Ubuntu – Tail the “in the last hour written lines from a log file” is it possible

command linelog

I am trying to grep looking for a pattern in to a log file, but I need the last hour of the log file. A tail -n XX will not work. Does anybody know if this is possible? Some kind of tail the "in the last hour written lines from a log file"

If there is any command or procedure I appreciate that.

Thanks a lot

Best Answer

Let's say your log have the following structure:

219.369.42.449 - - [05/Mar/2020:11:05:17 +0200] "log line"
219.369.42.449 - - [05/Mar/2020:11:06:37 +0200] "log line"
219.369.42.449 - - [05/Mar/2020:12:01:14 +0200] "log line"
219.369.42.449 - - [05/Mar/2020:12:07:23 +0200] "log line"

We can get all lines from the first occurrence of 05/Mar/2020:11 to the end $ of the file by using sed in the following way:

sed -n '/05\/Mar\/2020:11/,$p' "/path/to/file.log"

The option -n will suppress the normal output of sed, but the flag p will print the matched part of the file.
Note, if there isn't presented any record that mach to 05/Mar/2020:11, sed wont provide any output.

We can automate the above by the help of the commands date and eval:

COMMAND="sed -n '/$(LANG=C date --date='1 hour ago' "+%d\/%b\/%Y:%H")/,\$p'"
eval $COMMAND \"/path/to/file.log\"

Using sed with double quote marks and variable within the expression doesn't provide the desired output in this case.
So we first constructing the command as string and convert it to a real command by eval.
LANG=C (LANG=en_us_88591) stands in order to get the desired date format, because, for example, in my case the default value of this envvar is bg_BG.UTF-8.

You can create a script, based on the two lines above - examples of such script:

apache2 : How to search a string from apache2 error logs in specific time range?
modsecurity-whitelist-rule-generator.bash - that parse events within ModSecutity's modsec_audit.log by their unique-id, and then generates whitelist rules for ModSecutity.

More details

nano seems to be the odd one out here. Most editors when opening a file then saving it will actually delete the original file and save a new one with the same name. You can test this by checking the inode number of the file:

$ ls -il file.txt
16647801 -rw-r--r-- 1 terdon terdon 9 Apr  6 18:19 file.txt

Files are simply hardlinks to specific inodes, in this case, file.txt points to inode 16647801. Now, open the file in gedit, add a line and check the inode again:

$ gedit file.txt
$ ls -il file.txt
16647854 -rw-r--r-- 1 terdon terdon 13 Apr  6 18:23 file.txt

As you see, the inode number has changed, in other words, the original file was removed and a new one was created. nano does not do that, trying the same thing with nano does not change the inode. It does, however, delete the original contents overwriting them with the new contents. That's why tail actually shows the output, if you try it and edit the file with gedit (or emacs or a number of other editors), the extra lines you add won't be shown in the output of tail at all.

Ubuntu – How to identify the program that has written information to a log file

Well, your pasted data has all some useful info: COMMAND=/usr/bin/env -u LANGUAGE LC_MESSAGES=C /bin/sh /tmp/tmpBHXhYV/:script:

So env was called to execute ~/tmp/tmpBHXhYV/:script:` with sh. If that file is still there, it might help you. It was not called from a TTY, so probably from within another running application.

Best Answer

Related Solutions

Ubuntu – ‘tail’ command not getting only the new lines

More details

Ubuntu – How to identify the program that has written information to a log file

Related Question