How to monitor log files live in Linux

For many sysadmins, watching the activity on a particular server is crucial: who is logging on, and what they are doing once they are in. Keeping an eye on this helps keep the environment secure and lets you spot an unauthorized intrusion early. Here's how to track logs live in the shell terminal.

Tail

The tail program can follow any file as it grows. Following a file occupies the shell terminal, so you won't be able to do anything else in it until you hit CTRL+C to exit. It is best to open a second SSH session for this.

Whenever a new event is logged, it shows up in tail. We're going to follow SSH connections live on Debian/Ubuntu, where syslog (rsyslog) writes authentication events to the standard auth.log file located in /var/log/.

sudo tail -f /var/log/auth.log
Feb  7 10:50:01 host CRON[1351]: pam_unix(cron:session): session closed for user root
Feb  7 11:00:01 host CRON[1368]: pam_unix(cron:session): session opened for user root by (uid=0)
Feb  7 11:00:01 host CRON[1368]: pam_unix(cron:session): session closed for user root
Feb  7 11:04:21 host sshd[1382]: Accepted password for $user from 192.168.1.6 port 53627 ssh2
Feb  7 11:04:21 host sshd[1382]: pam_unix(sshd:session): session opened for user $user by (uid=0)
Feb  7 11:04:21 host systemd-logind[422]: New session 23 of user $user.
Feb  7 11:04:21 host systemd: pam_unix(systemd-user:session): session opened for user $user by (uid=0)
Feb  7 11:04:24 host su: (to root) $user on pts/0
Feb  7 11:04:24 host su: pam_unix(su:session): session opened for user root by $user(uid=1000)

You will see something like this. As users connect or attempt to authenticate via ssh, new entries are appended to the log file automatically. Each sshd line shows the host (the local machine), whether the attempt was accepted or failed, the authentication method, the user, and the source IP address and port they are connecting from. The su lines that follow show the same user switching to root, which is exactly the kind of activity worth watching. One caveat: tail -f keeps reading the file it originally opened, so after logrotate rotates auth.log you will silently stop seeing new entries; tail -F reopens the file by name and is the safer choice for long-running sessions.
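Watching the raw stream scroll by is fine for a quick look, but in practice you pipe it through a filter. The following is an added example, not code from the original article: a small POSIX shell script that reduces auth.log-style lines to one line per sshd authentication result (accepted or failed, method, user, source IP) and tallies failed attempts per source address. The sample log lines embedded in it are constructed for the example, and the user names and addresses in them are made up.

```bash
#!/bin/sh
# Added example, not from the original article: filter SSH login events out of
# an auth.log-style stream.
#
# Live use on Debian/Ubuntu (tail -F survives logrotate, unlike -f):
#   sudo tail -F /var/log/auth.log | ssh_events
# journalctl's default "short" output has the same field layout, so on a
# journald host the same filter works on its follow mode:
#   sudo journalctl -f -u sshd.service | ssh_events

# Constructed sample lines in the format shown in the article. Names and
# addresses are invented for this example.
SAMPLE_LOG='Feb  7 11:00:01 host CRON[1368]: pam_unix(cron:session): session opened for user root by (uid=0)
Feb  7 11:04:21 host sshd[1382]: Accepted password for alice from 192.168.1.6 port 53627 ssh2
Feb  7 11:04:30 host sshd[1390]: Failed password for root from 203.0.113.9 port 41022 ssh2
Feb  7 11:04:33 host sshd[1390]: Failed password for invalid user admin from 203.0.113.9 port 41030 ssh2
Feb  7 11:05:02 host sshd[1402]: Accepted publickey for bob from 192.168.1.7 port 50110 ssh2: ED25519 SHA256:abc'

# ssh_events: read log lines on stdin, print "<RESULT> <method> <user> <ip>"
# for every sshd authentication result. Lines from other programs (cron, su,
# systemd-logind) are dropped. Field numbers refer to whitespace-separated
# words: $5 is the "sshd[PID]:" tag, $6 is Accepted/Failed, $7 the method.
ssh_events() {
    awk '
        $5 ~ /^sshd\[/ && ($6 == "Accepted" || $6 == "Failed") {
            result = $6; method = $7
            # "Failed password for invalid user NAME from IP ..." carries two
            # extra words before the user name, so the fields shift by two.
            if ($9 == "invalid" && $10 == "user") { user = $11; ip = $13 }
            else                                  { user = $9;  ip = $11 }
            print result, method, user, ip
        }'
}

# failed_by_ip: count failed logins per source address, busiest first.
# awk only prints at end of input, so run this over a window of the log
# (e.g. tail -n 1000 /var/log/auth.log | failed_by_ip), not on a live -f stream.
failed_by_ip() {
    ssh_events | awk '$1 == "Failed" { n[$4]++ } END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Run the filters over the constructed sample when executed directly.
printf '%s\n' "$SAMPLE_LOG" | ssh_events
printf '%s\n' "$SAMPLE_LOG" | failed_by_ip
```

The awk field positions are what make this work, and they are also its weak point: the layout above is the traditional syslog one (month, day, time, host, tag, message). If you change the log format or add high-precision timestamps, re-count the fields before trusting the output.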

Not every distribution keeps an auth.log. On CentOS/RHEL, rsyslog writes authentication messages to /var/log/secure instead, and the same tail command works on that file. These systems also offer another route through the systemd journal. Let's take a look at CentOS/RHEL.

CentOS/RHEL

On CentOS, Red Hat and other systemd-based distributions, logs are also collected by systemd-journald, which is queried with journalctl rather than by reading a text file. Using journalctl to show log entries for the ssh daemon is done like this:

sudo journalctl -u sshd.service

This displays a log similar to syslog's. The -u option restricts the output to the systemd unit sshd.service. Now we are going to use something similar to tail: watch.

sudo watch -n 2 journalctl -u sshd.service

This re-runs the journalctl command and redraws its output every couple of seconds (the interval is set with -n; the default is 2), so new entries for the unit appear as they are logged. watch can wrap any command whose output you want refreshed. One caveat: watch shows the first screenful of the command's output, so on a host with a long journal you will be looking at the oldest sshd entries rather than the newest. Limit journalctl to the last few lines (-n 20) or use its own follow mode, journalctl -f -u sshd.service, which behaves like tail -f and is the usual way to watch a unit live.

Again, you can exit with CTRL+C.