π Log Analysis Mastery: The Ultimate Cheat Sheet
Command
Description
Example
catπ Display entire log file
cat /var/log/syslog
lessπ View log file with pagination
less /var/log/auth.log
tailπ View end of log file
tail /var/log/apache2/access.log
headπ View beginning of log file
head /var/log/mysql/error.log
tail -fπ Follow log file in real-time
tail -f /var/log/syslog
π Searching and Filtering
Command
Description
Example
grepπ Search for patterns in logs
grep "error" /var/log/syslog
egrep㪠Extended grep (supports regex)
egrep "error|warning" /var/log/syslog
fgrepπ Fast grep (literal strings only)
fgrep "literal string" /var/log/syslog
zgrepποΈ Search compressed log files
zgrep "error" /var/log/syslog.1.gz
sedπ Stream editor for filtering/transforming
sed -n '/error/p' /var/log/syslog
awkπ§ Pattern scanning and processing
awk '/error/ {print $0}' /var/log/syslog
Tool
Description
Example
logwatchπ Summarize log files
logwatch --detail high
goaccessπ Real-time web log analyzer
goaccess /var/log/apache2/access.log
lnavπ Log file navigator
lnav /var/log/syslog
multitailπ Monitor multiple log files
multitail /var/log/syslog /var/log/auth.log
journalctlπ Query systemd journal
journalctl -u nginx.service
π°οΈ Time-based Log Analysis
Command
Description
Example
date -dπ
Convert log timestamps
date -d "2023-05-01 14:30:00" +%s
awk with timeβ±οΈ Filter logs by time
awk '$1$2 >= "2023-05-01 14:30:00" && $1$2 < "2023-05-01 15:00:00"' /var/log/syslog
sed with timeπ°οΈ Extract time range
sed -n '/2023-05-01 14:30:00/,/2023-05-01 15:00:00/p' /var/log/syslog
Command
Description
Example
wc -lπ’ Count log entries
wc -l /var/log/auth.log
sort | uniq -cπ Count unique entries
cat /var/log/auth.log | sort | uniq -c | sort -nr
cut -d' ' -f4 | sort | uniq -cπ Count events by field
cat /var/log/auth.log | cut -d' ' -f4 | sort | uniq -c | sort -nr
Command
Description
Example
logrotateπ Rotate, compress, and mail logs
logrotate /etc/logrotate.conf
ls -lth /var/logπ List log files by modification time
ls -lth /var/log | head
Command
Description
Example
sudoπ Run commands with superuser privileges
sudo tail /var/log/auth.log
zcatποΈ View compressed log files
zcat /var/log/syslog.2.gz
zlessπ View compressed logs with pagination
zless /var/log/syslog.2.gz
Technique
Description
Example
Combining tools
π Use pipes to combine commands
grep "error" /var/log/syslog | awk '{print $1, $2, $3}'
Regular expressions
π¬ Use regex for complex pattern matching
grep -E "error|warning" /var/log/syslog
Log parsing scripts
π Write custom scripts for log analysis
#!/bin/bash\ngrep "error" $1 | awk '{print $1, $2}'
π Always check log locations in /etc/rsyslog.conf or /etc/syslog-conf
π Use grep -v to exclude patterns from your search
π’ Use sed -n '10,20p' to view specific line ranges in a log file
π Combine sort, uniq, and cut for powerful log analysis
π Remember to use sudo when accessing system logs
ποΈ Use zgrep, zcat, and zless for compressed logs
π Set up log rotation to manage log file sizes
π Use watch command to repeatedly run log analysis commands
π°οΈ Convert timestamps to epoch time for easier comparison
π§ Learn awk for powerful text processing in logs
π Example: Complex Log Analysis #! /bin/bash# Count HTTP status codes in Apache access logecho " HTTP Status Code Distribution:" ' {print $9}' | sort | uniq -c | sort -rn
# Find top 10 IP addressesecho -e " \nTop 10 IP Addresses:" ' {print $1}' | sort | uniq -c | sort -rn | head -n 10
# Count errors in syslog for the last hourecho -e " \nErrors in syslog (last hour):" $( date -d ' 1 hour ago' ' +%Y-%m-%d %H:%M:%S' ) ' $0 > date && /error/' | wc -l
# Find failed SSH login attemptsecho -e " \nFailed SSH Login Attempts:" " Failed password" | awk ' {print $11}' | sort | uniq -c | sort -nr
# Monitor real-time error rateecho -e " \nReal-time Error Rate (Ctrl+C to stop):" | grep --line-buffered " error" | awk ' {print $1, $2, $3}' |
while read date ; do
echo " $( date) " ;
done | uniq -cRemember, log analysis is crucial for system administration and security. Always handle logs securely and respect privacy concerns! ππ
