tail, unbuffer and trap are 3 things which are useful together.

tail usually stops reading if it receives SIGINT, which is sent by pressing C-c.

Pressing C-c inside less is useful: it stops less from reading further input, so you can navigate what has arrived so far.

unbuffer -p disables output buffering for grep, so each matching line is passed down the pipe immediately.

You can also use sed -u instead of grep, but then you have to escape the path, because / is the sed address delimiter.

sed -u -n "/$(echo "$path" | bs '/')/p"
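The escaping concern above, worked through as an added example that is not part of the original post: it contrasts escaping only the slashes with escaping every BRE metacharacter, so the filter matches the literal path and nothing else. The function names (sed_literal, slash_only, filter_pattern), the path and the log lines are constructed for illustration.

```shell
#!/bin/bash
# Added example (not from the original post): build a literal sed address
# from a file path so audit.log lines are filtered on the exact path.

# Escape BRE metacharacters and the "/" address delimiter.
# "|" is used as the s-command delimiter so "/" needs no special care here.
sed_literal() {
    printf '%s\n' "$1" | sed -e 's|[][\.*^$/]|\\&|g'
}

# Escape only "/" (the minimum needed for the /.../ address to parse).
slash_only() {
    printf '%s\n' "$1" | sed -e 's|/|\\/|g'
}

# Print only the lines on stdin that match the already-escaped pattern $1.
# -u keeps sed unbuffered so matches reach the pager immediately.
filter_pattern() {
    sed -u -n "/$1/p"
}

# Constructed sample lines shaped like audit PATH records (not real log data).
sample_log() {
    cat <<'EOF'
type=PATH msg=audit(1700000000.001:101): item=1 name="/home/u/.zsh_history" nametype=NORMAL
type=PATH msg=audit(1700000000.002:102): item=1 name="/home/u/Xzsh_history" nametype=NORMAL
type=PATH msg=audit(1700000000.003:103): item=1 name="/home/u/notes.txt" nametype=NORMAL
EOF
}

watched='/home/u/.zsh_history'   # constructed path

# With slash-only escaping the "." is a wildcard, so Xzsh_history also matches.
echo "slash-only escaping:"
sample_log | filter_pattern "$(slash_only "$watched")"

# With full escaping only the watched file's record is printed.
echo "full literal escaping:"
sample_log | filter_pattern "$(sed_literal "$watched")"
```
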

Here is a script that puts these things together so you can browse less without killing tail.

audit-file

#!/bin/bash
export TTY

( hs "$(basename "$0")" "$@" "#" "<==" "$(ps -o comm= $PPID)" 0</dev/null ) &>/dev/null

path="$1"

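# Add an audit watch on the path for writes (w) and attribute changes (a)
msudo auditctl -w "$path" -p wa

# Ignore SIGINT in this shell so that C-c does not kill tail.
# An ignored signal stays ignored in the child processes started below.
trap '' INT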

# sudo tail -F /var/log/audit/audit.log | unbuffer -p grep "$path" | tless -S +F

sudo tail -F /var/log/audit/audit.log | sed -u -n "/$(echo "$path" | bs '/')/p" | tless -S +F

Example of usage

audit-file $HOME/programs/zsh/dotfiles/.zsh_history
