I. What is xzgrep
https://man.he.net/man1/xzgrep
xzgrep - search compressed files for a regular expression
xzgrep invokes grep(1) on files, which may be either uncompressed or compressed with xz(1), lzma(1), gzip(1), bzip2(1), lzop(1) or zstd(1).
All specified options are passed directly to the grep(1) command.
If no file is specified, standard input is decompressed if necessary and then fed to grep(1). When reading from standard input, gzip(1), bzip2(1), lzop(1) and zstd(1) compressed data is not supported.
If xzgrep is invoked as xzegrep or xzfgrep, egrep(1) or fgrep(1) is used instead of grep(1). The same applies to the names lzgrep, lzegrep and lzfgrep, which are provided for backward compatibility with LZMA Utils.
Environment variable GREP: if the GREP environment variable is set, xzgrep uses its value instead of grep(1), egrep(1) or fgrep(1). The value is executed as a command name, so only set it in an environment you control.
See also: grep(1), xz(1), gzip(1), bzip2(1), lzop(1), zstd(1), zgrep(1)
II. Synopsis
xzgrep [grep_options] [-e] pattern file...
xzegrep ...
xzfgrep ...
lzgrep ...
lzegrep ...
lzfgrep ...
III. Examples
First, prepare a test environment.
[root@localhost log]# xz -k /var/log/*.log
[root@localhost log]# ls /var/log/*.xz
/var/log/boot.log.xz /var/log/mysqld.log.xz /var/log/vmware-vmsvc.log.xz /var/log/yum.log.xz
The -k flag keeps the original files. Note that /var/log/messages and /var/log/secure, which the examples below search as messages.xz and secure.xz, have no .log suffix and are not matched by this glob; compress them separately (xz -k /var/log/messages /var/log/secure) if you want to follow along.
1. Several alternatives with OR (the most common case). To look for several different keywords in one compressed log at the same time (for example the 502 and 504 status codes, or several device IDs), separate the alternatives with |:
[root@localhost log]# xzegrep "postconf|ssh" /var/log/messages.xz
Jun 23 07:00:02 localhost systemd: PID file /var/run/sshd.pid not readable (yet?) after start.
Jun 23 07:00:02 localhost aliasesdb: /usr/sbin/postconf: relocation error: /usr/sbin/postconf: symbol mysql_real_connect, version libmysqlclient_18 not defined in file libmysqlclient.so.18 with link time reference
Jun 23 07:00:02 localhost postfix: /usr/sbin/postconf: relocation error: /usr/sbin/postconf: symbol mysql_real_connect, version libmysqlclient_18 not defined in file libmysqlclient.so.18 with link time reference
Jun 24 19:35:41 localhost aliasesdb: /usr/sbin/postconf: relocation error: /usr/sbin/postconf: symbol mysql_real_connect, version libmysqlclient_18 not defined in file libmysqlclient.so.18 with link time reference
Jun 24 19:35:41 localhost systemd: PID file /var/run/sshd.pid not readable (yet?) after start.
Jun 24 19:35:42 localhost postfix: /usr/sbin/postconf: relocation error: /usr/sbin/postconf: symbol mysql_real_connect, version libmysqlclient_18 not defined in file libmysqlclient.so.18 with link time reference
Jun 29 00:37:50 localhost systemd: PID file /var/run/sshd.pid not readable (yet?) after start.
Jun 29 00:37:50 localhost aliasesdb: /usr/sbin/postconf: relocation error: /usr/sbin/postconf: symbol mysql_real_connect, version libmysqlclient_18 not defined in file libmysqlclient.so.18 with link time reference
Jun 29 00:37:50 localhost postfix: /usr/sbin/postconf: relocation error: /usr/sbin/postconf: symbol mysql_real_connect, version libmysqlclient_18 not defined in file libmysqlclient.so.18 with link time reference
2. Combining common grep options. xzegrep accepts the usual grep options, which can be combined to speed up troubleshooting. Case-insensitive matching (-i): the search above is case-sensitive, so lines mentioning "OpenSSH" were missed; with -i they match as well:
[root@localhost log]# xzegrep -i "postconf|ssh" /var/log/messages.xz
Jun 23 07:00:02 localhost systemd: Starting OpenSSH server daemon...
Jun 23 07:00:02 localhost systemd: PID file /var/run/sshd.pid not readable (yet?) after start.
Jun 23 07:00:02 localhost systemd: Started OpenSSH server daemon.
Line numbers (-n) plus context (-C). When troubleshooting, the error line alone is often not enough; -C 3 prints each matching line together with the 3 lines before and after it. In the output, matching lines are marked with ":" and context lines with "-", and "--" separates groups that are not adjacent in the file:
[root@localhost log]# xzegrep -n -C 3 "postconf|ssh" /var/log/messages.xz
1670-Jun 23 07:00:02 localhost systemd: Starting Crash recovery kernel arming...
1671-Jun 23 07:00:02 localhost systemd: Starting System Logging Service...
1672-Jun 23 07:00:02 localhost systemd: Starting Postfix Mail Transport Agent...
1673:Jun 23 07:00:02 localhost systemd: PID file /var/run/sshd.pid not readable (yet?) after start.
1674-Jun 23 07:00:02 localhost systemd: Started OpenSSH server daemon.
1675-Jun 23 07:00:02 localhost systemd: Started System Logging Service.
1676:Jun 23 07:00:02 localhost aliasesdb: /usr/sbin/postconf: relocation error: /usr/sbin/postconf: symbol mysql_real_connect, version libmysqlclient_18 not defined in file libmysqlclient.so.18 with link time reference
1677-Jun 23 07:00:02 localhost aliasesdb: postalias: relocation error: postalias: symbol mysql_real_connect, version libmysqlclient_18 not defined in file libmysqlclient.so.18 with link time reference
1678-Jun 23 07:00:02 localhost postmaster: 2026-06-23 07:00:02.415 CST [941] LOG: listening on IPv4 address "0.0.0.0", port 5432
1679-Jun 23 07:00:02 localhost postmaster: 2026-06-23 07:00:02.415 CST [941] LOG: listening on IPv6 address "::", port 5432
1680-Jun 23 07:00:02 localhost postmaster: 2026-06-23 07:00:02.416 CST [941] LOG: listening on Unix socket "/var/run/postgresql/.s.PGSQL.5432"
1681-Jun 23 07:00:02 localhost postmaster: 2026-06-23 07:00:02.417 CST [941] LOG: listening on Unix socket "/tmp/.s.PGSQL.5432"
1682:Jun 23 07:00:02 localhost postfix: /usr/sbin/postconf: relocation error: /usr/sbin/postconf: symbol mysql_real_connect, version libmysqlclient_18 not defined in file libmysqlclient.so.18 with link time reference
1683-Jun 23 07:00:02 localhost systemd: postfix.service: control process exited, code=exited status=1
1684-Jun 23 07:00:02 localhost systemd: Failed to start Postfix Mail Transport Agent.
1685-Jun 23 07:00:02 localhost systemd: Unit postfix.service entered failed state.
--
3316-Jun 24 19:35:41 localhost systemd: Starting Network is Online.
3317-Jun 24 19:35:41 localhost systemd: Starting Crash recovery kernel arming...
Inverse match (-v) to drop noise. To filter out comment lines and blank lines and keep only the effective content (xzgrep also accepts uncompressed files, as here):
[root@localhost log]# xzegrep -v "^$|^#" /usr/local/nginx/conf/nginx.conf
worker_processes 1;
events {
    worker_connections 1024;
}
Keep in mind that this pattern only removes comments that start in column 1; an indented comment such as "    # ..." survives it. Use "^[[:space:]]*(#|$)" when indented comments must go as well.
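The following script is an added example, not code from the original page: it wraps the comment-stripping search in a function that also drops indented comments, which the "^$|^#" pattern above misses, and compares the two on a constructed nginx-style config. It assumes xz-utils (xzgrep) is installed; the sample config text, the function names and the file name are all made up for the demo.

```shell
#!/bin/sh
# Added example (not from the original page): strip blank and comment lines from
# a configuration file, including indented comments, which the pattern "^$|^#"
# used above leaves in place. Assumes xz-utils is installed; the config text is
# constructed here and only loosely modelled on nginx.conf.
set -eu

# active_config FILE... -> the non-blank, non-comment lines of each file
# (plain or compressed, since xzgrep decompresses as needed).
active_config() {
    # [[:space:]]* tolerates indentation before '#'; -v inverts the match
    xzgrep -h -v -E '^[[:space:]]*(#|$)' "$@"
}

# naive_active_lines FILE... -> number of lines kept by the page's "^$|^#"
# pattern, for comparison: indented comments slip through it.
naive_active_lines() {
    xzgrep -h -v -E '^$|^#' "$@" | wc -l | tr -d ' '
}

# write_sample_conf DIR -> path of a constructed nginx-style config
write_sample_conf() {
    cat > "$1/nginx.conf" <<'EOF'
# top-level comment: both patterns drop this line
worker_processes 1;

events {
    # indented comment: only active_config drops this line
    worker_connections 1024;
}
EOF
    printf '%s\n' "$1/nginx.conf"
}

# Usage: sh active_config.sh /usr/local/nginx/conf/nginx.conf
# With no arguments, run against the constructed sample config.
if [ $# -gt 0 ]; then
    active_config "$@"
else
    demo_dir=$(mktemp -d)
    active_config "$(write_sample_conf "$demo_dir")"
    rm -rf "$demo_dir"
fi
```

On the sample config the page's pattern keeps five lines (the indented comment among them) while active_config keeps the four real directives. The same function works unchanged on a compressed copy of the file, because xzgrep picks the decompressor from the file name.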
3. Exact matching and anchors
Whole-word match (-w): prevents matches inside longer words, for example match port but not report:
[root@localhost log]# xzegrep -w "port" /var/log/messages.xz
Jun 21 18:19:05 localhost dhclient[2277]: DHCPREQUEST on ens33 to 192.168.67.254 port 67 (xid=0x1f55758c)
Jun 21 18:33:19 localhost dhclient[2277]: DHCPREQUEST on ens33 to 192.168.67.254 port 67 (xid=0x1f55758c)
Anchoring to the start (^) or end ($) of a line, for example all request records that begin with a specific IP address:
xzegrep "^192\.168\.1\.100" /var/log/nginx/access.log.xz
4. More involved extended regular expressions
Match a time window, for example every log line from 00:00 to 00:59 on Jun 29. The trailing colon requires a seconds field to follow, so the pattern cannot match a bare "00:NN" elsewhere on the line. Note that syslog pads single-digit days with a space ("Jun  9"), so a pattern for such a day needs two spaces:
xzegrep "Jun 29 00:[0-5][0-9]:" /var/log/messages.xz
Match a specific format, such as an IPv4 address. The pattern is deliberately loose: it also accepts 999.999.999.999 and digit runs inside longer tokens. Add -o to print only the matched address, or -w to require word boundaries:
[root@localhost log]# xzegrep "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" /var/log/secure.xz
Jun 23 07:00:02 localhost sshd[943]: Server listening on 0.0.0.0 port 22.
Jun 23 07:00:20 localhost sshd[2137]: Accepted password for root from 192.168.67.1 port 42784 ssh2
Jun 23 07:00:27 localhost sshd[2160]: Accepted password for root from 192.168.67.1 port 42792 ssh2
Jun 24 19:35:41 localhost sshd[955]: Server listening on 0.0.0.0 port 22.
Jun 24 19:35:57 localhost sshd[2143]: Accepted password for root from 192.168.67.1 port 9281 ssh2
Jun 24 19:36:03 localhost sshd[2165]: Accepted password for root from 192.168.67.1 port 9290 ssh2
Jun 24 19:38:48 localhost sshd[2203]: Accepted password for root from 192.168.67.1 port 9530 ssh2
Jun 29 00:37:50 localhost sshd[946]: Server listening on 0.0.0.0 port 22.
Jun 29 00:38:14 localhost sshd[2162]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.67.1 user=root
Jun 29 00:38:17 localhost sshd[2162]: Failed password for root from 192.168.67.1 port 19612 ssh2
Jun 29 00:38:21 localhost sshd[2162]: Accepted password for root from 192.168.67.1 port 19612 ssh2
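The secure.xz output above is exactly the material an SSH login audit works from, so here is an added example (not code from the original page) that turns the regex search into a small detection routine: it runs one xzgrep pass over any number of rotated, compressed auth logs and tallies accepted and failed logins per source IP. It assumes xz-utils (xzgrep and xz) is installed. The sample log is constructed for the demo, modelled on the sshd lines shown above; the function names, the 203.0.113.7 and 10.0.0.5 addresses and the "deploy" user are made up.

```shell
#!/bin/sh
# Added example (not from the original page): tally SSH logins per source IP
# across rotated, compressed auth logs in one pass. Assumes xz-utils (xzgrep, xz)
# is installed. The sample log below is constructed for the demo, modelled on
# the sshd lines in /var/log/secure.
set -eu

# ssh_auth_summary FILE...
# Prints one line per source IP: "<ip> accepted=<n> failed=<n>", sorted by IP.
# Works on .xz, .gz, .bz2 or plain files because xzgrep decompresses transparently.
ssh_auth_summary() {
    # -h: no "file:" prefixes even with several files, so awk sees raw log lines
    # -E: extended regex, so alternation and {3} need no backslashes
    xzgrep -h -E 'sshd\[[0-9]+\]: (Accepted|Failed) (password|publickey) for .* from [0-9]+(\.[0-9]+){3} port [0-9]+' "$@" |
    awk '
        {
            # the token after "from" is the source IP
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if ($0 ~ /: Accepted (password|publickey) for /) acc[ip]++
            else fail[ip]++
            seen[ip] = 1
        }
        END {
            for (ip in seen)
                printf "%s accepted=%d failed=%d\n", ip, acc[ip] + 0, fail[ip] + 0
        }' | LC_ALL=C sort
}

# make_sample_log DIR -> path of a constructed, xz-compressed auth log
make_sample_log() {
    cat > "$1/secure" <<'EOF'
Jun 23 07:00:02 localhost sshd[943]: Server listening on 0.0.0.0 port 22.
Jun 23 07:00:20 localhost sshd[2137]: Accepted password for root from 192.168.67.1 port 42784 ssh2
Jun 29 00:38:14 localhost sshd[2162]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.67.1 user=root
Jun 29 00:38:17 localhost sshd[2162]: Failed password for root from 192.168.67.1 port 19612 ssh2
Jun 29 00:38:21 localhost sshd[2162]: Accepted password for root from 192.168.67.1 port 19612 ssh2
Jun 29 01:02:03 localhost sshd[2300]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Jun 29 01:02:05 localhost sshd[2300]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Jun 29 01:02:09 localhost sshd[2301]: Accepted publickey for deploy from 10.0.0.5 port 40022 ssh2
EOF
    xz -f "$1/secure"            # replaces the plain file with secure.xz
    printf '%s\n' "$1/secure.xz"
}

# Usage: sh ssh_auth_summary.sh /var/log/secure*.xz
# With no arguments, run against the constructed sample log.
if [ $# -gt 0 ]; then
    ssh_auth_summary "$@"
else
    demo_dir=$(mktemp -d)
    ssh_auth_summary "$(make_sample_log "$demo_dir")"
    rm -rf "$demo_dir"
fi
```

The pattern anchors on the "Accepted ... from IP port N" and "Failed ... from IP port N" shapes, so the pam_unix and "Server listening" lines (which the loose IP regex above also matched) are not counted. Passing several rotated files at once (secure-20260601.xz secure-20260608.xz ...) gives a single table across the whole retention window without decompressing anything to disk.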
IV. Additional notes
- Wildcard batch search: if a directory contains several .xz files, use a wildcard directly: xzegrep "keyword" *.xz.
- Command equivalence: xzegrep "pattern" file.xz and xzgrep -E "pattern" file.xz do exactly the same thing. Prefer the -E form in scripts: GNU grep has deprecated egrep and fgrep, and since grep 3.8 they print a warning.
- Performance: regular expressions (especially complex extended ones) cost more CPU than a plain string search. If you only need a fixed string, xzfgrep or xzgrep -F is faster.
V. Summary
xzegrep is mainly used to inspect archived, compressed logs quickly, without decompressing them first.
In fact xzegrep is a wrapper script. When you run xzegrep "pattern" file.xz in a terminal, it performs roughly xzcat file.xz | grep -E "pattern" behind the scenes: the decompressed text is streamed through a pipe straight into grep, so no temporary file is written to disk. The cost is one full decompression per search, proportional to the size of the archive, so it is not free on very large files. Because it is a shell script that builds commands from file names, older versions mishandled file names containing newlines (CVE-2022-1271, fixed in xz 5.2.6; the zgrep counterpart was fixed in gzip 1.12), so avoid running it over attacker-controlled file names on unpatched systems.
Further tips
Besides xzegrep, Linux provides similar convenience tools for other compression formats:
- for .gz files: zgrep or zegrep
- for .bz2 files: bzgrep or bzegrep
As the man page section above notes, xzgrep itself also accepts gzip, bzip2, lzop and zstd compressed files and hands each to the matching decompressor, so one tool usually suffices.
In short, xzegrep is a go-to tool for day-to-day operations work on archived compressed logs: it balances storage space against search efficiency.