How to Use tail Command in Linux with Examples

The tail command in Linux is designed to display the last part of a file, typically the last 10 lines. This function may seem modest at first glance, but its applications are vast and varied, especially in system administration and development environments. Whether you’re monitoring log files for errors, debugging application output, or simply viewing the latest entries in a data file, the tail command is an indispensable tool in your Linux toolkit.

This blog post delves into the intricacies of the tail command, exploring its syntax, options, and practical applications.

Syntax and Basic Command Structure

The basic syntax of the tail command is straightforward:

tail [OPTION]... [FILE]...
  • OPTION: Specifies the options or flags to modify the behavior of the tail command.
  • FILE: Represents the file(s) from which the tail command will display the last lines.

If no file is specified, tail reads from the standard input.

Common Options of the tail Command

OptionDescription
-nDisplays the specified number of lines from the end of the file.
-fFollows the file in real-time, displaying new lines as they are added.
–pidStops following the file when the specified process ID (PID) terminates.
-qSuppresses headers when displaying the contents of multiple files.
-cDisplays the specified number of bytes from the end of the file.
-sSleeps for the specified number of seconds between iterations when following a file.
–max-unchanged-statsSpecifies the number of iterations with no file size change before stopping when following with -f and no file growth is detected.
-vVerbose mode. Always outputs headers giving file names.
–follow=nameSimilar to -f, but follows the file name instead of the file descriptor, useful if the file is renamed.
–retryKeeps trying to open a file even when it is not available initially, used with –follow=name.

Examples tail Command Usage

Explore practical examples of the tail command, from viewing the last lines of log files to real-time monitoring and customizing output.

Listing Files in /var/log/

To view the contents of the /var/log/ directory in Linux, use the ls command followed by the directory path:

ls /var/log/

This command lists all files and directories within the /var/log/ directory. It is useful for checking available log files, system events, and other critical system information stored in this directory.

Displaying the Last 10 Lines of a File

The most common usage of the tail command is to display the last 10 lines of a file. This is also the default behavior when no options are provided:

tail /var/log/syslog

This command will output the last 10 lines of the /var/log/syslog file, which is typically used for system logging.

Viewing the End of a Log File

In system administration, it is often necessary to monitor the latest entries in log files to troubleshoot issues or verify system activities. The tail command makes this task simple:

tail /var/log/auth.log

This command will display the last 10 lines of the auth.log file, providing a snapshot of recent authentication events.

Viewing Multiple Files

The tail command can also handle multiple files simultaneously. When multiple files are specified, tail will display the last 10 lines of each file, prefixed with the file name. For example:

tail /var/log/syslog /var/log/auth.log

This command outputs the last 10 lines of both syslog and auth.log files, making it easier to compare and correlate entries across different log files.

Specifying the Number of Lines -n Option

The -n option allows users to specify the exact number of lines to display from the end of a file. This option is particularly useful when the default output of 10 lines is not sufficient.

Displaying the last 20 lines of a file:

tail -n 20 /var/log/syslog

Displaying the last 5 lines of a file:

tail -n 5 /var/log/auth.log

Displaying lines from a specific offset from the end:

tail -n +15 /var/log/syslog

This command will display all lines starting from the 15th line from the end of the file.

Real-time Monitoring with -f Option

One of the most powerful features of the tail command is its ability to follow a file in real-time. The -f option allows you to monitor a file as it is updated, which is particularly useful for observing live log files:

tail -f /var/log/syslog

This command will display the last 10 lines of the /var/log/syslog file and continue to output new lines as they are added. This real-time monitoring capability is invaluable for system administrators needing to track ongoing events or troubleshoot live issues.

Terminate After a Process ID Dies -pid Option

The --pid option is used in conjunction with the -f option to stop monitoring a file when a specified process ID (PID) terminates. This is useful for monitoring log files related to specific processes.

Monitoring a log file until a process terminates:

tail -f --pid=1234 /var/log/syslog

This command will stop following the syslog file when the process with PID 1234 exits.

Suppressing Headers -q Option

When tail is used to display the contents of multiple files, it typically prefixes each output with the file name. The -q (quiet) option suppresses these headers, providing a cleaner output.

tail -q /var/log/syslog /var/log/auth.log

This command outputs the last 10 lines of both syslog and auth.log files without file name headers.

Specifying the Number of Bytes -c Option

The -c option allows users to specify the number of bytes to display from the end of a file, rather than the number of lines. This is useful for binary files or when precise byte counts are needed.

Displaying the last 50 bytes of a file:

tail -c 50 /var/log/syslog

Combining tail with Other Commands

One of the most powerful aspects of the tail command is its ability to be combined with other Linux commands using pipes. This combination enables more sophisticated data processing and filtering, enhancing the functionality of tail.

Filtering Output with grep

tail -f /var/log/syslog | grep "error"

This command monitors the syslog file in real-time and filters the output to show only lines containing the word “error.”

Formatting Output with awk

tail -n 20 /var/log/syslog | awk '{print $1, $2, $5}'

This command displays the last 20 lines of the syslog file and formats the output to show only the first, second, and fifth columns, which might correspond to the timestamp and message content, respectively.

Manipulating Data with sed

tail -n 50 /var/log/syslog | sed 's/error/ERROR/g'

This command displays the last 50 lines of the syslog file and replaces every instance of “error” with “ERROR” for better visibility.

Conclusion

The tail command is a powerful and flexible tool in the Linux command-line arsenal. Its ability to display and monitor the end of files, combined with a variety of options, makes it indispensable for system administration and development tasks. By mastering the tail command, you can enhance your efficiency in monitoring and troubleshooting Linux systems.

Share your love

Newsletter Updates

Stay updated with our latest guides and tutorials about Linux.

Leave a Reply

Your email address will not be published. Required fields are marked *