lnav basics tutorial
Last year, I blogged about lnav.
lnav is a fantastic tool for analysing log files, and after getting a question from CrimsonTome I thought I'd write up a longer-form tutorial on the basics of using it, as I personally find it exceedingly useful.
I'll be using an Ubuntu Server 20.04 instance for this tutorial, but anything Linuxy will work just fine. As mentioned in my previous post, it's available in the default repositories for your distribution. For apt-based systems, install like so:
sudo apt install lnav
Adjust for your own package manager. For example,
pacman-based distributions should do this:
sudo pacman -S lnav
lnav operates on one or more input files. It's common to use logrotate to rotate log files, so to analyse all your logs of a particular type in one go I'd recommend passing the current file and its rotated siblings to lnav together (lnav transparently decompresses gzip-compressed rotations too). In this tutorial I'll be working on the generic syslog logs. On your system you may need to sudo that. Once you've got lnav started, you may need to wait a moment for it to parse all the log files - especially if you have multi-million line logfiles.
After it's finished loading, we can get to analysing the logs at hand. The most recent lines appear at the bottom, and you'll notice that lnav has coloured various parts of each log message - the reason for this will become apparent later on. lnav also tails the files, so new lines appear as they are written to disk.
Use the arrow keys or scroll up / down to navigate log messages.
lnav operates via a command palette system, which if you use GitHub's [Atom IDE](https://atom.io/) or Sublime Text (which is apparently where the feature originated) may already be familiar to you. In lnav's case, it's also crossed with a simple shell. Let's start with the most important command:
To execute a command, simply start typing. Commands in lnav are prefixed with a colon. :filter-out takes a regular expression as its only argument and hides every log line that matches it. Sticking with our earlier syslog theme, a pattern naming a chatty daemon (or a phrase from its message body, since the pattern is matched against the whole line) will hide everything it logged.
You'll notice that once you've finished typing :filter-out, lnav will show you some help in a pane at the bottom of the screen showing you how to use that command.
:filter-out has a twin that's also useful to remember: :filter-in does the opposite - anything that doesn't match the specified pattern is hidden from view. Very useful if you know what kind of log messages you're looking for, and they are a (potentially very small) subset of a much larger and more unstructured log file.
To delete all existing filters and reset the view, hit Ctrl + R.
lnav has many other built-in commands. Check out the full reference here: https://docs.lnav.org/en/latest/commands.html.
The other feature that lnav comes with is also the most powerful: SQLite3 support. By parsing common log file formats (advanced users can extend lnav by defining their own custom formats, but the specifics of how to do this are best left to the lnav documentation), lnav exposes each format as a table, so you can interrogate your log files with arbitrary SQLite queries!
To understand how to query a file, first hit the p key. This shows you how lnav has parsed the log line at the top of the screen, listing each field's name next to the value it extracted (scroll as normal to look at different lines, and hit p again to hide the overlay). Those field names are the column names you'll use in your queries.
Using this information, we can then make an SQL query against the data. The table is named after the log format - syslog_log for syslog. Press semicolon ; to open the SQL query prompt, and then enter something like this:
SELECT * FROM syslog_log WHERE log_procname = 'gitea';
Note the single quotes: in SQL, single quotes delimit string literals and double quotes delimit identifiers. SQLite will quietly fall back to treating "gitea" as a string when no column of that name exists, but that is a misfeature rather than something to rely on.
....hit the enter key when you're done composing your query, and the results should then appear! You can scroll through them just like you do with the regular log viewer - you just can't use :filter-out until you leave the query results window with the q key (this would be a really useful feature though!).
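To show what the SQL side is good for beyond a single WHERE clause, here is an added example that is not part of the original post. It counts failed SSH password attempts per source address across every syslog file you've loaded. It assumes OpenSSH's standard message form (`Failed password for ... from <ip> port <n> ssh2`) and uses lnav's syslog_log columns log_procname, log_body and log_time; the LIMIT of 20 is an arbitrary choice.

```sql
-- Added example: failed SSH password attempts per source IP.
-- Type at lnav's ';' prompt with your syslog files loaded.
-- OpenSSH logs each failure as, for instance:
--   Failed password for invalid user admin from 203.0.113.7 port 51812 ssh2
-- so the source address is the token that follows " from ".
WITH failed AS (
  SELECT log_time,
         substr(log_body, instr(log_body, ' from ') + 6) AS after_from
  FROM syslog_log
  WHERE log_procname = 'sshd'
    AND log_body LIKE 'Failed password for%'
)
SELECT substr(after_from, 1, instr(after_from, ' ') - 1) AS src_ip,
       COUNT(*)      AS attempts,
       MIN(log_time) AS first_seen,
       MAX(log_time) AS last_seen
FROM failed
GROUP BY src_ip
ORDER BY attempts DESC
LIMIT 20;   -- arbitrary cut-off
```

The LIKE prefix filter is what keeps the substr/instr arithmetic safe: every row that reaches the string slicing is guaranteed to contain " from ", so you never slice garbage from an unrelated sshd line. Because the query runs over all loaded files, rotated logs included, first_seen and last_seen tell you whether an address is a slow, persistent guesser or a one-off burst.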
If you're running lnav on your Nginx logs (located in /var/log/nginx/ by default), then I find this query to be of particular use, as it shows which referrers send you the most traffic:
SELECT COUNT(cs_referer) AS count, cs_referer FROM access_log GROUP BY cs_referer ORDER BY COUNT(cs_referer) DESC;
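Grouping is just as handy for spotting abuse. The following is an added example rather than a query from the original post: it flags clients whose requests are mostly 4xx errors, which is what directory brute-forcing and vulnerability scanning look like in an access log. It uses lnav's access_log columns c_ip, sc_status, cs_uri_stem and log_time; the thresholds of 50 requests and 50% errors are arbitrary starting points to tune for your own traffic.

```sql
-- Added example: clients whose traffic is mostly client errors.
-- Type at lnav's ';' prompt with the nginx access logs loaded.
-- sc_status is an integer column, so a BETWEEN comparison yields 0 or 1
-- and can be summed directly.
SELECT c_ip,
       COUNT(*)                                          AS requests,
       SUM(sc_status BETWEEN 400 AND 499)                AS client_errors,
       ROUND(100.0 * SUM(sc_status BETWEEN 400 AND 499) / COUNT(*), 1)
                                                         AS error_pct,
       COUNT(DISTINCT cs_uri_stem)                       AS distinct_paths,
       MIN(log_time)                                     AS first_seen,
       MAX(log_time)                                     AS last_seen
FROM access_log
GROUP BY c_ip
HAVING requests >= 50      -- arbitrary threshold
   AND error_pct >= 50     -- arbitrary threshold
ORDER BY client_errors DESC
LIMIT 25;
```

A high distinct_paths count alongside a high error_pct is the signature of a wordlist being thrown at the server. Once you have a suspicious c_ip, flip the logic and look at its sc_status = 200 rows: those are the paths the scanner actually found.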
That concludes this basic tutorial on lnav. There are many more features that lnav offers:
- :filter-expr for filtering the main view by SQL expression
- Analysing files on remote hosts over SSH
- Searching logs for a given string (press / and start typing)
- Too many others to list here
Check out the full documentation here: https://docs.lnav.org/