
30 Powerful Linux Command Combos for System Monitoring, Log Analysis & Security

This guide presents 30 practical Linux command combinations organized into six high‑frequency scenarios—system monitoring, log analysis, file management, process control, network troubleshooting, and security auditing—each with clear explanations, real‑world examples, and cautionary notes to help administrators quickly diagnose and resolve common operational issues.

ITPUB

System Monitoring & Resource Inspection

Quick resource status – CPU, memory, root partition:

top -b -n 1 | grep Cpu | awk '{print "CPU usage (user):"$2"%"}' && free -h | grep Mem | awk '{print "Memory usage:"$3"/"$2"("$7" available)"}' && df -h | grep ' /$' | awk '{print "Root partition usage:"$5"("$4" free)"}'

In top's summary line $2 is the user-space CPU percentage, and column 7 of free is "available" memory. To report a different filesystem, replace the grep ' /$' pattern with that filesystem's mount point.

Top CPU‑consuming processes:

ps -eo pid,ppid,%cpu,%mem,cmd --sort=-%cpu | head -10

Use --sort=-%mem to sort by memory usage instead of CPU.

Find large files (default >100 MiB):

find / -type f -size +100M -print0 2>/dev/null | xargs -0 -r du -sh | sort -hr

Replace +100M with +1G for a 1 GiB threshold.

Log Analysis & Data Extraction

Count error lines for a specific day (e.g., Nginx 500 errors on 2025‑09‑08):

grep -i "error" /var/log/nginx/error.log | grep -c "2025/09/08"

Nginx writes error.log timestamps as YYYY/MM/DD by default; adjust the date pattern if the log uses a different format (e.g., "08/Sep/2025").

Top 10 IP‑URL pairs causing 500 errors:

awk '$9 == 500 {print $1, $7}' /var/log/nginx/access.log | sort | uniq -c | sort -nr | head -10

Verify that $1, $7 and $9 correspond to IP, URL and status in your Nginx log format.
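The following added example (not from the original article) runs both a substring match on "500" and a match on the status field over constructed log lines, to show how a substring match inflates the count. It assumes Nginx's default "combined" log format; the function names and sample lines are made up for illustration.

```shell
#!/bin/sh
# Constructed access-log lines in Nginx's default "combined" format.
sample_access_log() {
    cat <<'EOF'
203.0.113.5 - - [08/Sep/2025:10:00:01 +0000] "GET /api/orders HTTP/1.1" 500 312 "-" "curl/8.0"
203.0.113.5 - - [08/Sep/2025:10:00:02 +0000] "GET /api/orders HTTP/1.1" 500 312 "-" "curl/8.0"
198.51.100.7 - - [08/Sep/2025:10:00:03 +0000] "GET /img/500px.png HTTP/1.1" 200 8841 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Sep/2025:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 1500 "-" "Mozilla/5.0"
192.0.2.44 - - [08/Sep/2025:10:00:05 +0000] "POST /login HTTP/1.1" 500 97 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Sep/2025:10:00:06 +0000] "GET /missing HTTP/1.1" 404 162 "-" "Mozilla/5.0"
EOF
}

# Substring match: counts every line that contains "500" anywhere
# (URL "/img/500px.png" and body size 1500 are counted too).
count_substring_500() {
    grep -c "500"
}

# Field match: counts only lines whose status field ($9) is 500.
count_status_500() {
    awk '$9 == 500' | wc -l | tr -d ' '
}

# Top client/URL pairs for genuine 500 responses, busiest first.
top_500_pairs() {
    awk '$9 == 500 {print $1, $7}' | sort | uniq -c | sort -nr | head -10
}

echo "lines containing 500: $(sample_access_log | count_substring_500)"
echo "lines with status 500: $(sample_access_log | count_status_500)"
sample_access_log | top_500_pairs
```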

Real‑time SSH login monitoring:

tail -f /var/log/messages | grep --line-buffered "ssh" | awk '/Accepted/ {print "Successful login: "$0} /Failed/ {print "Login failure: "$0}'

On some distributions the SSH log file is /var/log/secure instead of /var/log/messages.
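As a batch counterpart to the live tail above, this added example (not from the original article) summarises failed SSH logins per source IP and flags addresses that logged in successfully after repeated failures. The log lines are constructed, and the function names and the failure threshold are assumptions chosen for illustration.

```shell
#!/bin/sh
# Constructed sshd log lines (documentation IP ranges, made-up host name).
sample_auth_log() {
    cat <<'EOF'
Sep  8 10:01:11 web01 sshd[2211]: Failed password for root from 203.0.113.9 port 50122 ssh2
Sep  8 10:01:13 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.9 port 50124 ssh2
Sep  8 10:01:15 web01 sshd[2213]: Failed password for invalid user from from 203.0.113.9 port 50126 ssh2
Sep  8 10:02:40 web01 sshd[2250]: Accepted publickey for deploy from 198.51.100.20 port 41000 ssh2
Sep  8 10:03:02 web01 sshd[2261]: Failed password for deploy from 192.0.2.77 port 40022 ssh2
Sep  8 10:03:30 web01 sshd[2270]: Accepted password for root from 203.0.113.9 port 50130 ssh2
EOF
}

# Failed attempts per source IP, busiest first. The address is the token after
# the LAST "from": the user name comes from the client and may itself be "from".
failed_by_ip() {
    awk '/sshd\[/ && /Failed password/ {
        ip = ""
        for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
        if (ip != "") print ip
    }' | sort | uniq -c | sort -nr
}

# Source IPs with a successful login preceded by at least $1 failures.
# Prints "<ip> <failures seen before the success>".
success_after_failures() {
    awk -v min="$1" '/sshd\[/ {
        ip = ""
        for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
        if (ip == "") next
        if ($0 ~ /Failed password/) fails[ip]++
        else if ($0 ~ /Accepted/ && fails[ip] + 0 >= min + 0) print ip, fails[ip]
    }'
}

sample_auth_log | failed_by_ip
sample_auth_log | success_after_failures 3
```

Against a real log, feed the file in on standard input, for example failed_by_ip < /var/log/secure.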

File Management & Batch Operations

Delete backup files older than 7 days:

find /data/backup -name "*.tar.gz" -mtime +7 -exec rm -f {} \;

Run a dry‑run first with -exec ls -l {} \; to verify the selection.

Append date suffix to daily logs (e.g., access.log.20250908):

for file in /data/logs/*.log; do mv "$file" "$file.$(date +%Y%m%d)"; done

Use $(date +%Y%m%d%H%M) for a timestamp that includes hour and minute.

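Bulk replace an IP address in configuration files:

sed -i 's/old_ip=192\.168\.1\.10\b/old_ip=192.168.1.20/g' /etc/config/*.conf

The escaped dots and the trailing \b (GNU sed) keep the pattern from matching longer addresses such as 192.168.1.100. Test on a single file first (e.g., sed -i.bak ... app.conf) to avoid accidental changes.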

Create a dated tarball while excluding logs:

tar -zcvf /data/backup/app_$(date +%Y%m%d).tar.gz --exclude=/data/app/logs /data/app

Add additional --exclude options to skip other directories.

Transfer backup tarballs to a remote server:

scp -r /data/backup/*.tar.gz [email protected]:/data/remote_backup/

For large files consider rsync -avz to enable resume and compression.

Process & Service Management

Check Nginx status and recent logs:

systemctl status nginx | grep -E "active|inactive|failed" && journalctl -u nginx --since "10 minutes ago" | tail -20

On older systems replace systemctl with service nginx status and inspect /var/log/nginx/error.log.

Force‑kill all Java processes:

ps -ef | grep java | grep -v grep | awk '{print $2}' | xargs kill -9

Use kill -15 for a graceful termination when possible.

Run a script in background with output logging:

nohup /data/app/start.sh > /data/logs/app.log 2>&1 &

Ensure the log directory exists (mkdir -p /data/logs) before launching.

Simple keep‑alive check for a Java jar (use in cron):

pgrep -f "app.jar" || /data/app/start.sh

Combine with the nohup … pattern to capture logs when started from cron.

Network Connection & Fault Diagnosis

Verify that port 8080 is listening:

netstat -tulnp | grep :8080

Install net-tools if netstat is missing.

Test MySQL port connectivity:

telnet 192.168.1.200 3306 || echo "MySQL port not reachable"

If telnet is unavailable, use nc -zv 192.168.1.200 3306.

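Trace route to a remote gateway:

traceroute -n 10.0.0.1 | grep -E "^\s*[0-9]+" | awk '{print "Hop:"$1" IP:"$2" RTT:"$3}'

The -n option prints numeric addresses, so $2 is the hop's IP and $3 its first RTT; without it $2 is the resolved host name. Install traceroute if not present; use -T for TCP‑based probing when ICMP is blocked.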

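Top 10 client IPs on port 80:

ss -ant | awk '$4 ~ /:80$/ {print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | head -10

Matching the local address column ($4) against :80$ avoids counting other ports such as 8080 and outbound connections to a remote port 80. ss is faster than netstat on busy servers.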

Permissions & Security Auditing

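Find world‑writable regular files:

find /data/app -type f -perm -0002 2>/dev/null

-perm -0002 matches every file that has the other‑write bit set (666, 757, 777 and so on), whereas -perm 777 matches only files whose mode is exactly 777. After identification, change permissions (e.g., chmod 644 for data files, chmod 755 for executables).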
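This added example (not from the original article) contrasts an exact-mode test, -perm 777, with a world-write bit test, -perm -0002, on a constructed temporary tree, then removes only the other-write bit. The function names and file modes are chosen for illustration.

```shell
#!/bin/sh
# Build a throwaway tree of constructed files with known modes.
make_demo_tree() {
    dir=$(mktemp -d) || return 1
    for mode in 777 666 646 775 644; do
        : > "$dir/file_$mode"
        chmod "$mode" "$dir/file_$mode"
    done
    printf '%s\n' "$dir"
}

# Count regular files under $1 that match the find -perm expression in $2.
count_perm() {
    find "$1" -type f -perm "$2" 2>/dev/null | wc -l | tr -d ' '
}

# Exact match: only files whose mode is precisely 777.
count_exact_777() { count_perm "$1" 777; }

# Bit test: any file with the other-write bit (0002) set.
count_world_writable() { count_perm "$1" -0002; }

# Clear only the other-write bit; owner, group and execute bits are kept.
remove_world_write() {
    find "$1" -type f -perm -0002 -exec chmod o-w {} +
}

demo_dir=$(make_demo_tree)
echo "exact 777:        $(count_exact_777 "$demo_dir")"
echo "world-writable:   $(count_world_writable "$demo_dir")"
remove_world_write "$demo_dir"
echo "after chmod o-w:  $(count_world_writable "$demo_dir")"
rm -rf "$demo_dir"
```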

Inspect ACL entries on a directory:

getfacl /data/app | grep -E "user:|group:"

Grant additional rights with setfacl -m u:username:rwx /data/app.

List last login times for all users:

lastlog | grep -v "Never logged in"

Use lastlog -u username to query a single user.

Search root bash history for dangerous commands:

grep -E "rm -rf|chmod|chown" /root/.bash_history | tail -20

Enable timestamped history by adding export HISTTIMEFORMAT="%F %T " to /etc/profile and re‑sourcing.

Core principles for building command pipelines

Combine commands as needed; use pipelines (|) to pass output between tools.

Test with safe commands (ls, cat) before executing destructive actions.

Remember key options: -name, -size, -mtime for find; -F, $n for awk.

Leverage faster utilities (ss over netstat, zgrep for compressed logs).
