog*
Figure 1: lnav not only displays logs, but also waits for keystrokes.

makes more sense, because it then includes older syslog files – whether compressed or not. lnav bears the name "Navigator," because it makes it easy to walk through the logfiles in small steps or giant leaps. For example, Shift+D beams you back 24 hours into the past, and pressing D without Shift takes you back to the present. Shift+1 lets you jump back to 10 minutes after the last full hour, while Shift+2 jumps back to 20 minutes after the last full hour, and so on. Shift+G always takes you to the end of the log.

Searching is easy, too. You simply type / followed by a search term. Besides strings, lnav also accepts regular expressions, which makes complex and fuzzy searches possible. N and Shift+N let you jump between the hits. A search function using SQL syntax is currently still experimental.

W and Shift+W jump to the next/previous warning, while E and Shift+E jump to errors. Great stuff: S and Shift+S navigate to events that are out of sync – such as delayed events.

lnav keeps statistics in the background. The History view (Figure 2) proves to be practical. It displays a graph showing the number of messages received and the proportion of warnings and errors. In the screenshot, the entries are totaled in 10-minute blocks. Z and Shift+Z let you zoom in and out of the time periods.

Figure 2: History view: lnav records the messages as totals – of 10 minutes duration in this case.

Once you have familiarized yourself with the keyboard shortcuts, working with lnav will be as easy as pie for you. I only mentioned what are the most important shortcuts for me here; the complete list is available under "Hotkey Reference" on [2]. If I could wish for something in a future version, it would be more color schemes. I like to work with dark screens, but some color-highlighted areas in the log are not easy to read.

The Author

Charly Kühnast manages Unix systems in the data center in the Lower Rhine region of Germany. His responsibilities include ensuring the security and availability of firewalls and the DMZ.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Tool Tips

    Six Linux tools reviewed: FISH 2.0.0, BAD 0.0.2, BLINK, FPING 3.5, LNAV 0.5.0, TOMB 1.4

  • Tempus Fugit

    Charly Kühnast, sys admin columnist for 15 years, is searching for lost microseconds.

  • Charly's Column

    Using SQL to sift syslog data out of a database is an admittedly universal, but also fairly convoluted approach. phpLogCon, with its web interface, gives admins an easier option.

  • Glogg

    Programmers and Linux administrators appreciate the benefits of event logs. The Glogg tool is the perfect choice for searching even large logfiles.

  • Charly's Column: Terminator

    Friends are all about friendship – names and appearances typically don’t play any role at all. Sys admin Charly’s friend the Terminator is a convincing example.

comments powered by Disqus

Direct Download

Read full article as PDF:

Price $2.95

News