9 Practical Examples of Tail Command in Linux

As Linux users, we often work with long-running background Linux processes, which are called daemons or services. Some of the common examples of the services are Secure Shell (sshd), Network Manager (networkd), Volume Manager (LVM), Cron, and the list goes on.

Many times we need to monitor the logs of these services to debug the system issues. However, one of the main challenges is that these services generate a lot of logs and most of the time going through these logs makes it cumbersome, this is where we can use the tail command.

tail command is a command-line utility, similar to the head command that reads a file and prints the last 10 lines (content) of one or more files to standard output.

In this practical guide, we will learn about the tail command. By the end of this guide, Linux command-line users will be able to use the tail command effectively.

tail Command Syntax

The syntax of the tail command is similar to other Linux commands:

$ tail [OPTIONS] [FILE-1] [FILE-2] ...

1. Print Last 10 Lines Of File in Linux

By default, the tail command prints the last 10 lines of the given file as shown.

$ tail /var/log/secure


Apr  2 14:17:24 TecMint sshd[201178]: Disconnected from user tecmint 192.168.0.162 port 59774
Apr  2 14:17:24 TecMint sshd[201165]: pam_unix(sshd:session): session closed for user tecmint
Apr  2 14:29:12 TecMint sshd[201366]: Accepted password for tecmint from 192.168.0.162 port 56378 ssh2
Apr  2 14:29:12 TecMint systemd[201371]: pam_unix(systemd-user:session): session opened for user tecmint(uid=1002) by (uid=0)
Apr  2 14:29:12 TecMint sshd[201366]: pam_unix(sshd:session): session opened for user tecmint(uid=1002) by (uid=0)
Apr  2 14:29:12 TecMint sshd[201382]: Received disconnect from 192.168.0.162 port 56378:11: disconnected by user
Apr  2 14:29:12 TecMint sshd[201382]: Disconnected from user tecmint 192.168.0.162 port 56378
Apr  2 14:29:12 TecMint sshd[201366]: pam_unix(sshd:session): session closed for user tecmint
Apr  2 15:12:55 TecMint sshd[202049]: Accepted password for root from 192.168.0.162 port 53334 ssh2
Apr  2 15:12:55 TecMint sshd[202049]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)

Here, we can see that the above command shows the last ten lines from the /var/log/secure file.

2. Print Last N Lines of File in Linux

In the last example, the command prints the last 10 lines of the given file. However, we can use the -n option which allows us to limit the number of lines to be printed on the screen as shown.

$ tail -n 3 /var/log/secure

Apr  2 14:29:12 TecMint sshd[201366]: pam_unix(sshd:session): session closed for user tecmint
Apr  2 15:12:55 TecMint sshd[202049]: Accepted password for root from 192.168.0.162 port 53334 ssh2
Apr  2 15:12:55 TecMint sshd[202049]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)

In this example, we can see that now the command shows the last three lines only instead of the ten lines.

3. Ignore First N Lines of a File in Linux

Here, we can use the plus (+) symbol with the -n option, which allows us to control the starting point from the given file.

To understand this, let’s use the +5 value to start the output from the 5th line:

$ tail -n +5 /var/log/secure

Apr  2 14:17:24 TecMint sshd[201178]: Disconnected from user tecmint 192.168.0.162 port 59774
Apr  2 14:17:24 TecMint sshd[201165]: pam_unix(sshd:session): session closed for user tecmint
Apr  2 14:29:12 TecMint sshd[201366]: Accepted password for tecmint from 192.168.0.162 port 56378 ssh2
Apr  2 14:29:12 TecMint systemd[201371]: pam_unix(systemd-user:session): session opened for user tecmint(uid=1002) by (uid=0)
Apr  2 14:29:12 TecMint sshd[201366]: pam_unix(sshd:session): session opened for user tecmint(uid=1002) by (uid=0)
Apr  2 14:29:12 TecMint sshd[201382]: Received disconnect from 192.168.0.162 port 56378:11: disconnected by user
Apr  2 14:29:12 TecMint sshd[201382]: Disconnected from user tecmint 192.168.0.162 port 56378
Apr  2 14:29:12 TecMint sshd[201366]: pam_unix(sshd:session): session closed for user tecmint
Apr  2 15:12:55 TecMint sshd[202049]: Accepted password for root from 192.168.0.162 port 53334 ssh2
Apr  2 15:12:55 TecMint sshd[202049]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)

4. Show Last N Characters of the File

Similar to lines, we can also use the command to display the last N characters of the file using the -c option as shown below:

$ tail -c 7 /var/log/secure

(uid=0)

In this example, we can see that the command shows the last seven ASCII characters of the given file.

5. Remove First N Characters of File

Similarly, we can use the plus symbol (+) with the -c option to skip the first N character. So let’s skip the first line of the file using the below command:

$ tail -c +5 /var/log/secure

Apr  2 03:02:59 TecMint sudo[162801]: root : TTY=pts/2 ; PWD=/root ; USER=root ; COMMAND=/bin/dnf install R
Apr  2 03:02:59 TecMint sudo[162801]: pam_unix(sudo:session): session opened for user root(uid=0) by root(uid=0)
Apr  2 03:03:02 TecMint sudo[162801]: pam_unix(sudo:session): session closed for user root
Apr  2 03:11:17 TecMint groupadd[163602]: group added to /etc/group: name=avahi, GID=70
Apr  2 03:11:18 TecMint groupadd[163602]: group added to /etc/gshadow: name=avahi
Apr  2 03:11:18 TecMint groupadd[163602]: new group: name=avahi, GID=70
Apr  2 03:11:19 TecMint useradd[163610]: new user: name=avahi, UID=70, GID=70, home=/var/run/avahi-daemon, shell=/sbin/nologin, from=none
Apr  2 03:13:41 TecMint groupadd[163704]: group added to /etc/group: name=colord, GID=986
Apr  2 03:13:41 TecMint groupadd[163704]: group added to /etc/gshadow: name=colord

Here, we can see that the command shows all the lines except the first line.

6. Show File Name in Header

We can instruct the tail command to display the current file name as a display header, which comes in handy while working with multiple files.

So, let’s use the -v option to enable the display header:

$ tail -n 3 -v /var/log/secure

==>/var/log/secure <==
Apr  2 14:29:12 TecMint sshd[201366]: pam_unix(sshd:session): session closed for user tecmint
Apr  2 15:12:55 TecMint sshd[202049]: Accepted password for root from 192.168.0.162 port 53334 ssh2
Apr  2 15:12:55 TecMint sshd[202049]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)

In the above output, ==> /var/log/secure <== represents the display header.

7. Show File Name as Header in Multiple Files

Just like any other file-processing command, we can also use multiple files with the tail command. In such cases, the display header gets used to separate the file contents.

$ tail -n 3 -v /var/log/secure /var/log/secure-20230402

==> /var/log/secure <==
Apr  2 14:29:12 TecMint sshd[201366]: pam_unix(sshd:session): session closed for user tecmint
Apr  2 15:12:55 TecMint sshd[202049]: Accepted password for root from 192.168.0.162 port 53334 ssh2
Apr  2 15:12:55 TecMint sshd[202049]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)

==> /var/log/secure-20230402 <==
Mar 31 03:50:53 TecMint groupadd[156163]: new group: name=docker, GID=987
Mar 31 04:46:11 TecMint sshd[159403]: Accepted password for root from 192.168.0.162 port 46480 ssh2
Mar 31 04:46:11 TecMint sshd[159403]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)

In the above output, we can see the display header for each file.

8. How to Disable Display Header in File

In the previous example, we saw that the command enables the display header while working with multiple files. However, we can suppress this default behavior using the -q option.

$ tail -q -n 3 /var/log/secure /var/log/secure-20230402

Apr  2 14:29:12 TecMint sshd[201366]: pam_unix(sshd:session): session closed for user tecmint
Apr  2 15:12:55 TecMint sshd[202049]: Accepted password for root from 192.168.0.162 port 53334 ssh2
Apr  2 15:12:55 TecMint sshd[202049]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)
Mar 31 03:50:53 TecMint groupadd[156163]: new group: name=docker, GID=987
Mar 31 04:46:11 TecMint sshd[159403]: Accepted password for root from 192.168.0.162 port 46480 ssh2
Mar 31 04:46:11 TecMint sshd[159403]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)

Here, we can see that now the command displays the file contents one after another without any display header.

9. How to Watch a File for Changes

So far we saw that the tail command exits once it processes the required number of lines or characters. However, sometimes we want to view the newly generated logs as well.

In such cases, we can use the -f option with the command, which allows us to monitor the file for changes in a real-time.

To understand this, first, let’s execute the below command in the first terminal:

$ tail -f /var/log/messages


Apr  2 15:13:28 TecMint NetworkManager[741]:   [1680462808.8441] policy: set-hostname: current hostname was changed outside NetworkManager: 'TecMint'
Apr  2 15:13:28 TecMint systemd[1]: Starting Network Manager Script Dispatcher Service...
Apr  2 15:13:28 TecMint systemd[1]: Started Network Manager Script Dispatcher Service.
Apr  2 15:13:37 TecMint arpwatch[11001]: rename arp.dat -> arp.dat-: Operation not permitted
Apr  2 15:13:38 TecMint systemd[1]: NetworkManager-dispatcher.service: Deactivated successfully.
Apr  2 15:13:58 TecMint systemd[1]: systemd-hostnamed.service: Deactivated successfully.
Apr  2 15:18:03 TecMint systemd[1]: Starting dnf makecache...
Apr  2 15:18:03 TecMint dnf[202235]: Metadata cache refreshed recently.
Apr  2 15:18:03 TecMint systemd[1]: dnf-makecache.service: Deactivated successfully.
Apr  2 15:18:03 TecMint systemd[1]: Finished dnf makecache.

Here, we can see that the command is waiting infinitely after displaying the last ten lines:

Next, let’s open another terminal and append some text to the numbers-2.txt file:

$ echo "View Logs in Real-Time" >> /var/log/messages

Now, let’s switch to the first terminal to view the newly added text:

$ tail -f /var/log/messages

Apr  2 15:13:28 TecMint NetworkManager[741]:   [1680462808.8441] policy: set-hostname: current hostname was changed outside NetworkManager: 'TecMint'
Apr  2 15:13:28 TecMint systemd[1]: Starting Network Manager Script Dispatcher Service...
Apr  2 15:13:28 TecMint systemd[1]: Started Network Manager Script Dispatcher Service.
Apr  2 15:13:37 TecMint arpwatch[11001]: rename arp.dat -> arp.dat-: Operation not permitted
Apr  2 15:13:38 TecMint systemd[1]: NetworkManager-dispatcher.service: Deactivated successfully.
Apr  2 15:13:58 TecMint systemd[1]: systemd-hostnamed.service: Deactivated successfully.
Apr  2 15:18:03 TecMint systemd[1]: Starting dnf makecache...
Apr  2 15:18:03 TecMint dnf[202235]: Metadata cache refreshed recently.
Apr  2 15:18:03 TecMint systemd[1]: dnf-makecache.service: Deactivated successfully.
Apr  2 15:18:03 TecMint systemd[1]: Finished dnf makecache.
View Logs in Real-Time

Here, we can see that the tail command shows the newly added text.

Do you know of any other best example of the tail command in Linux? Let us know your views in the comments below.

If you read this far, tweet to the author to show them you care. Tweet a thanks
Narendra K
I'm an experienced and passionate software engineer with in-depth experience in Linux, Distributed systems, DevOps, and Cloud. My expertise lies in back-end web development, and the main languages in my tech stack are Java, Spring, Python, and Go. I’m a lifelong learner and an open-source enthusiast.

Each tutorial at TecMint is created by a team of experienced Linux system administrators so that it meets our high-quality standards.

Join the TecMint Weekly Newsletter (More Than 156,129 Linux Enthusiasts Have Subscribed)
Was this article helpful? Please add a comment or buy me a coffee to show your appreciation.

Got something to say? Join the discussion.

Thank you for taking the time to share your thoughts with us. We appreciate your decision to leave a comment and value your contribution to the discussion. It's important to note that we moderate all comments in accordance with our comment policy to ensure a respectful and constructive conversation.

Rest assured that your email address will remain private and will not be published or shared with anyone. We prioritize the privacy and security of our users.