First, you get the error because you are using a text editor for this. This means that every time you open the file, edit and save it, the original is overwritten with the new contents. Whether you added a single line to the end or 100 lines all over the place is irrelevant, the point is that the file is being opened, edited and saved and that overwrites the contents.
For example, compare your workflow to running this:
for((i=0;i<20;i++)); do echo $i >> file.txt; sleep 1; done
That will write a number to `file.txt` every second for twenty seconds. If you open another terminal and run `tail -fn 0 file.txt`, you will see the output you expect.
So, to get the desired behavior add the text to the file using `>>` from a terminal instead of manually editing it.
More details
`nano` seems to be the odd one out here. Most editors when opening a file then saving it will actually delete the original file and save a new one with the same name. You can test this by checking the inode number of the file:
$ ls -il file.txt
16647801 -rw-r--r-- 1 terdon terdon 9 Apr 6 18:19 file.txt
Files are simply hardlinks to specific inodes, in this case, `file.txt` points to inode `16647801`. Now, open the file in `gedit`, add a line and check the inode again:
$ gedit file.txt
$ ls -il file.txt
16647854 -rw-r--r-- 1 terdon terdon 13 Apr 6 18:23 file.txt
As you see, the inode number has changed, in other words, the original file was removed and a new one was created. `nano` does not do that, trying the same thing with `nano` does not change the inode. It does, however, delete the original contents overwriting them with the new contents. That's why `tail` actually shows the output, if you try it and edit the file with `gedit` (or `emacs` or a number of other editors), the extra lines you add won't be shown in the output of `tail` at all.
Well, your pasted data has some useful info: `COMMAND=/usr/bin/env -u LANGUAGE LC_MESSAGES=C /bin/sh /tmp/tmpBHXhYV/:script:`
So `env` was called to execute `/tmp/tmpBHXhYV/:script:` with `sh`. If that file is still there, it might help you. It was not called from a TTY, so probably from within another running application.
Best Answer
Let's say your log has the following structure:
We can get all lines from the first occurrence of `05/Mar/2020:11` to the end `$` of the file by using `sed` in the following way:
The option `-n` will suppress the normal output of `sed`, but the flag `p` will print the matched part of the file.
Note, if there isn't any record that matches `05/Mar/2020:11`, `sed` won't provide any output.
We can automate the above with the help of the commands `date` and `eval`:
`sed` with double quote marks and variable within the expression doesn't provide the desired output in this case. `eval`.
`LANG=C` (`LANG=en_us_88591`) stands in order to get the desired date format, because, for example, in my case the default value of this envvar is `bg_BG.UTF-8`.
You can create a script, based on the two lines above - examples of such script:
apache2 : How to search a string from apache2 error logs in specific time range?
modsecurity-whitelist-rule-generator.bash - that parses events within ModSecurity's `modsec_audit.log` by their unique-id, and then generates whitelist rules for ModSecurity.
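
The time-window extraction described in the answer above, as an added example (not the answer author's code). It assumes Apache's default `[dd/Mon/yyyy:hh:mm:ss zone]` timestamp and GNU `date`; `hour_stamp`, `lines_since`, `write_sample_log` and the sample log lines are constructed for illustration. It validates the stamp and passes it to `sed` with `|` as the address delimiter instead of using `eval`, and returns a non-zero status when the hour has no entries.

```shell
#!/bin/sh
# Added example: print an Apache access log from the first entry of a given hour to EOF.

# Stamp for N hours ago, e.g. 05/Mar/2020:11 (GNU date assumed).
# LC_ALL=C forces English month abbreviations, matching what Apache writes.
hour_stamp() {
    LC_ALL=C date --date="${1:-1} hours ago" +'%d/%b/%Y:%H'
}

# lines_since STAMP FILE
# Prints FILE from the first line containing "[STAMP:" to the end.
# Returns 2 for a malformed stamp, 1 (no output) when no entry matches.
lines_since() {
    stamp=$1
    file=$2
    # Accept only dd/Mon/yyyy:hh so the value is safe to place in the sed script.
    case $stamp in
        [0-9][0-9]/[A-Z][a-z][a-z]/[0-9][0-9][0-9][0-9]:[0-9][0-9]) ;;
        *) return 2 ;;
    esac
    # sed alone stays silent when nothing matches; report that case explicitly.
    grep -qF "[${stamp}:" "$file" || return 1
    # \|...| makes "|" the address delimiter, so the slashes need no escaping.
    sed -n "\|\[${stamp}:|,\$p" "$file"
}

# Constructed sample log (documentation addresses, invented requests).
write_sample_log() {
    cat > "$1" <<'EOF'
192.0.2.10 - - [05/Mar/2020:10:58:01 +0200] "GET / HTTP/1.1" 200 512
192.0.2.10 - - [05/Mar/2020:11:02:17 +0200] "GET /login HTTP/1.1" 200 734
198.51.100.7 - - [05/Mar/2020:11:40:09 +0200] "POST /login HTTP/1.1" 401 210
198.51.100.7 - - [05/Mar/2020:12:03:44 +0200] "POST /login HTTP/1.1" 401 210
EOF
}

# Demo on the constructed log: everything from the 11:00 hour onward.
log=$(mktemp)
write_sample_log "$log"
lines_since '05/Mar/2020:11' "$log"
rm -f "$log"
```

For the last hour of a real log, call `lines_since "$(hour_stamp 1)" /path/to/access.log` and check the exit status before treating empty output as "no traffic".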