
I want to follow the word BLOCK in the ufw.log file every two seconds.

I try this command:

sudo watch BLOCK /var/log/ufw.log

but I get: sh: 1: BLOCK: not found

What is the right command?

Thank you


Edit

Following this command, tail -f /var/log/ufw.log | grep BLOCK, this is the output:

[ 6951.750905] [UFW BLOCK] IN=eth0 OUT= MAC=xxxx SRC=88.99.100.01 DST=180.20.40.11 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=26663 DF PROTO=TCP SPT=59501 DPT=21 WINDOW=8192 RES=0x00 SYN URGP=0

How do I filter the output to show only the SRC=«ip_address» field?

So that the output is only: SRC=88.99.100.01

  • Maybe you could tell us what you expect the watch command to do there, because a quick look at the manpage suggests it does something entirely different than what you're probably expecting. – Shadur-don't-feed-the-AI Jul 23 '16 at 17:48
  • I want to look at this file, ufw.log, every two seconds, and when a new line with the word BLOCK is created, display it on the screen. – victor212 Jul 23 '16 at 17:56
  • Try tail -f /var/log/ufw.log | grep BLOCK – Shadur-don't-feed-the-AI Jul 23 '16 at 18:00
  • @Shadur's suggestion is the way to go. You may also need to pass --line-buffered to grep to suppress output buffering. – iruvar Jul 23 '16 at 18:13
  • tail -f … is better, but what you were trying to do was sudo watch grep BLOCK /var/log/ufw.log. You missed out the command; watch takes a command. – ctrl-alt-delor Jul 23 '16 at 21:56
  • Try tail -F /var/log/ufw.log | sed -n -e '/BLOCK/ {s/.*\(SRC=[^ ]*\).*/\1/p}'. Using -F instead of -f tells tail to not only follow the log, but to re-open the tailed filename if it gets rotated (i.e. closed, renamed, and replaced). – cas Jul 24 '16 at 12:53

1 Answer


From the watch manpage:

WATCH(1)

NAME

   watch - execute a program periodically, showing output fullscreen

SYNOPSIS

   watch [options] command

DESCRIPTION

watch runs command repeatedly, displaying its output and errors (the first screenfull). This allows you to watch the program output change over time.

By default, the program is run every 2 seconds.

By default, watch will run until interrupted.


This does not seem to fit at all with whatever you think it may do given the command line you're using. You may be looking for an entirely different command...

EDIT: As per what you added in the comments, what you want could be done with watch, but it's the wrong tool for the job.

tail -f /var/log/ufw.log | grep BLOCK will continually follow the logfile, but only print lines containing 'BLOCK' to the screen, which is closer to what I suspect you want.

Jeff Schaller
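The following script is an added example, not code from the question, the answer or the comments. It combines the two things asked for on this page: following the log for "[UFW BLOCK]" lines (the answer's tail -f | grep) and reducing each such line to its SRC= field (the follow-up in the question and the sed command in cas's comment), and then goes one step further by counting blocked attempts per source address. The sample log lines are constructed for the example; the function names (extract_blocked_src, blocked_sources_from_sample, count_blocked_sources) are this example's own. The sed expression is written without braces so it works in both GNU and BSD sed.

```bash
#!/bin/sh
# Added example (not from the original post): reduce UFW "[UFW BLOCK]" log
# lines to their SRC=<ip> field and count attempts per source address.

# Print only the SRC=<ip> field of lines that contain "UFW BLOCK".
# Reads stdin, so it can be fed by `tail -F /var/log/ufw.log`.
# `-n` suppresses the default print; `p` prints only lines where the
# substitution matched, so AUDIT/ALLOW lines and noise are dropped.
extract_blocked_src() {
    sed -n -e '/UFW BLOCK/s/.*\(SRC=[^ ]*\).*/\1/p'
}

# Constructed sample input (not real traffic): three BLOCK lines from two
# sources, plus one AUDIT line that must be ignored.
SAMPLE_LOG='[ 6951.750905] [UFW BLOCK] IN=eth0 OUT= MAC=xxxx SRC=88.99.100.01 DST=180.20.40.11 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=26663 DF PROTO=TCP SPT=59501 DPT=21 WINDOW=8192 RES=0x00 SYN URGP=0
[ 6952.000000] [UFW AUDIT] IN=eth0 OUT= MAC=xxxx SRC=10.0.0.5 DST=180.20.40.11 LEN=60 PROTO=TCP SPT=40000 DPT=22
[ 6953.123456] [UFW BLOCK] IN=eth0 OUT= MAC=xxxx SRC=203.0.113.7 DST=180.20.40.11 LEN=40 PROTO=TCP SPT=51000 DPT=23
[ 6954.654321] [UFW BLOCK] IN=eth0 OUT= MAC=xxxx SRC=88.99.100.01 DST=180.20.40.11 LEN=48 PROTO=TCP SPT=59502 DPT=22'

# Run the filter over the sample: one "SRC=<ip>" line per blocked packet.
blocked_sources_from_sample() {
    printf '%s\n' "$SAMPLE_LOG" | extract_blocked_src
}

# Aggregate: "<count> SRC=<ip>", busiest source first. The awk step
# normalises the leading spaces that `uniq -c` emits.
count_blocked_sources() {
    printf '%s\n' "$SAMPLE_LOG" | extract_blocked_src \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Demo run over the constructed sample.
blocked_sources_from_sample
count_blocked_sources

# Live use against the real log (ufw.log is normally readable by root only):
#   sudo tail -F /var/log/ufw.log | extract_blocked_src
# -F (not -f) reopens the file after logrotate replaces it. When the output
# goes into a pipe rather than a terminal, sed buffers it; with GNU sed use
# `sed -u` (or `grep --line-buffered` in a grep-based pipeline) so each
# match appears as soon as it is logged.
```

The per-source count is the first thing to look at when the log fills with BLOCK lines: a single address hitting ports 21, 22 and 23 in sequence, as in the sample, is a port scan rather than a misconfigured client, and the output of count_blocked_sources is already in the shape a block list or a fail2ban-style rule wants.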