Comprehensive Guide to the tail Command in Linux

The tail command is a powerful and versatile utility in Linux and Unix-like systems used to display the last part of files or piped data. It is commonly used for monitoring logs, debugging, and analyzing output in real-time. This guide provides a comprehensive overview of the tail command, covering its syntax, options, practical examples, and advanced use cases, tailored for both beginners and advanced users as of August 15, 2025. The information is based on the latest GNU coreutils version (9.5) and common Linux distributions like Ubuntu 24.04.

What is the tail Command?

The tail command outputs the last few lines or bytes of one or more files, making it ideal for tasks like:

• Viewing the most recent entries in log files (e.g., /var/log/syslog).
• Monitoring real-time updates to files (e.g., server logs).
• Extracting specific portions of large files or data streams.
• Debugging scripts or applications by observing output.

By default, tail displays the last 10 lines of a file, but its behavior can be customized with various options.

Prerequisites

• Operating System: Linux or Unix-like system (e.g., Ubuntu, CentOS, macOS).
• Access: A terminal with tail installed (part of GNU coreutils, pre-installed on most Linux distributions).
• Permissions: Read access to the files you want to process.
• Optional: Basic familiarity with command-line navigation and file handling.

To verify tail is installed:

tail --version

Syntax of the tail Command

The general syntax is:

tail [OPTION]... [FILE]...

• OPTION: Flags that modify tail’s behavior (e.g., -n, -f).
• FILE: One or more files to process. If omitted, tail reads from standard input (e.g., piped data).

Common Options

Below are the most frequently used options, based on the GNU coreutils tail documentation:

Option	Description
-n N, --lines=N	Output the last N lines (default: 10). Use +N to start from the Nth line.
-c N, --bytes=N	Output the last N bytes. Use +N to start from the Nth byte.
-f, --follow	Monitor the file for new data in real-time (useful for logs).
--follow=name	Follow the file by name, even if it’s renamed (e.g., during log rotation).
--follow=descriptor	Follow the file descriptor (default for -f).
-q, --quiet, --silent	Suppress headers when processing multiple files.
-v, --verbose	Show headers with file names for multiple files.
--pid=PID	Terminate monitoring after process PID ends (used with -f).
-s N, --sleep-interval=N	Set sleep interval (seconds) for -f (default: 1).
--max-unchanged-stats=N	Reopen file after N iterations of no changes (used with --follow=name).
--retry	Retry opening inaccessible files.
-F	Equivalent to --follow=name --retry.
--help	Display help information.
--version	Show version information.

Note: Prefixing numbers with + (e.g., +5) means “start from that line/byte onward” instead of “last N lines/bytes.”

Practical Examples

Below are common and advanced use cases for the tail command, with examples.

1. Display the Last 10 Lines of a File

View the last 10 lines of a log file:

tail /var/log/syslog

Output (example):

Aug 15 17:10:01 ubuntu systemd[1]: Started Session 123 of user ubuntu.
Aug 15 17:10:02 ubuntu kernel: [ 1234.567890] Network up.
...

2. Specify a Custom Number of Lines

Show the last 20 lines:

tail -n 20 /var/log/syslog

Start from the 5th line to the end:

tail -n +5 /var/log/syslog

3. Display the Last N Bytes

Show the last 100 bytes:

tail -c 100 /var/log/syslog

Start from the 50th byte:

tail -c +50 /var/log/syslog

4. Monitor a File in Real-Time

Follow a log file for new entries (ideal for monitoring):

tail -f /var/log/apache2/access.log

Output (updates as new requests arrive):

192.168.1.10 - - [15/Aug/2025:17:15:01 +0300] "GET /index.html HTTP/1.1" 200 1234

Press Ctrl+C to stop.

5. Monitor with File Name Persistence

Use --follow=name to handle log rotation:

tail -F /var/log/syslog

This continues monitoring even if the file is renamed (e.g., syslog.1).

6. View Multiple Files

Display the last 10 lines of multiple files with headers:

tail -v /var/log/syslog /var/log/auth.log

Output:

==> /var/log/syslog <==
Aug 15 17:10:01 ubuntu systemd[1]: Started Session 123.
...

==> /var/log/auth.log <==
Aug 15 17:10:02 ubuntu sshd[1234]: Accepted password for ubuntu.
...

Suppress headers with -q:

tail -q /var/log/syslog /var/log/auth.log

7. Combine with Other Commands

Pipe output to grep to filter specific entries:

tail -n 50 /var/log/syslog | grep "error"

Monitor real-time errors:

tail -f /var/log/syslog | grep "error"

Sort the last 20 lines:

tail -n 20 /var/log/syslog | sort

8. Monitor Until a Process Ends

Follow a log until a specific process (e.g., PID 1234) terminates:

tail -f --pid=1234 /var/log/app.log

9. Handle Large Files

View the last 1 MB of a large file:

tail -c 1M largefile.txt

10. Retry Inaccessible Files

Keep trying to open a file that’s temporarily unavailable:

tail -F /var/log/newlog.log

11. Adjust Sleep Interval for Monitoring

Reduce polling frequency to every 5 seconds:

tail -f -s 5 /var/log/syslog

12. Use in Scripts

Check the last line of a file in a script:

#!/bin/bash
last_line=$(tail -n 1 /var/log/app.log)
if [[ "$last_line" == *"ERROR"* ]]; then
    echo "Error detected in log!"
fi

13. Display Line Numbers

Combine with nl to number the last lines:

tail -n 5 /var/log/syslog | nl

Output:

     1  Aug 15 17:10:01 ubuntu systemd[1]: Started Session 123.
     2  Aug 15 17:10:02 ubuntu kernel: [ 1234.567890] Network up.
...

Advanced Use Cases

• Monitor Multiple Logs Simultaneously: Use with multitail (third-party tool) or tail -f on multiple files:

  tail -f /var/log/syslog /var/log/auth.log

• Extract Specific Data: Combine with awk or sed:

  tail -n 100 /var/log/access.log | awk '{print $1}'  # Show client IPs

• Real-Time Log Analysis: Pipe to jq for JSON logs:

  tail -f /var/log/app.json.log | jq '.message'

• Handle Compressed Files: Use with zcat for .gz files:

  zcat /var/log/syslog.1.gz | tail -n 20

• Monitor System Resources: Watch /proc/stat for CPU usage:

  tail -f /proc/stat

Troubleshooting Common Issues

• No Output: Ensure the file exists and you have read permissions (ls -l file). Use sudo if needed:

  sudo tail /var/log/syslog

• “tail: cannot open ‘file’ for reading”: Check if the file is accessible or use --retry:

  tail --retry file.log

• Stuck Monitoring: If -f hangs, verify the file is being written to or reduce sleep interval (-s).
• Truncated Output: For large lines, use -c to display bytes or check terminal buffer settings.
• Log Rotation Issues: Use -F instead of -f to handle renamed files.
• High CPU Usage: Increase sleep interval (-s) or reduce monitoring frequency:

“`bash
tail -f -s 10 /var/log/syslog

For detailed debugging, check `man tail` or logs with:

bash
strace tail -f /var/log/syslog
“`

Performance Considerations

• Large Files: tail is optimized for large files, reading only the end without loading the entire file.
• Real-Time Monitoring: Use -f sparingly on high-traffic logs to avoid resource strain.
• Piping: Minimize pipe complexity to reduce CPU overhead (e.g., avoid excessive grep chains).
• Alternatives: For advanced monitoring, consider less +F, multitail, or log analysis tools like logwatch.

Security Considerations

• Permissions: Restrict access to sensitive logs (e.g., /var/log/auth.log) to prevent unauthorized reading.
• Monitoring Risks: Avoid running tail -f as root unnecessarily; use a non-privileged user.
• Data Exposure: Be cautious when piping sensitive log data to other commands or scripts.
• Log Rotation: Ensure --follow=name is used for rotated logs to maintain continuity.

Alternatives to tail

• less: Use less +F file for interactive monitoring with scrolling.
• more: Basic alternative for viewing file ends (less flexible).
• head: Opposite of tail, shows the first part of a file.
• multitail: Advanced tool for monitoring multiple files with color-coding.
• jq: For parsing JSON logs.
• logrotate + tail: Combine with log rotation for seamless monitoring.

Conclusion

The tail command is an essential tool for Linux users, offering flexibility for log monitoring, debugging, and data extraction. Its options like -n, -f, and -c make it versatile for tasks ranging from viewing recent logs to real-time analysis. By mastering tail’s features and combining it with tools like grep, awk, or jq, you can streamline system administration and development workflows.

For further exploration, refer to man tail or info coreutils 'tail invocation' in your terminal, or experiment in a test environment. Community forums like Stack Overflow or LinuxQuestions.org are great for troubleshooting specific scenarios.

Note: This guide is based on GNU coreutils 9.5 and Linux distributions like Ubuntu 24.04 as of August 15, 2025. Always verify options with tail --help for your system’s version.