Skip to main content

Live monitoring file and directory contents in Linux terminals

devops
Discover various techniques for real-time monitoring of files and directories in Linux terminal environments, from basic built-in tools to advanced utilities.

Modern system administration and development workflows often require monitoring files and directories in real-time. Whether you're watching log files for errors, monitoring configuration changes, or observing directory activity, Linux provides numerous ways to keep an eye on your filesystem as it changes. This article explores various methods for live-viewing file and directory contents in the terminal, ranging from simple built-in commands to more specialised utilities.

Prerequisites

This article assumes:

  • Intermediate familiarity with Linux command line
  • Basic understanding of file operations and permissions
  • Access to a Linux terminal environment

Most tools discussed are available by default in common Linux distributions, though some may require installation through your package manager.

Using watch for periodic updates

The watch command provides a straightforward way to execute a command repeatedly and display its output, effectively creating a live view that refreshes at regular intervals.

# Basic syntax
watch [options] command

# Example: Watch directory contents update every 2 seconds (default)
watch ls -la

# Example: Custom refresh interval (0.5 seconds)
watch -n 0.5 ls -la

The -n flag specifies the refresh interval in seconds, which can include decimal values for sub-second refreshes. The watch command clears the screen before each execution, maintaining a clean display.

Tip

Use the `-d` or `--differences` flag to highlight changes between updates: 
watch -d ls -la

For more pronounced highlighting, use -d=cumulative to highlight all changes since the first execution:

watch -d=cumulative ls -la

</div>

While watch is versatile, it's important to note that it doesn't provide true real-time monitoring—it simply executes the command at regular intervals.

Monitoring file content with tail -f

For tracking changes to files in real-time, particularly log files, tail -f is the classic solution:

# Follow a single file
tail -f /var/log/syslog

# Follow multiple files simultaneously
tail -f /var/log/syslog /var/log/auth.log

# Show last 100 lines and then follow updates
tail -n 100 -f /var/log/apache2/access.log

The -f flag ("follow") instructs tail to continue displaying new content as it's appended to the file. This is particularly useful for monitoring logs during debugging or system administration tasks.

Note

If a file is rotated or recreated (common with log files), `tail -f` might not detect the new file. For such cases, use `tail -F` (uppercase F), which will check if the file has been renamed and automatically follow the new file.

Using less +F for interactive following

While tail -f is excellent for continuous monitoring, sometimes you need to pause, search, or navigate through the file. The less command with the +F option provides this flexibility:

# Start less in follow mode
less +F /var/log/syslog

In this mode, less acts like tail -f, but with the full power of less navigation available:

  • Press Ctrl+C to stop following and enter normal less mode
  • Navigate, search, and examine the file content
  • Press F to resume following

This approach combines the benefits of real-time monitoring with interactive file navigation.

Monitoring directory changes with inotifywait

For true real-time monitoring of file or directory changes, inotifywait from the inotify-tools package offers fine-grained control:

# Install inotify-tools (Debian/Ubuntu)
sudo apt-get install inotify-tools

# Basic monitoring of all events in a directory
inotifywait -m /path/to/directory

# Monitor specific events only
inotifywait -m -e modify,create,delete /path/to/directory

# Monitor recursively
inotifywait -m -r /path/to/directory

The -m flag puts inotifywait in monitor mode, continuously watching for events rather than exiting after the first one. The -e flag specifies which events to monitor, and -r enables recursive monitoring of subdirectories.

Important

The `inotify-tools` package is not installed by default on most systems and must be installed via your distribution's package manager:
  • Debian/Ubuntu: sudo apt-get install inotify-tools
  • Fedora/RHEL: sudo dnf install inotify-tools
  • Arch Linux: sudo pacman -S inotify-tools

A powerful application of inotifywait is to trigger actions when files change:

# Example: Run tests whenever a Python file changes
while inotifywait -e modify -r --include="\.py$" ./src; do
    python -m pytest
done

Specialised file watching with entr

The entr utility offers another approach to monitoring files and running commands when they change:

# Install entr (Debian/Ubuntu)
sudo apt-get install entr

# Basic usage: run a command when any listed file changes
ls *.py | entr python -m pytest

# Restart long-running process when files change
ls *.py | entr -r python app.py

# Clear screen before each execution
ls *.py | entr -c python -m pytest

The -r flag is particularly useful for restarting long-running processes like web servers during development. The -c flag clears the screen before each execution.

Tip

Combine `find` with `entr` for more complex file selection: 
# Watch all Python files in the current directory and subdirectories
find . -name "*.py" | entr python -m pytest

</div>

Real-time disk usage with dstat or iotop

For monitoring disk activity rather than file content, utilities like dstat or iotop provide valuable insights:

# Install dstat (Debian/Ubuntu)
sudo apt-get install dstat

# Monitor disk read/write operations
dstat -d

# Install iotop (Debian/Ubuntu)
sudo apt-get install iotop

# Monitor disk I/O by process
sudo iotop

These tools are particularly useful when troubleshooting performance issues or monitoring I/O-intensive operations.

Advanced log monitoring with multitail

For monitoring multiple log files simultaneously with advanced features, multitail is an exceptional tool:

# Install multitail (Debian/Ubuntu)
sudo apt-get install multitail

# Monitor multiple files in split windows
multitail /var/log/syslog /var/log/auth.log

# Display files side by side
multitail -s 2 /var/log/syslog /var/log/auth.log

# Apply colour highlighting based on patterns
multitail -cS apache /var/log/apache2/access.log

multitail offers numerous features including regex-based highlighting, multiple window layouts, filtering, and merging of multiple sources.

Building custom monitoring with tmux or screen

Terminal multiplexers like tmux or screen can be leveraged to create custom monitoring dashboards:

# Example tmux setup for monitoring
tmux new-session -d -s monitor
tmux split-window -v
tmux split-window -h
tmux select-pane -t 0
tmux send-keys "tail -f /var/log/syslog" C-m
tmux select-pane -t 1
tmux send-keys "watch -d ls -la /tmp" C-m
tmux select-pane -t 2
tmux send-keys "dstat -cdngy 1" C-m
tmux attach-session -t monitor

This script creates a three-pane monitoring setup with a log file, directory listing, and system stats all visible simultaneously.

Continuous directory listings with looping

For a simpler approach without additional tools, a basic loop in Bash can provide continuous updates:

# Continuously update directory listing
while true; do
    clear
    ls -la
    sleep 1
done

This technique works with any command and can be easily customised to your needs:

# Monitor with timestamp
while true; do
    clear
    date +"%H:%M:%S"
    ls -la | grep -v "^total"
    sleep 1
done

Combining tools for custom solutions

The most powerful monitoring solutions often combine multiple techniques:

# Example: Log monitoring script that highlights errors and saves to file
#!/bin/bash
log_file="/var/log/apache2/error.log"

# Create a named pipe for processing
mkfifo /tmp/logpipe
tail -f "$log_file" > /tmp/logpipe &

# Process the log with highlighting and save to file
cat /tmp/logpipe | tee -a ~/apache_errors.log | grep --color=always -E 'ERROR|CRITICAL|$'

# Clean up on exit
trap "rm /tmp/logpipe; kill $!" EXIT

This script demonstrates combining tail -f with pipes, grep for highlighting, and tee for saving output.

Practical use cases

Understanding when to use each tool is as important as knowing how they work:

Tool Best for Limitations
watch Simple periodic updates, command outputs Not true real-time, resource overhead
tail -f Log files, continuous monitoring Limited interaction, single view
less +F Interactive file monitoring Single file at a time
inotifywait Triggering actions, filesystem events Requires installation, complex syntax
entr Development workflows, running tests Less common in standard installations
multitail Complex log monitoring, multiple files Steeper learning curve
tmux/screen Custom dashboards, persistent sessions Initial setup complexity

Final thoughts

Live monitoring in Linux terminals offers a powerful way to maintain awareness of system activities without the overhead of graphical interfaces. Whether you're monitoring logs during deployment, watching for file changes during development, or keeping an eye on system resources, these tools provide the visibility needed for effective system administration and development work.

For the best experience, start with simpler tools like watch and tail -f, then progress to more specialised utilities as your monitoring needs grow more complex. By mastering these techniques, you'll gain deeper insights into system behaviour and develop more efficient workflows for managing and troubleshooting Linux systems.