Watch Linux Logs in Real Time with Tail Command

Introduction

The tail command is a powerful tool for monitoring Linux logs in real time. It allows you to quickly view the last few lines of a log file, or to follow the log file as it grows. This can be useful for troubleshooting system issues, or for monitoring system activity. In this article, we will discuss how to use the tail command to view and monitor Linux logs in real time.

Watch Linux Logs in Real Time with Tail Command

The tail command is a Linux utility used to view the end of a text file or stream in real time. It is commonly used to monitor log files for errors or other important events.

To view the last 10 lines of a log file in real time, use the following command:

tail -f /path/to/logfile

This will display the last 10 lines of the log file and then wait for new lines to be added. As new lines are added, they will be displayed in the terminal.

To view the last 100 lines of a log file in real time, use the following command:

tail -f -n 100 /path/to/logfile

This will display the last 100 lines of the log file and then wait for new lines to be added. As new lines are added, they will be displayed in the terminal.

The tail command can also be used to monitor multiple log files at once. To do this, use the following command:

tail -f /path/to/logfile1 /path/to/logfile2

This will display the last 10 lines of both log files and then wait for new lines to be added. As new lines are added, they will be displayed in the terminal.

As Linux users, we often work with long-running background Linux processes, which are called daemons or services. Some of the common examples of the services are Secure Shell (sshd), Network Manager (networkd), Volume Manager (LVM), Cron, and the list goes on.

Many times we need to monitor the logs of these services to debug the system issues. However, one of the main challenges is that these services generate a lot of logs and most of the time going through these logs makes it cumbersome, this is where we can use the tail command.

tail command is a command-line utility, similar to the head command that reads a file and prints the last 10 lines (content) of one or more files to standard output.

In this practical guide, we will learn about the tail command. By the end of this guide, Linux command-line users will be able to use the tail command effectively.

tail Command Syntax

The syntax of the tail command is similar to other Linux commands:

$ tail [OPTIONS] [FILE-1] [FILE-2] ...

1. Print Last 10 Lines Of File in Linux

By default, the tail command prints the last 10 lines of the given file as shown.

$ tail /var/log/secure


Apr  2 14:17:24 Jassweb sshd[201178]: Disconnected from user tecmint 192.168.0.162 port 59774
Apr  2 14:17:24 Jassweb sshd[201165]: pam_unix(sshd:session): session closed for user tecmint
Apr  2 14:29:12 Jassweb sshd[201366]: Accepted password for tecmint from 192.168.0.162 port 56378 ssh2
Apr  2 14:29:12 Jassweb systemd[201371]: pam_unix(systemd-user:session): session opened for user tecmint(uid=1002) by (uid=0)
Apr  2 14:29:12 Jassweb sshd[201366]: pam_unix(sshd:session): session opened for user tecmint(uid=1002) by (uid=0)
Apr  2 14:29:12 Jassweb sshd[201382]: Received disconnect from 192.168.0.162 port 56378:11: disconnected by user
Apr  2 14:29:12 Jassweb sshd[201382]: Disconnected from user tecmint 192.168.0.162 port 56378
Apr  2 14:29:12 Jassweb sshd[201366]: pam_unix(sshd:session): session closed for user tecmint
Apr  2 15:12:55 Jassweb sshd[202049]: Accepted password for root from 192.168.0.162 port 53334 ssh2
Apr  2 15:12:55 Jassweb sshd[202049]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)

Here, we can see that the above command shows the last ten lines from the /var/log/secure file.

2. Print Last N Lines of File in Linux

In the last example, the command prints the last 10 lines of the given file. However, we can use the -n option which allows us to limit the number of lines to be printed on the screen as shown.

$ tail -n 3 /var/log/secure

Apr  2 14:29:12 Jassweb sshd[201366]: pam_unix(sshd:session): session closed for user tecmint
Apr  2 15:12:55 Jassweb sshd[202049]: Accepted password for root from 192.168.0.162 port 53334 ssh2
Apr  2 15:12:55 Jassweb sshd[202049]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)

In this example, we can see that now the command shows the last three lines only instead of the ten lines.

3. Ignore First N Lines of a File in Linux

Here, we can use the plus (+) symbol with the -n option, which allows us to control the starting point from the given file.

To understand this, let’s use the +5 value to start the output from the 5th line:

$ tail -n +5 /var/log/secure

Apr  2 14:17:24 Jassweb sshd[201178]: Disconnected from user tecmint 192.168.0.162 port 59774
Apr  2 14:17:24 Jassweb sshd[201165]: pam_unix(sshd:session): session closed for user tecmint
Apr  2 14:29:12 Jassweb sshd[201366]: Accepted password for tecmint from 192.168.0.162 port 56378 ssh2
Apr  2 14:29:12 Jassweb systemd[201371]: pam_unix(systemd-user:session): session opened for user tecmint(uid=1002) by (uid=0)
Apr  2 14:29:12 Jassweb sshd[201366]: pam_unix(sshd:session): session opened for user tecmint(uid=1002) by (uid=0)
Apr  2 14:29:12 Jassweb sshd[201382]: Received disconnect from 192.168.0.162 port 56378:11: disconnected by user
Apr  2 14:29:12 Jassweb sshd[201382]: Disconnected from user tecmint 192.168.0.162 port 56378
Apr  2 14:29:12 Jassweb sshd[201366]: pam_unix(sshd:session): session closed for user tecmint
Apr  2 15:12:55 Jassweb sshd[202049]: Accepted password for root from 192.168.0.162 port 53334 ssh2
Apr  2 15:12:55 Jassweb sshd[202049]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)

4. Show Last N Characters of the File

Similar to lines, we can also use the command to display the last N characters of the file using the -c option as shown below:

$ tail -c 7 /var/log/secure

(uid=0)

In this example, we can see that the command shows the last seven ASCII characters of the given file.

5. Remove First N Characters of File

Similarly, we can use the plus symbol (+) with the -c option to skip the first N character. So let’s skip the first line of the file using the below command:

$ tail -c +5 /var/log/secure

Apr  2 03:02:59 Jassweb sudo[162801]: root : TTY=pts/2 ; PWD=/root ; USER=root ; COMMAND=/bin/dnf install R
Apr  2 03:02:59 Jassweb sudo[162801]: pam_unix(sudo:session): session opened for user root(uid=0) by root(uid=0)
Apr  2 03:03:02 Jassweb sudo[162801]: pam_unix(sudo:session): session closed for user root
Apr  2 03:11:17 Jassweb groupadd[163602]: group added to /etc/group: name=avahi, GID=70
Apr  2 03:11:18 Jassweb groupadd[163602]: group added to /etc/gshadow: name=avahi
Apr  2 03:11:18 Jassweb groupadd[163602]: new group: name=avahi, GID=70
Apr  2 03:11:19 Jassweb useradd[163610]: new user: name=avahi, UID=70, GID=70, home=/var/run/avahi-daemon, shell=/sbin/nologin, from=none
Apr  2 03:13:41 Jassweb groupadd[163704]: group added to /etc/group: name=colord, GID=986
Apr  2 03:13:41 Jassweb groupadd[163704]: group added to /etc/gshadow: name=colord

Here, we can see that the command shows all the lines except the first line.

6. Show File Name in Header

We can instruct the tail command to display the current file name as a display header, which comes in handy while working with multiple files.

So, let’s use the -v option to enable the display header:

$ tail -n 3 -v /var/log/secure

==>/var/log/secure <==
Apr  2 14:29:12 Jassweb sshd[201366]: pam_unix(sshd:session): session closed for user tecmint
Apr  2 15:12:55 Jassweb sshd[202049]: Accepted password for root from 192.168.0.162 port 53334 ssh2
Apr  2 15:12:55 Jassweb sshd[202049]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)

In the above output, ==> /var/log/secure <== represents the display header.

7. Show File Name as Header in Multiple Files

Just like any other file-processing command, we can also use multiple files with the tail command. In such cases, the display header gets used to separate the file contents.

$ tail -n 3 -v /var/log/secure /var/log/secure-20230402

==> /var/log/secure <==
Apr  2 14:29:12 Jassweb sshd[201366]: pam_unix(sshd:session): session closed for user tecmint
Apr  2 15:12:55 Jassweb sshd[202049]: Accepted password for root from 192.168.0.162 port 53334 ssh2
Apr  2 15:12:55 Jassweb sshd[202049]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)

==> /var/log/secure-20230402 <==
Mar 31 03:50:53 Jassweb groupadd[156163]: new group: name=docker, GID=987
Mar 31 04:46:11 Jassweb sshd[159403]: Accepted password for root from 192.168.0.162 port 46480 ssh2
Mar 31 04:46:11 Jassweb sshd[159403]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)

In the above output, we can see the display header for each file.

8. How to Disable Display Header in File

In the previous example, we saw that the command enables the display header while working with multiple files. However, we can suppress this default behavior using the -q option.

$ tail -q -n 3 /var/log/secure /var/log/secure-20230402

Apr  2 14:29:12 Jassweb sshd[201366]: pam_unix(sshd:session): session closed for user tecmint
Apr  2 15:12:55 Jassweb sshd[202049]: Accepted password for root from 192.168.0.162 port 53334 ssh2
Apr  2 15:12:55 Jassweb sshd[202049]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)
Mar 31 03:50:53 Jassweb groupadd[156163]: new group: name=docker, GID=987
Mar 31 04:46:11 Jassweb sshd[159403]: Accepted password for root from 192.168.0.162 port 46480 ssh2
Mar 31 04:46:11 Jassweb sshd[159403]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)

Here, we can see that now the command displays the file contents one after another without any display header.

9. How to Watch a File for Changes

So far we saw that the tail command exits once it processes the required number of lines or characters. However, sometimes we want to view the newly generated logs as well.

In such cases, we can use the -f option with the command, which allows us to monitor the file for changes in a real-time.

To understand this, first, let’s execute the below command in the first terminal:

$ tail -f /var/log/messages


Apr  2 15:13:28 Jassweb NetworkManager[741]:   [1680462808.8441] policy: set-hostname: current hostname was changed outside NetworkManager: 'Jassweb'
Apr  2 15:13:28 Jassweb systemd[1]: Starting Network Manager Script Dispatcher Service...
Apr  2 15:13:28 Jassweb systemd[1]: Started Network Manager Script Dispatcher Service.
Apr  2 15:13:37 Jassweb arpwatch[11001]: rename arp.dat -> arp.dat-: Operation not permitted
Apr  2 15:13:38 Jassweb systemd[1]: NetworkManager-dispatcher.service: Deactivated successfully.
Apr  2 15:13:58 Jassweb systemd[1]: systemd-hostnamed.service: Deactivated successfully.
Apr  2 15:18:03 Jassweb systemd[1]: Starting dnf makecache...
Apr  2 15:18:03 Jassweb dnf[202235]: Metadata cache refreshed recently.
Apr  2 15:18:03 Jassweb systemd[1]: dnf-makecache.service: Deactivated successfully.
Apr  2 15:18:03 Jassweb systemd[1]: Finished dnf makecache.

Here, we can see that the command is waiting infinitely after displaying the last ten lines:

Next, let’s open another terminal and append some text to the numbers-2.txt file:

$ echo "View Logs in Real-Time" >> /var/log/messages

Now, let’s switch to the first terminal to view the newly added text:

$ tail -f /var/log/messages

Apr  2 15:13:28 Jassweb NetworkManager[741]:   [1680462808.8441] policy: set-hostname: current hostname was changed outside NetworkManager: 'Jassweb'
Apr  2 15:13:28 Jassweb systemd[1]: Starting Network Manager Script Dispatcher Service...
Apr  2 15:13:28 Jassweb systemd[1]: Started Network Manager Script Dispatcher Service.
Apr  2 15:13:37 Jassweb arpwatch[11001]: rename arp.dat -> arp.dat-: Operation not permitted
Apr  2 15:13:38 Jassweb systemd[1]: NetworkManager-dispatcher.service: Deactivated successfully.
Apr  2 15:13:58 Jassweb systemd[1]: systemd-hostnamed.service: Deactivated successfully.
Apr  2 15:18:03 Jassweb systemd[1]: Starting dnf makecache...
Apr  2 15:18:03 Jassweb dnf[202235]: Metadata cache refreshed recently.
Apr  2 15:18:03 Jassweb systemd[1]: dnf-makecache.service: Deactivated successfully.
Apr  2 15:18:03 Jassweb systemd[1]: Finished dnf makecache.
View Logs in Real-Time

Here, we can see that the tail command shows the newly added text.

Do you know of any other best example of the tail command in Linux? Let us know your views in the comments below.

Watch Linux Logs in Real Time with Tail Command

The tail command is a powerful tool for monitoring log files in Linux. It allows you to view the last few lines of a file in real time, as they are written to the file. This is useful for monitoring system logs, application logs, and other log files.

The tail command is part of the GNU Core Utilities package, which is installed by default on most Linux distributions. To use the tail command, open a terminal window and type the following command:

tail -f /path/to/log/file

The -f option tells tail to keep watching the log file for changes. As new lines are added to the log file, they will be displayed in the terminal window. To stop tail from watching the log file, press Ctrl+C.

The tail command also supports a number of other options. For example, you can use the -n option to specify the number of lines to display. For example, the following command will display the last 10 lines of the log file:

tail -n 10 /path/to/log/file

You can also use the -q option to suppress the output of the file name and line number. This can be useful if you are monitoring multiple log files at once.

The tail command is a powerful tool for monitoring log files in Linux. It allows you to view the last few lines of a file in real time, as they are written to the file. This can be useful for troubleshooting problems or monitoring system activity.

Jaspreet Singh Ghuman

Jaspreet Singh Ghuman

Jassweb.com/

Passionate Professional Blogger, Freelancer, WordPress Enthusiast, Digital Marketer, Web Developer, Server Operator, Networking Expert. Empowering online presence with diverse skills.

jassweb logo

Jassweb always keeps its services up-to-date with the latest trends in the market, providing its customers all over the world with high-end and easily extensible internet, intranet, and extranet products.

Contact
Jassweb, Rai Chak, Punjab, India. 143518