Home  »  Linux  »  Elite Log File Scrolling with Color Syntax

by 9 comments

Scroll Logs on Alternate Monitor for Server Debugging

Ok peeps, one of the coolest hacks yet. If you have multiple PC's/Monitors at your workstation like I do, it can be helpful to display various information on one screen while you work on another.

This article shows how I continuously scroll the logs for a server/site I am working on, thus saving me a lot of time by providing real-time debugging on a separate screen. Not only does this scroll the latest log entries as they are created, it displays them in color using syntax highlighting to make your logs incredibly easy to understand and parse.

Example Output

The thing to realize is that this output is continuously scrolling on your monitor, and using some cool linux shell tricks you can make it output at a certain speed and show a certain number of lines. Another cool feature is you can display multiple files at the same time, and the filename will be output for each file above the log output.

Colored Apache Server Logs Scrolling Display

What Logs

I've explained in various articles on this site how to create and use various custom log files using .htaccess files and other tricks for non-root users. I use shared hosting all the time too you know... Here are some log files you can generally use if you can use .htaccess files (if you can control .htaccess you can control a binary php-cgi, which could be a shell script thats execs the php binary of your choice with your own environment variables, which is a workaround to getting a custom php.ini, which is how you specify a php error log).

  • php error log
  • mod_security audit log
  • mod_security debug log
  • apache error_log
  • apache access_log

Any log file can be used with this method, actually ANY file containing text can be used with this method, even fifo pipes as we will see in a bit ;)



First you need PCRE - Perl Compatible Regular Expressions, which you can download here. Note that I had to install pcre version 6.7 to get it to work with ccze.


Now you need CCZE, which colorizes and outputs (emulating tail) the log files.

CCZE is a robust and modular log colorizer with plugins for apm, exim, fetchmail, httpd, postfix, procmail, squid, syslog, ulogd, vsftpd, xferlog, and more.

Post-Install Setup

Ok so once you've installed ccze you can start using it right away, or you can continue reading to see how I've set it up for readable scrolling. If the following setup isn't to your taste, you can always just use wtail, a colorless multi-file scroller that uses separate scrolling windows in your terminal similar to the screen program.

Create Logs Folder

First I created a folder called /logs/ for my site, then for all subsequent commands chdir to it.

$ mkdir /web/
$ cd /web/

Create Symlinks to Logs

In the new logs folder I created soft symlinks to all the various log files, not neccessary but makes everything much easier and organized.

$ ln -s /actual/logs/ access.log
$ ln -s /actual/logs/ error.log
$ ln -s /web/ php_error.log
$ ln -s /web/ modsec_audit.log
$ ln -s /web/ modsec_debug.log

Make a fifo Pipe

FIFO stands for first-in-first-out and is a somewhat complex feature of linux/bsd/unix shells that let you send data into it and read the data that comes out of it, just like a pipe.

$ mkfifo pipe

Scrolling the Logs

First cd to the log directory you created.

$ cd /web/

Now we will use the tail program to output 120 lines of each of these log files every half of a second, only displaying changes/new log entries. We send that output into the fifo pipe we created using shell redirection and then instruct the command to run in the background using the ampersand to access built-in (bash/sh) job control.

$ tail -s .5 -n 120 -f access.log php_error.log error.log modsec_audit.log >pipe &

Displaying the Colorized Scrolling Output

So every .5 seconds the tail command outputs any new log entries from those files into the fifo pipe, so now we need to use the ccze program to use the fifo pipe as its input log file. Normally you run ccze like the cat command and it just outputs the input colorized, by using tail and a fifo pipe we are able to make this awesome trick work.

To current TTY

$ ccze 

To any TTY

$ ccze < pipe >/dev/pts/2 &

Save All Colored Output

This appends the colorized output to the file in the CWD, super.log

$ ccze -A 

Kill the Scrolling

Immediately kills any processes used by tail and ccze.

$ pkill -9 ccze|tail

Going Further. Hackers only.

Here are some other examples of using ccze with fifo pipes, more as an excercise than anything practical as most lines don't work, I just grabbed them from my shell history file.

tail -f access.log >pipe & ccze /dev/pts/2
tail -f access.log >pipe & ccze /dev/pts/2 &

exec 3<> pipe; while ccze >/dev/pts/2 <&3; do tail -f access.log >pipe; done; exec 3>&-
exec 3<> pipe; ccze <&3 >/dev/pts/2 & ; tail -f access.log >pipe; exec 3>&-
exec 3<> pipe; ccze <&3 >/dev/pts/2 & ; tail -f access.log >pipe
exec 3<> pipe; ccze <&3 >/dev/pts/2 & tail -f access.log >pipe
ccze <&3 >/dev/pts/2 &
ccze 0<&3 |tee -a super.log > /dev/pts/2 &
ccze <&3 |tee -a super.log > /dev/pts/2 &
ccze pipe &
ccze | tee -a /dev/pts/2 /dev/pts/2
ccze <|tee -a /dev/pts/2 pipe >/dev/pts/2
ccze > tee -a super.log >/dev/pts/2
cat >/dev/pts/2 &

tail -fq access.log | ccze  &>/dev/pts/1
tail -qf access.log |ccze &>/dev/pts/1 &
tail -f access.log | ccze > $SSH_TTY

( ccze > /dev/pts/2 ) /dev/pts/2 ) /dev/pts/2 ) /dev/pts/2 ) /dev/pts/2 & tail -f access.log >pipe
ccze   /dev/pts/2 & tail -f access.log >pipe
ccze  < pipe > /dev/pts/2 & tail -f access.log >pipe
ccze < pipe >/dev/pts/2 & tail -f access.log >pipe
ccze < pipe >/dev/pts/2 & tail -f access.log >pipe &
ccze < pipe >/dev/pts/2 & tail -n 40 -s 2 -f error.log modsec_audit.log php_error.log  >pipe &
ccze < pipe >| tee -a super.log | >/dev/pts/2 & tail -n 80 -s 1 -f error.log modsec_audit.log php_error.log  >pipe &
ccze < pipe >/dev/pts/2 & tail -n 100 -s 1 -f error.log modsec_audit.log php_error.log >pipe &
ccze < pipe >/dev/pts/2 & tail -n 100 -s 1 -f error.log modsec_audit.log php_error.log >pipe &

tail -f access.log | ccze > pipe & /dev/pts/2/ pipe & /dev/pts/2

Shell Script

I also hacked together a little shell script that you may wish to hack to your needs. Its actually pretty sweet if you can figure it out.

#!/bin/bash -l
set -o xtrace
renice -p $$ 15

pkill -9 tee|ccze &>/dev/null || echo -n
disown -a &>/dev/null || echo

[[ -r "~/pipe" ]] && rm -rf ~/pipe

mkfifo ~/pipe

cd /web/

[[ -r "superlog.log" ]] && echo "Found old logfile, moving." && mv superlog.log `command ls|wc -l`-superlog.log

ccze <$HOME/pipe > $SSH_TTY & tail -n 150 -s .5 -f  php_error.log error.log modsec_audit.log >$HOME/pipe &
disown %2; && disown %3;

disown -a

sleep 60 &
disown $! || disown %1

for i in `seq 1 4`;do echo -n $'a'; sleep 1;done
kill -9 $J1
kill -9 $J2

exit 0


August 10th, 2008

Comments Welcome

  • insistkool

    Neat hack, thanks for introducing ccze. Cool tool.

  • Brie

    This is way cool...You have some seriously awesome content here. This reminds me of Splunk, a little.

    Nice work!!


  • ohcibi

    Great article!! 8-)

    But I have a question: What exactly is the use of the pipe in the basic example? I just piped the output of tail directly to ccze and it worked as well?

    tail -s .5 -n 120 -f apache.error_log php.log | ccze

  • Alam

    You should see this, GoAccess Superb Live log parser. It has ability to parse 80K lines per second. Please write review on this.


  • AskApache

    Which Splunk?

  • AskApache

    Just geeking out ;p

  • AskApache

    Tail is the primary way to use it, good point. The original reason I wanted to use a FIFO pile was so that I could filter the logs using sed or grep for say a specific IP address or level of error, etc. I rarely actually use ccze wth FIFO pipes, I find simple alias commands and functions using select are more flexible.

    • AskApache

      Another reason is that you could start and stop many different tail commands that all point to a FIFO file, which would let you change the input sent to the running ccze process so you could have ccze continue sending the colored output to the tty (ssh/FireWire/serial) to a dedicated monitor/tmux session, so ccze could continue running uninterrupted, while maintaining full control over the input.

  • Daniel Sandman

    I prefer Colout over CCZE..

Related Articles

My Online Tools
Popular Articles

Hacking and Hackers

The use of "hacker" to mean "security breaker" is a confusion on the part of the mass media. We hackers refuse to recognize that meaning, and continue using the word to mean someone who loves to program, someone who enjoys playful cleverness, or the combination of the two. See my article, On Hacking.
-- Richard M. Stallman


It's very simple - you read the protocol and write the code. -Bill Joy

Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution 3.0 License, just credit with a link.
This site is not supported or endorsed by The Apache Software Foundation (ASF). All software and documentation produced by The ASF is licensed. "Apache" is a trademark of The ASF. NCSA HTTPd.
UNIX ® is a registered Trademark of The Open Group. POSIX ® is a registered Trademark of The IEEE.

+Askapache | askapache

Site Map | Contact Webmaster | License and Disclaimer | Terms of Service

↑ TOPMain