lnav: A Better Terminal Log Viewer for SREs

When an incident is unfolding, teams often fall back to tail, grep, and less. Those tools are still useful, but they break down when logs span many files, contain JSON, or need quick time-based correlation. lnav gives operators a smarter terminal-native way to inspect logs without shipping data into a separate system first.

What is lnav?

lnav is an open-source log file navigator for the terminal. It can read multiple files and directories, detect log formats automatically, decompress archives, merge entries by timestamp, and keep following files as they grow. That makes it especially useful for SSH-based production debugging, container host analysis, and post-incident review on systems where you want answers immediately.

The tool also goes beyond simple viewing. It can pretty-print JSON logs, highlight patterns, jump between errors, render histograms over time, and expose logs through SQLite so you can query events with familiar SQL.

Key Features

• Time-Ordered Merging: View logs from multiple files in a single chronological stream
• Format Awareness: Auto-detects common log formats and handles JSON lines cleanly
• Fast Navigation: Jump between warnings and errors, search with regex, and highlight patterns
• SQL for Logs: Run SQLite queries against parsed log data during an investigation
• Archive and Follow Support: Open compressed logs and continue tailing live files

Installation

On macOS:

brew install lnav

On Linux, you can download a static binary from the latest release page.

If you want to build from source:

./configure
make
sudo make install

Usage

Point lnav at one or more files or directories and let it do the parsing:

lnav /var/log/syslog /var/log/nginx/

It also works well with journalctl:

journalctl -o json --output-fields=MESSAGE,PRIORITY,_PID,SYSLOG_IDENTIFIER,_SYSTEMD_UNIT | lnav

Inside the interface, you can search with /, jump between errors with e and E, pretty-print structured messages with P, and open a histogram view with i to spot spikes around incident windows.

Operational Tips

For SRE teams, lnav is a strong fit for first-response debugging and ad hoc forensics. Use it on bastion hosts, CI runners, or Kubernetes nodes when central logging is delayed or incomplete. If you already ship logs into an observability platform, lnav still earns a place in your toolkit because it shortens the gap between "something is wrong" and "I found the pattern."

The SQLite view is especially handy when you need quick answers from raw logs. Instead of writing one-off parsing scripts, you can inspect structured fields and narrow incidents interactively from the terminal.

Conclusion

lnav gives operators a faster way to inspect logs locally, especially when incidents demand speed and context. If your current workflow depends on juggling tail, grep, and temporary scripts, this is one of the simplest upgrades you can make. Explore the GitHub repository and try it on your next debugging session.

Looking for an AI-powered platform to help your SRE team? Akmatori helps teams automate incident response and infrastructure management. Backed by Gcore, we're building the future of intelligent operations.