Lệnh watch và tail có thể giúp theo dõi hoạt động trên hệ thống Linux. Bài đăng này xem xét một số cách hữu ích để sử dụng các lệnh này.
The watch and tail commands provide some interesting options for examining activity on a Linux system in an ongoing manner.
That is, instead of just asking a question and getting an answer (like asking who and getting a list of currently logged in users), you can get watch to provide you with a display showing who is logged in along with updates as users come and go.
With tail, you can display the bottoms of files and see content as it is added. This kind of monitoring is often very helpful and requires less effort than running commands periodically.
One of the simplest examples of using watch is to use the command watch who. You should see a list showing who is logged in along with when they logged in and where they logged in from. Notice that the default is to update the display every two seconds (top left) and that the date and time (upper right) updates itself at that interval. The list of users will grow and shrink as users log in and out.
$ watch who
This command will dissplay a list of logins like this:
Every 2.0s: who dragonfly: Thu Feb 27 10:52:00 2020 nemo pts/0 2020-02-27 08:07 (192.168.0.11) shs pts/1 2020-02-27 10:58 (192.168.0.5)
You can change the interval to get less frequent updates by adding a -n option (e.g., -n 10) to select a different number of seconds between updates.
$ watch -n 10 who
The new interval will be displayed and the time shown will change less frequently, aligning itself with the selected interval.
Every 10.0s: who dragonfly: Thu Feb 27 11:05:47 2020 nemo pts/0 2020-02-27 08:07 (192.168.0.11) shs pts/1 2020-02-27 10:58 (192.168.0.5)
If you prefer to see only the command’s output and not the heading (the top 2 lines), you can omit those lines by adding the -t (no title) option.
$ watch -t who
Your display will then look like this:
nemo pts/0 2020-02-27 08:07 (192.168.0.11) shs pts/1 2020-02-27 10:58 (192.168.0.5)
If every time the watched command runs, its output is the same, only the title line (if not omitted) will change. The rest of the displayed information will stay the same.
If you want your watch command to exit as soon as the output of the command that it is watching changes, you can use a -g (think of this as the “go away”) option. You might choose to do this if, for example, you are simply waiting for others to start logging into the system.
You can also highlight changes in the displayed output using the -d (differences) option. The highlighting will only last for one interval (2 seconds by default), but can help to draw your attention to the changes.
Here’s a more complex example of using the watch command to display services that are listening for connections and the ports they are using. While the output isn’t likely to change, it would alert you to any new service starting up or one going down.
$ watch 'sudo lsof -i -P -n | grep LISTEN'
Notice that the command being run needs to be enclosed in quotes to ensure that the watch command doesn’t send its output to the grep command.
Using the watch -h command will provide you with a list of the command’s options.
$ watch -h Usage: watch [options] command Options: -b, --beep beep if command has a non-zero exit -c, --color interpret ANSI color and style sequences -d, --differences[=<permanent>] highlight changes between updates -e, --errexit exit if command has a non-zero exit -g, --chgexit exit when output from command changes -n, --interval <secs> seconds to wait between updates -p, --precise attempt run command in precise intervals -t, --no-title turn off header -x, --exec pass command to exec instead of "sh -c" -h, --help display this help and exit -v, --version output version information and exit
Using tail -f
The tail -f command has something in common with watch. It will both display the bottom of a file and additional content as it is added. Instead of having to run a “tail” command again and again, you run one command and get a repeatedly updated view of its output. For example, you could watch a system log with a command like this:
$ tail -f /var/log/syslog
Some files, like /var/log/wtmp, don’t lend themselves to this type of handling because they’re not formatted as normal text files, but you could get a similar result by combining watch and tail like this:
watch 'who /var/log/wtmp | tail -20'
This command will display the most recent 5 logins regardless of how many of the users are still logged in. If another login occurs, a line will be added and the top line removed.
Every 60.0s: who /var/log/wtmp | tail -5 dragonfly: Thu Feb 27 12:46:07 2020 shs pts/0 2020-02-27 08:07 (192.168.0.5) nemo pts/1 2020-02-27 08:26 (192.168.0.5) shs pts/1 2020-02-27 10:58 (192.168.0.5) nemo pts/1 2020-02-27 11:34 (192.168.0.5) dory pts/1 2020-02-27 12:14 (192.168.0.5)
Both the watch and tail -f commands can provide auto-updating views of information that you might at times want to monitor, making the task of monitoring quite a bit easier whether you’re monitoring processes, logins or system resources.