Shell command to monitor changes in a file

Question

I know there was a command on Unix that I could use to monitor a file and see changes that are getting written to it. This was quite useful especially for checking log files.

Do you know what it is called?

Answer 1

Do you mean

tail -f logfile.log

?

(Man page for tail)

Answer 2

You probably meant tail, as per Jon Skeet's answer.

Another useful one is watch; it allows you to run a command periodically and see the output full screen. For example:

watch -n 10 -d ls -l /var/adm/messages

Will run the command ls -l /var/adm/messages every 10 seconds, and highlight the difference in the output between subsequent runs. (Useful for watching how quickly a logfile is growing, for example).

Answer 3

inotifywait from inotify-tools is useful if you want to run a command every time a file (or any files in a directory) change. For example:

inotifywait -r -m -e modify /var/log | 
   while read file_path file_event file_name; do 
       echo ${file_path}${file_name} event: ${file_event}
   done

output:

Setting up watches.  Beware: since -r was given, this may take a while!
Watches established.
/var/log/messages event: MODIFY
/var/log/kern event: MODIFY
...

Answer 4

I prefer using less +FG¹ over tail -f because I find myself needing to search a log file for a specific error or ID. If I need to search for something, I type ^C to stop following the file and ? to start searching backwards.

Key bindings are pretty much the same as in vi. Any command can be initialized on startup using the + option:

+cmd   Causes  the  specified  cmd  to be executed each time a new file is
       examined.  For example, +G causes less to  initially  display  each
       file starting at the end rather than the beginning.

For really long logs, I find it convenient to use the -n option which turns off line numbering. From the manpage:

-n or --line-numbers
          Suppresses line numbers.  The default (to use line numbers)  may
          cause  less  to run more slowly in some cases, especially with a
          very large input file.  Suppressing line  numbers  with  the  -n
          option  will  avoid this problem.  Using line numbers means: the
          line number will be displayed in the verbose prompt and in the =
          command,  and the v command will pass the current line number to
          the editor (see also  the  discussion  of  LESSEDIT  in  PROMPTS
          below).

---

_{1. Hat-tip to rgmarcha for pointing this out in the comments.}

Answer 5

tail is great ... less can also be used start less on the file i.e. less myfile then press Shift+F. This has less act as tail.

Answer 6

I'm editing a LaTeX file and wanted to monitor it also for changes somewhere in the middle. I whipped up the following little shell script that proved useful to me. I hope it'll also come in handy to someone else.

#!/bin/bash
FILE="$1"
CMD="$2"
LAST=`ls -l "$FILE"`
while true; do
  sleep 1
  NEW=`ls -l "$FILE"`
  if [ "$NEW" != "$LAST" ]; then
    "$CMD" "$FILE"
    LAST="$NEW"
  fi
done

Save it as watch.sh and do chmod u+x watch.sh. Then I execute it as follows:

./watch.sh file.tex pdflatex

If you want the command only to be run if actual modification takes place, you can use `md5sum "$FILE"` instead of `ls -l "$FILE"`.

Answer 7

you can use the tailf command its very easiest one

tailf logfile.log

Answer 8

You can also use inotifywatch/inotifywait which hook into the kernels inotify subsystem. This way you can also watch for things like "open", "close" or "access".

But if you're simply want to get appended lines to stdout i agree on tail.

Answer 9

If I want to be able to search around the file in addition to just tailing it, I use less with the "F" command.

When using tail, keep in mind that additional arguments are needed if the file might be rolling over or replaced by edit (default mode for vim's :w).

tail -f <filename> will cause tail to store the file descriptor and follow it. If the file is replaced the descriptor will be changed. The benefit of following the file descriptor is that if the file is renamed, you will still be following it.

tail --follow=<filename> will make tail track the named file by reopening it periodically to see if it has been replaced.

--retry is another useful option if you want to tail a log file but the file hasn't been created yet.

tail -F <filename> is a shortcut for --follow=<filename> --retry.

Answer 10

Tail is the standard, traditional, available everywhere unix tool. A little more sophisticated tool is multitail which can monitor several files simultaneously and does syntax highlighting.

Answer 11

Forget tailf, diff is the command you want. Here is a good trick to watch the differences as they happen in real time (or close) between 2 files or in one file being written to.

You can use these methods to modify the behavior whatever way you want, such as writing the changes to a file to keep record. Play around with the interval of watch or other options for the commands below.

You have 1 file and you want to watch as changes are made to it:

So heres what to do:

1. copy the file

   cp file file2
   

2. write a bash script to find the differences, and update file2

   touch check-differences.sh
   nano check-differences.sh
   chmod 755 check-differences.sh
   

3. Here's a basic idea for the script. Make it write to a file if you want

   #!/bin/bash
   diff file file2
   cp file file2
   

4. Next you can either watch the differences on screen using watch

   watch ./check-differences
   

this will update every 2 seconds by default. So if you need to go back and read them, then write the output of diff to a file in the script.

Or use cron to run your script regularly if you don't need to see output.

Answer 12

I used this, to execute some function on file change:

sudo apt-get install inotify-hookable
inotify-hookable -w ./my_dir_to_monitor  -c "mkdir blabla"

Answer 13

While tail -f somefile.txt keeps scrolling with new data, I sometimes prefer less +G somefile.txt as well to look at a patch of latest data in the file.