Best 4 Steps for Tail Command in Linux for Logs With Examples
In this guide, we will explore the Tail Command in Linux for Logs. In Linux environments, the tail command stands out as a versatile tool applicable to various tasks. Its primary strength lies in monitoring and analyzing files, particularly log files. By default, tail displays the last 10 lines of a file, but it offers a range of customization options. This adaptability makes it an excellent choice for real-time log file monitoring.
You can follow the steps below to see how to use Tail Command in Linux for Logs and other text files. To complete this guide, you must have access to your server as a root or non-root user with sudo privileges. You can visit the Orcacore website and check our initial server setup guides for different Linux distros like AlmaLinux, Debian, Ubuntu, etc.
Step 1 – Basic Usage of Tail Command in Linux
As mentioned, the tail command, by default, shows the last 10 lines of a specified file. The basic syntax for using Tail Command in Linux for Logs is as follows:
tail <desired-file>
For example, to display the last 10 lines of the /var/log/auth.log file, you would use the following command:
tail /var/log/auth.log
This will print the last 10 lines of the auth.log file, which commonly contains information about user logins and authentication attempts.
Step 2 – Modify the Number of Tail Command Lines
To view more or fewer lines than the default 10, you can use the -n option with the tail command. The syntax looks like this:
tail -n <number-of-lines> <desired-file>
For instance, to check the last 50 lines of the auth.log file, you would use:
tail -n 50 /var/log/auth.log
You can adjust the number as needed.
Furthermore, you can also display lines starting from a specific line number. For example, the following command will display the log lines starting from line 50:
tail -n+50 /var/log/auth.log
Step 3 – Use Tail Command in Real Time
One of the most powerful features of the tail command is its ability to display changes to a file in real time. This is particularly useful for monitoring logs as they are being written, and it is a key benefit of using Tail Command in Linux for Logs. To achieve this, use the -f option:
tail -f <desired-file>
For example, to monitor the auth.log file in real time and see new login attempts as they occur, use:
tail -f /var/log/auth.log
To stop the real-time monitoring, press CTRL+C.
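What happens to a follow session when the log is rotated, as an added example that is not from the original article: tail -f keeps following the renamed file, while tail -F (described in the tail --help output as --follow=name --retry) picks up the new one. The temporary file, the function name rotation_demo and the variable names are assumptions made for this demo.

```shell
#!/bin/sh
# Constructed demo: compare tail -f (follows the open descriptor) with
# tail -F (follows the name and retries) across a rename-style rotation.
# It works on a temporary file, not on a real system log.
rotation_demo() {
    dir=$(mktemp -d) || return 1
    log="$dir/app.log"
    printf 'before rotation\n' > "$log"

    # -n 0 starts at the end of the file; -s 0.2 shortens the poll interval
    # that tail falls back to when inotify is not available.
    tail -n 0 -s 0.2 -f "$log" > "$dir/f.out" 2>/dev/null &
    pid_f=$!
    tail -n 0 -s 0.2 -F "$log" > "$dir/F.out" 2>/dev/null &
    pid_F=$!
    sleep 1

    # Rename-style rotation: move the old file aside, then create a new
    # file under the original name.
    mv "$log" "$log.1"
    : > "$log"
    sleep 3
    printf 'after rotation\n' >> "$log"
    sleep 2

    kill "$pid_f" "$pid_F" 2>/dev/null
    wait "$pid_f" "$pid_F" 2>/dev/null || true

    # Count how many post-rotation lines each follower captured.
    DESCRIPTOR_HITS=$(grep -c 'after rotation' "$dir/f.out" || true)
    NAME_HITS=$(grep -c 'after rotation' "$dir/F.out" || true)
    rm -rf "$dir"
}

rotation_demo
echo "tail -f captured $DESCRIPTOR_HITS post-rotation line(s); tail -F captured $NAME_HITS"
```

For a long-running watch on /var/log/auth.log, this is the reason to prefer tail -F: a session started with -f goes silent after rotation without any error.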
Step 4 – Display Number of Bytes with Tail Command
The tail command can also display a specific number of bytes from the end of a file. To do this, use the -c option followed by the desired number of bytes. For example:
tail -c 20 /var/log/auth.log
This will display the last 20 bytes of the auth.log file.
Similarly, you can print the results starting from a specific byte number:
tail -c+20 /var/log/auth.log
This will display the contents of the file starting from the 20th byte.
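Note: You can combine the tail command with other tools like grep to filter the results. For example:
tail /var/log/auth.log | grep -F 198.50.100.0
This command will display only those of the last 10 lines of the auth.log file that contain the IP address 198.50.100.0. The -F option makes grep treat the address as a fixed string, so each dot matches only a literal dot rather than any character.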
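Counting failed SSH logins per source address from the tail of the log, as an added example that is not from the original article. The sample lines are constructed in the usual OpenSSH syslog format, and the function names sample_auth_log and failed_by_ip are hypothetical.

```shell
#!/bin/sh
# Constructed sample lines in the usual OpenSSH syslog format (not real log data).
sample_auth_log() {
cat <<'EOF'
Mar  3 10:01:12 web1 sshd[2101]: Failed password for root from 198.50.100.0 port 51122 ssh2
Mar  3 10:01:15 web1 sshd[2101]: Failed password for root from 198.50.100.0 port 51122 ssh2
Mar  3 10:02:40 web1 sshd[2144]: Accepted password for deploy from 192.0.2.10 port 40110 ssh2
Mar  3 10:03:01 web1 sshd[2150]: Failed password for invalid user admin from 203.0.113.7 port 33810 ssh2
Mar  3 10:03:05 web1 sshd[2150]: Failed password for invalid user from from 203.0.113.7 port 33810 ssh2
Mar  3 10:03:09 web1 sshd[2161]: Failed password for root from 198.50.100.0 port 51200 ssh2
Mar  3 10:04:00 web1 sudo: pam_unix(sudo:session): session opened for user root by deploy(uid=0)
EOF
}

# failed_by_ip FILE N
# Count "Failed password" events per source address in the last N lines of
# FILE, busiest source first. The user name in these lines is chosen by the
# remote client (the fifth sample line uses "from"), so the address is read
# by position from the end of the line: ... from ADDR port N ssh2
failed_by_ip() {
    tail -n "$2" "$1" |
        grep -F 'Failed password' |
        awk 'NF >= 4 && $(NF-2) == "port" { n[$(NF-3)]++ }
             END { for (ip in n) print n[ip], ip }' |
        sort -k1,1nr -k2,2
}

# Stand-alone run against the constructed sample.
demo_log=$(mktemp)
sample_auth_log > "$demo_log"
failed_by_ip "$demo_log" 100
rm -f "$demo_log"
```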
For more options of Tail Command in Linux for Logs, you can use the tail help command:
tail --help
The output will show a list of available options and their descriptions:
Usage: tail [OPTION]... [FILE]...
Print the last 10 lines of each FILE to standard output.
With more than one FILE, precede each with a header giving the file name.
With no FILE, or when FILE is -, read standard input.
Mandatory arguments to long options are mandatory for short options too.
  -c, --bytes=[+]NUM       output the last NUM bytes; or use -c +NUM to
                             output starting with byte NUM of each file
  -f, --follow[={name|descriptor}]
                           output appended data as the file grows;
                             an absent option argument means 'descriptor'
  -F                       same as --follow=name --retry
  -n, --lines=[+]NUM       output the last NUM lines, instead of the last 10;
                             or use -n +NUM to output starting with line NUM
      --max-unchanged-stats=N
                           with --follow=name, reopen a FILE which has not
                             changed size after N (default 5) iterations
                             to see if it has been unlinked or renamed
                             (this is the usual case of rotated log files);
                             with inotify, this option is rarely useful
      --pid=PID            with -f, terminate after process ID, PID dies
  -q, --quiet, --silent    never output headers giving file names
      --retry              keep trying to open a file if it is inaccessible
  -s, --sleep-interval=N   with -f, sleep for approximately N seconds
                             (default 1.0) between iterations;
                             with inotify and --pid=P, check process P at
                             least once every N seconds
  -v, --verbose            always output headers giving file names
  -z, --zero-terminated    line delimiter is NUL, not newline
      --help     display this help and exit
      --version  output version information and exit
Conclusion
By now, you have learned how to use the Tail Command in Linux for Logs with various examples. This is a fundamental Linux command that every user should know, as it is useful for troubleshooting, monitoring, and analyzing system behavior.
Alternative Solutions for Log Monitoring
While the tail command is a powerful tool for log monitoring, other approaches can provide additional functionality or suit different use cases. Here are two alternative solutions:
1. Using less with the +F option
The less command is a versatile pager that allows you to view files one screen at a time. It also has a "follow" mode similar to tail -f.
Explanation:
The less +F <file> command opens the specified file in less. The +F option tells less to start in "follow" mode. In this mode, less displays the end of the file and waits for new data to be appended. When new data is added to the file, less automatically scrolls to display the new data. This is similar to the functionality of tail -f.
Code Example:
To monitor the /var/log/syslog file using less in follow mode:
less +F /var/log/syslog
To exit the follow mode and return to the interactive less environment, press Ctrl+C. You can then use the standard less commands (e.g., G to go to the end of the file, /pattern to search) to navigate the log. To return to follow mode, press F.
Advantages of less +F over tail -f:
- Navigation: While in follow mode, you can temporarily exit it with Ctrl+C to navigate the log file and search for specific patterns using less's powerful search capabilities. This is not possible with tail -f without interrupting the monitoring process.
- File Handling: less is generally more robust in handling file rotations and other changes to the log file.
- Features: less offers other features, such as highlighting search terms, that tail lacks.
2. Using multitail
multitail allows you to monitor multiple files simultaneously in a single terminal window. This can be extremely useful when you need to correlate events across different log files.
Explanation:
multitail takes a list of files as arguments and displays each file in its own window within the terminal. You can scroll through each window independently and apply filtering and highlighting rules to each file.
Code Example:
To monitor both /var/log/auth.log and /var/log/syslog simultaneously:
multitail /var/log/auth.log /var/log/syslog
multitail also supports various options for customizing the display, such as highlighting specific patterns, changing the colors, and filtering lines based on regular expressions. For instance, to highlight the word "error" in red in the /var/log/syslog file:
multitail -e error -cs red /var/log/syslog
Advantages of multitail:
- Simultaneous Monitoring: Monitor multiple log files in a single terminal.
- Customization: Highly customizable display with color highlighting, filtering, and regular expression support.
- Real-time Updates: Supports real-time updates for all monitored files.
By exploring these alternative solutions, you can choose the log monitoring approach that best suits your specific needs and preferences.