Charly's Column – lnav

Searching in logfiles is the sys admin's bread and butter. Finding a specific piece of information often requires long cascades of grep commands. What makes this even more difficult is if a log message that I expect every five minutes is delayed. Of course, this is a warning signal, but I can't use grep to figure this out. What can draw my attention to the fact that warning messages are piling up? These difficulties prompted me to onboard Log File Navigator (lnav, [1] ).

If you launch lnav without any options, it opens /var/log/syslog (Figure 1). Using:

lnav /var/log/syslog*

Figure 1: lnav not only displays logs, but also waits for keystrokes.

makes more sense, because it then includes older syslog files – whether compressed or not. lnav bears the name "Navigator," because it makes it easy to walk through the logfiles in small steps or giant leaps. For example, Shift+D beams you back 24 hours into the past, and pressing D without Shift takes you back to the present. Shift+1 lets you jump back to 10 minutes after the last full hour, while Shift+2 jumps back to 20 minutes after the last full hour, and so on. Shift+G always takes you to the end of the log.

Searching is easy, too. You simply type / followed by a search term. Besides strings, lnav also accepts regular expressions, which makes complex and fuzzy searches possible. N and Shift+N let you jump between the hits. A search function using SQL syntax is currently still experimental.

W and Shift+W jump to the next/previous warning, while E and Shift+E jump to errors. Great stuff: S and Shift+S navigate to events that are out of sync – such as delayed events.

lnav keeps statistics in the background. The History view (Figure 2) proves to be practical. It displays a graph showing the number of messages received and the proportion of warnings and errors. In the screenshot, the entries are totaled in 10-minute blocks. Z and Shift+Z let you zoom in and out of the time periods.

Figure 2: History view: lnav records the messages as totals – of 10 minutes duration in this case.

Once you have familiarized yourself with the keyboard shortcuts, working with lnav will be as easy as pie for you. I only mentioned what are the most important shortcuts for me here; the complete list is available under "Hotkey Reference" on [2]. If I could wish for something in a future version, it would be more color schemes. I like to work with dark screens, but some color-highlighted areas in the log are not easy to read.