Best 4 Steps for Tail Command in Linux for Logs With Examples

In this guide, we will explore how to use the tail command in Linux to work with logs. In Linux systems, the tail command is a versatile tool used for various tasks, most notably monitoring and analyzing files. By default, the tail command displays the last 10 lines of a file. However, you can customize it to suit your specific needs. This flexibility makes the tail command an excellent choice for monitoring log files and other text-based data.

You can follow the steps below to learn how to use the tail command effectively on logs and other text files. To complete this guide, you will need access to your Linux server, either as a root user or a non-root user with sudo privileges. You can find initial server setup guides for various Linux distributions like AlmaLinux, Debian, Ubuntu, etc., on the Orcacore website.

Step 1 – Basic Usage of Tail Command in Linux

As mentioned, the tail command displays the last 10 lines of a file by default. The basic syntax of the tail command is:

tail <desired-file>

For example, to display the last 10 lines of the /var/log/auth.log file, use the following command:

tail /var/log/auth.log

This command will print the last 10 lines of the auth.log file, which typically contains information about user logins and the authentication mechanisms used.

Step 2 – Modify the Number of Tail Command Lines

If you need to examine more or fewer lines of a log file, you can modify the number of lines displayed using the -n option with the tail command. The syntax is as follows:

tail -n <number-of-lines> <desired-file>

For instance, to check the last 50 lines of the auth.log file, you would use the command:

tail -n 50 /var/log/auth.log

You can adjust the number of lines to suit your specific requirements.

Furthermore, you can display lines starting from a specific line number. The following command will display the log lines starting from line 50:

tail -n +50 /var/log/auth.log

Step 3 – Use Tail Command in Real Time

This step demonstrates how to use the tail command to monitor changes to a log file in real time. To achieve this, use the -f option with the tail command.

tail -f <desired-file>

For example, to watch login attempts in the auth.log file in real time, use the following command:

tail -f /var/log/auth.log

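This command continuously displays new lines as they are added to the auth.log file. To stop the process, press CTRL+C. Note that -f follows the open file descriptor by default, so after the log is rotated it keeps watching the old file; the -F option follows the file by name and retries if it becomes inaccessible.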

Step 4 – Display Number of Bytes with Tail Command

In this step, you will use the tail command to display a specific number of bytes from the end of a file. This is achieved using the -c option, followed by the desired number of bytes. For example:

tail -c 20 /var/log/auth.log

This command will display the last 20 bytes of the auth.log file.

You can also print the file contents starting from a specific byte number:

tail -c +20 /var/log/auth.log

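Note: The tail command can be combined with other tools, such as grep, to filter the results. For example:

tail /var/log/auth.log | grep -F 198.50.100.0

This command will display only those of the last 10 lines of auth.log that include the IP address 198.50.100.0. The -F option makes grep treat the pattern as a fixed string, so the dots match literal dots rather than any character. Add -n to tail to search more lines.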
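
As an added example (not part of the original guide), the script below combines the -c +NUM form with a grep filter to count only the failed-login lines appended since the previous run, and starts over when the file has shrunk after rotation. The function names, the state file and the sample log lines are constructed for illustration; head -c and grep -w are assumed to be available, as they are on GNU and BSD systems.

```shell
#!/bin/sh
# Added example, not from the original guide. Function names, the state file
# and the sample log lines are constructed for illustration.

# new_log_data LOGFILE STATEFILE
# Print the bytes appended since the offset saved in STATEFILE, then save
# the new offset.
new_log_data() {
    log=$1
    state=$2
    offset=0
    if [ -f "$state" ]; then offset=$(cat "$state"); fi
    size=$(( $(wc -c < "$log") ))    # arithmetic strips any padding from wc
    # A smaller file means it was rotated or truncated: start from byte 0.
    if [ "$size" -lt "$offset" ]; then offset=0; fi
    # tail -c +NUM counts from 1, so byte offset N is requested as N + 1.
    # head -c caps the read at the size recorded below, so data written
    # during this run is reported next time instead of twice.
    tail -c "+$((offset + 1))" "$log" | head -c "$((size - offset))"
    echo "$size" > "$state"
}

# new_failures_from LOGFILE STATEFILE IP
# Count new "Failed password" lines that mention IP. grep -F takes the dots
# literally; -w keeps 198.50.100.1 from also matching 198.50.100.10.
new_failures_from() {
    new_log_data "$1" "$2" | grep -F 'Failed password' |
        grep -cFw -- "$3" || true    # grep -c exits 1 on a zero count
}

demo() {
    dir=$(mktemp -d)
    printf '%s\n' \
        'Jan 10 10:00:01 host sshd[101]: Failed password for root from 198.50.100.0 port 4242 ssh2' \
        'Jan 10 10:00:02 host sshd[102]: Accepted password for alice from 198.50.100.7 port 4243 ssh2' \
        > "$dir/auth.log"
    echo "first run:  $(new_failures_from "$dir/auth.log" "$dir/offset" 198.50.100.0)"
    printf '%s\n' \
        'Jan 10 10:05:09 host sshd[140]: Failed password for root from 198.50.100.0 port 4250 ssh2' \
        >> "$dir/auth.log"
    echo "second run: $(new_failures_from "$dir/auth.log" "$dir/offset" 198.50.100.0)"
    rm -rf "$dir"
}
demo
```

Run from cron or a timer, each call reports only what is new; a file that was truncated and has already grown past the saved offset is not detected by the size check alone.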

For a comprehensive list of options available with the tail command, use the --help option:

tail --help

The output will display the following:

**Output**
Usage: tail [OPTION]... [FILE]...
Print the last 10 lines of each FILE to standard output.
With more than one FILE, precede each with a header giving the file name.

With no FILE, or when FILE is -, read standard input.

Mandatory arguments to long options are mandatory for short options too.
  -c, --bytes=[+]NUM       output the last NUM bytes; or use -c +NUM to
                             output starting with byte NUM of each file
  -f, --follow[={name|descriptor}]
                           output appended data as the file grows;
                             an absent option argument means 'descriptor'
  -F                       same as --follow=name --retry
  -n, --lines=[+]NUM       output the last NUM lines, instead of the last 10;
                             or use -n +NUM to output starting with line NUM
      --max-unchanged-stats=N
                           with --follow=name, reopen a FILE which has not
                             changed size after N (default 5) iterations
                             to see if it has been unlinked or renamed
                             (this is the usual case of rotated log files);
                             with inotify, this option is rarely useful
      --pid=PID            with -f, terminate after process ID, PID dies
  -q, --quiet, --silent    never output headers giving file names
      --retry              keep trying to open a file if it is inaccessible
  -s, --sleep-interval=N   with -f, sleep for approximately N seconds
                             (default 1.0) between iterations;
                             with inotify and --pid=P, check process P at
                             least once every N seconds
  -v, --verbose            always output headers giving file names
  -z, --zero-terminated    line delimiter is NUL, not newline
      --help        display this help and exit
      --version     output version information and exit

Conclusion

By now, you should have a solid understanding of how to use the tail command on Linux log files, with practical examples. This command is a fundamental tool that every Linux user should be familiar with.

Alternative Solutions for Log Monitoring

While tail is a powerful and readily available tool, several other methods can be used for log monitoring in Linux. Here are two alternative approaches:

1. Using less with the +F option

The less command is a versatile pager that allows you to view files one screen at a time. It also offers a "follow" mode similar to tail -f.

Explanation:

The less +F command opens the specified file in less. The +F option instructs less to start in "follow" mode. This means that less will display the end of the file and continuously check for new data appended to it, similar to tail -f. The advantage of using less is that you can easily switch between following the file and navigating through it using less's navigation keys (e.g., Page Up, Page Down, arrow keys). Pressing Ctrl+C will stop following the file and return you to the normal less navigation mode. To resume following, press F.

Code Example:

less +F /var/log/syslog

This command will open the syslog file in less and start following it in real-time. You can navigate the existing log data and then press F to follow any new entries.

2. Using multitail

multitail is a tool specifically designed for monitoring multiple log files simultaneously in a single terminal window.

Explanation:

multitail allows you to view multiple files at the same time, each in its own window within the terminal. It supports color-coding, filtering, and various other features to make log analysis easier. This is particularly useful when you need to correlate events across different log files. multitail can also follow files in real-time, similar to tail -f.

Code Example:

First, you may need to install multitail if it’s not already installed on your system. For Debian/Ubuntu:

sudo apt-get update
sudo apt-get install multitail

For CentOS/RHEL:

sudo yum install epel-release
sudo yum install multitail

Then, to monitor two log files simultaneously:

multitail /var/log/auth.log /var/log/syslog

This command will open a terminal window with two panes, one displaying the auth.log file and the other displaying the syslog file, both updated in real-time. You can add more files to the command to monitor even more logs at once. multitail offers a variety of options for customization, such as color-coding and filtering, which can be explored through its documentation. This approach provides a more comprehensive view when needing to correlate log data across different sources.
