WATCH - Command Examples

From IT-Arts.net



Common watch Command Use Cases

Monitor Command Output at Regular Intervals

To run a command at regular intervals (default: every 2 seconds) and display the output:

watch df -h

This command runs `df -h` every 2 seconds, showing disk usage in human-readable format.

Monitor a Specific File for Changes

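To monitor a file's attributes, such as its size or modification time, for changes:

watch ls -l /var/log/syslog

This command runs `ls -l` on the specified file (`/var/log/syslog`) every 2 seconds, displaying its size, permissions, owner, and modification time. It does not show the file's content; changes appear as a different size or timestamp.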

Change the Interval Between Command Executions

To change the default 2-second interval between executions:

watch -n 5 df -h

This runs `df -h` every 5 seconds instead of the default 2-second interval.

Monitor Multiple Commands Simultaneously

To execute multiple commands in sequence and monitor their output:

watch 'date; uptime; free -h'

This command runs `date`, `uptime`, and `free -h` sequentially every 2 seconds, showing the current time, system uptime, and memory usage.

Run a Command Once and Exit after a Period

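To run a command only for a specified duration and then exit, wrap `watch` in `timeout` (GNU coreutils), because `watch` itself has no option to stop after a fixed time:

timeout --foreground 10 watch -t -n 10 df -h

Here `-n 10` sets a 10-second interval and `-t` hides the header, so `watch` runs `df -h` once and `timeout` ends it after a total of 10 seconds. The `--foreground` option lets `watch` keep control of the terminal while `timeout` supervises it. Without `timeout`, `watch` keeps running until it is interrupted with Ctrl+C.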

Highlight Changes in Command Output

To highlight the differences between successive outputs:

watch -d df -h

The `-d` option highlights the differences in the output between each execution, making it easy to track changes.

Monitor File System Usage with Specific Criteria

To check for file system usage and highlight any changes in real-time:

watch -d 'df -h | grep /dev/sda1'

This runs `df -h` but keeps only the line for the file system on the device `/dev/sda1`, highlighting any changes.

Advanced watch Command Options

Watch for Output of a Command with Color

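To display the output with color support (if supported by the command):

watch -c ls --color=always

The `-c` option makes `watch` interpret ANSI color sequences instead of printing them as raw escape codes. The command must be told to emit color unconditionally (`--color=always`), because `watch` captures its output through a pipe and `ls --color=auto` only colors output written directly to a terminal.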

Customize the Watch Header

To disable the header (which shows the interval, the command being executed, and the current time):

watch -t df -h

The `-t` option disables the default header in the output, showing only the results of the command.

Use watch with Complex Commands or Scripts

To execute and watch complex shell commands or scripts:

watch 'echo "Disk space:"; df -h'

This command executes a more complex script or series of commands, displaying both text (`Disk space:`) and command output.

Monitor System Processes or Specific Process Information

To monitor the output of process-related commands:

watch -n 1 'ps aux | grep apache2'

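This runs `ps aux | grep apache2` every second to monitor the `apache2` processes. The `grep` command itself also appears in the output, because its own command line contains `apache2`.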

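Watch System Resource Usage with vmstat

To monitor resource usage as a compact table of process, memory, swap, I/O, and CPU counters:

watch -n 1 'vmstat 1 2'

`vmstat 1 2` prints two samples one second apart and then exits: the first line shows averages since boot and the second shows activity during the last second. The command given to `watch` must terminate, so a bare `vmstat 1`, which never exits, would leave `watch` waiting without ever refreshing the screen.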

Security Concepts

Monitoring System Resources for Security Threats

The `watch` command can be used to monitor system resources, such as CPU, memory, and disk usage, which is useful for detecting unusual activity indicative of a security breach.

For example, checking for high memory usage can help detect potential DDoS attacks or resource exhaustion:

watch free -h

This command monitors memory usage in real-time, helping identify unusual consumption patterns that might indicate a security issue.

Monitoring Running Processes for Malicious Activity

By monitoring running processes, you can identify any unusual or unauthorized processes that might indicate a system compromise. For instance, watching the output of `ps aux` can reveal suspicious processes.

Example:

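watch 'ps -U root -u root u'

This command continuously lists processes running under the `root` user (real or effective ID), which is useful for detecting unauthorized escalations. Selecting by user with `ps` avoids the false matches of `grep root`, which would also match any line that merely contains the string `root`. A rootkit that hides its processes from `ps` will not appear in this output, so treat the list as one signal rather than proof of a clean system.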

Monitor Changes in Log Files for Security Events

You can use `watch` to monitor log files for suspicious activity. For instance, monitoring `/var/log/auth.log` for failed login attempts:

watch 'tail -n 50 /var/log/auth.log | grep "Failed password"'

This continuously watches the `auth.log` file for failed SSH login attempts, helping to identify brute force attacks.
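
The raw list of matching lines gets hard to read during a burst of attempts. As an added example (not part of the original page), the script below counts failed attempts per source address so that `watch -d` highlights the addresses whose counts are rising. The names `failed_by_ip` and `sample_log`, the threshold, and the sample log lines are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not from the original page. failed_by_ip and sample_log are
# hypothetical names; the log lines below are constructed.

# failed_by_ip FILE [MIN]: print "COUNT ADDRESS" for each source address with
# at least MIN failed sshd password attempts (default 3), highest count first.
# FILE may be "-" to read standard input.
failed_by_ip() {
    awk -v min="${2:-3}" '
        /sshd\[[0-9]+\]: Failed password for / {
            # The user name is chosen by the remote client and may contain
            # spaces, so locate the address by scanning from the right for
            # the last "from" instead of relying on a fixed field number.
            for (i = NF; i > 1; i--)
                if ($(i - 1) == "from") { count[$i]++; break }
        }
        END {
            for (ip in count)
                if (count[ip] >= min) print count[ip], ip
        }
    ' "${1:--}" | sort -k1,1nr -k2,2
}

# Constructed sample in auth.log format, using documentation address ranges.
sample_log() {
    cat <<'EOF'
Jan 10 12:00:01 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 40001 ssh2
Jan 10 12:00:03 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 40001 ssh2
Jan 10 12:00:05 web1 sshd[2104]: Failed password for invalid user backup admin from 203.0.113.7 port 40003 ssh2
Jan 10 12:00:07 web1 sshd[2107]: Failed password for invalid user test from 203.0.113.7 port 40005 ssh2
Jan 10 12:00:09 web1 sshd[2110]: Failed password for alice from 198.51.100.23 port 51122 ssh2
Jan 10 12:00:11 web1 sshd[2113]: Accepted password for alice from 192.0.2.10 port 51200 ssh2
Jan 10 12:00:12 web1 CRON[2120]: pam_unix(cron:session): session opened for user root
EOF
}

# Demo run on the constructed sample. For live use, replace this line with
#   failed_by_ip /var/log/auth.log 3
# and run the saved script under watch, e.g. watch -n 5 -d sh ./failed_by_ip.sh
sample_log | failed_by_ip - 3
```

Reading `/var/log/auth.log` normally requires root or membership in the log-reading group of the distribution, so the `watch` session has to run with matching privileges.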

Real-Time Monitoring of Security Tools

`watch` can be used to monitor outputs from security tools like `snort`, `fail2ban`, or `suricata` to track active security measures on the system.

For example:

watch 'fail2ban-client status sshd'

This command shows the status of the `fail2ban` jail named `sshd`, including the number of failed attempts and the IP addresses that are currently banned.