Last updated on: 2021-07-23
Authored by: Coral Moore
This article introduces some tools, especially
grep, a Linux® command-line
tool that you can use to search directories or files that match specified
grep searches the named input files (or standard input if you don’t
specify a file or use a single hyphen (-) as the filename)
for lines containing a match to the given pattern. By default,
grep prints the matching lines.
Search a file, directory, or output for something specific, similar to Ctrl + f in Windows®. Use this function to target exactly what you need.
Often, the easiest way to show how a command works is with examples.
You can see all users in the /etc/passwd file with the following command:
# cat /etc/passwd
rack:x:1001:1001::/home/rack:/bin/bash
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
mysql:x:27:27:MariaDB Server:/var/lib/mysql:/sbin/nologin
sher:x:1002:1002::/home/sher:/bin/bash
With grep, you can narrow down that list to find a single user.
Find a specific user:
List the users but filter the output showing only the line with sher in it.
# cat /etc/passwd | grep 'sher'
sher:x:1002:1002::/home/sher:/bin/bash
Or, find the same user with a single command:
# grep 'sher' /etc/passwd
sher:x:1002:1002::/home/sher:/bin/bash
In the following example, find all users with bash access:
# grep 'bash' /etc/passwd
rack:x:1001:1001::/home/rack:/bin/bash
sher:x:1002:1002::/home/sher:/bin/bash
Like most Linux commands,
grep uses flags, usually one or more
letters preceded by one or more dashes, to add extra functionality.
-v: Show everything that does not include the specified
# grep -v 'nologin' /etc/passwd
rack:x:1001:1001::/home/rack:/bin/bash
sher:x:1002:1002::/home/sher:/bin/bash
-i: Show matches, ignoring the case, which is useful when
you don’t know exactly what you need:
# grep -i 'SHER' /etc/passwd
sher:x:1002:1002::/home/sher:/bin/bash
Search for multiple patterns
grep uses the pipe symbol (|) to mean or allowing you to search
for more than one thing at a time. Use one of the following methods
to search for several things at once:
\: Escapes the next character, a pipe (|) allowing it to work as or:
# grep 'sher\|rack' /etc/passwd
rack:x:1001:1001::/home/rack:/bin/bash
sher:x:1002:1002::/home/sher:/bin/bash
-E: Interprets special characters, such as | as or:
# grep -E 'sher|rack' /etc/passwd
rack:x:1001:1001::/home/rack:/bin/bash
sher:x:1002:1002::/home/sher:/bin/bash
The egrep command does the same thing:
# egrep 'sher|rack' /etc/passwd
rack:x:1001:1001::/home/rack:/bin/bash
sher:x:1002:1002::/home/sher:/bin/bash
You can use various flags in combination to refine a search.
The following example shows all users who aren’t sher or rack, regardless of the case of the pattern or file content:
# egrep -vi 'SHER|RACK' /etc/passwd
The following sections cover other uses for
grep and introduce other useful commands.
In Linux, you comment out lines by adding the pound symbol (#) at the beginning of the line. This way, you can add your own notes, and scripts or programs ignore the comments and do not execute those lines.
To display files ignoring those comments, use the following command:
# grep -v ^'#' /file
You can even run a grep on top of another grep.
For example, list a file ignoring commented lines, and then look for something specific:
# grep -v ^'#' /file | grep 'hello'
Most Linux systems keep a log of executed commands, which you can access with
history. When you combine history with grep, you can very
effectively investigate what has been run on your system so far.
passwd commands run and other commands containing the
# history | grep 'passwd'
Find commands run on a specific day:
# history | grep '2021-05-10'
Check which commands ran at a specific time:
# history | grep '2021-05-10 11:00:'
Check ports and root login
List the web traffic running on ports 80 and 443:
# netstat -plnt | egrep '80|443'
You can use ^ in a
grep command to show only those lines
starting with your search pattern.
For example, run the following command to check whether the system allows root logins:
# grep ^'Permit' /etc/ssh/sshd_config
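The two checks above with tighter patterns, as an added example that is not part of the original article; the netstat and sshd_config contents are constructed samples and the function names are hypothetical. It shows that '80|443' also matches port 8080 and PID 4431, and that a case-sensitive ^'Permit' misses a lowercase permitrootlogin line, even though sshd treats keywords case-insensitively and uses the first value it reads.

```shell
# Constructed sample data, not taken from a real host.
netstat_sample() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address   Foreign Address State  PID/Program name
tcp   0      0      0.0.0.0:80      0.0.0.0:*       LISTEN 1380/httpd
tcp   0      0      0.0.0.0:443     0.0.0.0:*       LISTEN 1380/httpd
tcp   0      0      127.0.0.1:8080  0.0.0.0:*       LISTEN 2210/java
tcp   0      0      0.0.0.0:22      0.0.0.0:*       LISTEN 4431/sshd
EOF
}

sshd_sample() {
cat <<'EOF'
#PermitRootLogin yes
permitrootlogin no
PermitEmptyPasswords no
PermitRootLogin yes
EOF
}

# Pattern from the article: also counts port 8080 and PID 4431.
loose_port_matches() { netstat_sample | grep -cE '80|443'; }

# Require ":" before the port number and whitespace after it.
strict_port_matches() { netstat_sample | grep -cE ':(80|443)[[:space:]]'; }

# Pattern from the article: case-sensitive, so "permitrootlogin" is missed.
article_permit_lines() { sshd_sample | grep ^'Permit'; }

# Match the keyword in any case, skip commented lines, and keep only the
# first hit (sed 1q), because sshd uses the first value it obtains.
root_login_setting() {
    sshd_sample | grep -iE '^[[:space:]]*PermitRootLogin[[:space:]]' | sed 1q
}

echo "loose: $(loose_port_matches)  strict: $(strict_port_matches)"
echo "effective: $(root_login_setting)"
```

On a live host, sshd -T prints the effective configuration, which also accounts for defaults and included files.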
Search logs with head and tail
Use head to show the first ten lines of the login attempts log:
# head /var/log/secure
Use tail to show the lines at the end of the login attempts log:
# tail /var/log/secure
Use the last command to show the first ten lines of the most recent logins:
# last | head -10
Use tail -f to watch a file grow in real time. For example, you can see
the most recent login attempts and watch ongoing attempts. If someone tries to
log in, you can see it as it happens with the following command:
# tail -f /var/log/secure
Press Ctrl + C to exit.
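Combining grep with the login attempts log to summarize failed logins by source address, as an added example that is not part of the original article; the log lines are constructed in the usual sshd message layout and the function names are hypothetical.

```shell
# Constructed sample lines in the style of /var/log/secure.
secure_sample() {
cat <<'EOF'
May 10 11:00:01 web01 sshd[2101]: Failed password for root from 203.0.113.7 port 51234 ssh2
May 10 11:00:03 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
May 10 11:00:09 web01 sshd[2140]: Accepted password for sher from 198.51.100.20 port 40022 ssh2
May 10 11:01:15 web01 sshd[2177]: Failed password for rack from 192.0.2.44 port 39811 ssh2
May 10 11:01:20 web01 sshd[2101]: Failed password for root from 203.0.113.7 port 51240 ssh2
EOF
}

# Keep only failed attempts, extract "from <address>" with -o,
# then count the attempts per address, highest first.
failed_by_source() {
    secure_sample \
        | grep 'Failed password' \
        | grep -oE 'from [0-9.]+' \
        | sed 's/^from //' \
        | sort | uniq -c | sort -rn \
        | sed 's/^ *//'
}

# Count failed attempts that targeted the root account.
failed_root_count() {
    secure_sample | grep -c 'Failed password for root '
}

failed_by_source
echo "failed root attempts: $(failed_root_count)"
```

To run it against the real log, replace secure_sample with cat /var/log/secure.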
You can experiment with your newfound skills by using the tools in this section.
vim or nano
vim and nano are the most common text editors in Linux.
You can use them to edit a file, similar to using Notepad in Windows.
Open up and create a new file, test:
# vim /test
|To start typing new content:||Prepare to insert text|
|To exit without saving:|Esc|Escape insert mode and quit|
|To exit and save:|Esc|Escape insert mode, write, and quit|
echo is a simple command that tells Linux to repeat what you just typed.
This is effective for testing
grep commands without first creating a new file.
For example, make hello display:
# echo 'hello'
hello
Display hello and search for the middle letters:
# echo 'hello' | grep 'ell'
hello
You can even use echo to display multiple lines by using \n to
add new lines.
Display hi and ho on separate lines:
# echo -e 'hi\nho'
hi
ho
Display hi and ho on separate lines and search for hi:
# echo -e 'hi\nho' | grep 'hi'
hi
sed has many uses, but you primarily use this command to
search for and replace specified content. Here are some basic examples of how
to single out specific lines:
Use vim to create a file:
# vim /test
When the editor opens, enter the following lines:
1 Hi
2 How
3 Are
4 You
Display the new file:
# cat test
1 Hi
2 How
3 Are
4 You
Use sed to return everything except the first line:
# sed 1d test
2 How
3 Are
4 You
Return only the first line:
# sed 1q test
# sed '1!d' test
1 Hi
Return only the second to fourth lines:
# sed '2,4!d' test
2 How
3 Are
4 You
There are many other tools that you can use, such as
and so on. Now that you know how to create a file by using
echo, you can
experiment more effectively with them.