The tail command is a simple command that by default prints the last 10 lines of a file to standard output (stdout). The most common use for tail is to follow, or continually read a log file on the command line. It is so common that you will often here Linux admins say things like "tail the logs", meaning watch the lines being written to a log file in real time. In this article we will discuss using the tail command. We will start with the basics and move on to more advanced options like dealing with rotating log files and watching process id's.
Basic Usage of Tail Command
If you use tail against a file without any options it will print the last 10 lines of the file.
$ tail access.log 86.120.237.60 - - [15/May/2019:21:39:27 +0200] "GET /... 86.120.237.60 - - [15/May/2019:21:39:27 +0200] "GET /... 86.120.237.60 - - [15/May/2019:21:39:27 +0200] "GET /... 86.120.237.60 - - [15/May/2019:21:39:28 +0200] "GET /... 86.120.237.60 - - [15/May/2019:21:39:28 +0200] "GET /... 86.120.237.60 - - [15/May/2019:21:39:28 +0200] "GET /... 86.120.237.60 - - [15/May/2019:21:39:28 +0200] "GET /... 86.120.237.60 - - [15/May/2019:21:39:28 +0200] "GET /... 86.120.237.60 - - [15/May/2019:21:39:28 +0200] "GET /... 157.55.39.165 - - [15/May/2019:22:36:10 +0200] "GET /...
Specify the Number of Lines to Print
With the -n (--lines) option, you can specify the number of lines you want to print out. In the below example, we will print only 3 lines.
$ tail -n 3 access.log 86.120.237.60 - - [15/May/2019:21:39:28 +0200] "GET /... 86.120.237.60 - - [15/May/2019:21:39:28 +0200] "GET /... 157.55.39.165 - - [15/May/2019:22:36:10 +0200] "GET /...
Printing Output Starting with Specific Line Number
The -n option can also be used to print starting with a specific line number. For example, the access log has 124,644 lines in it.
$ wc -l access.log 124644 access.log
We can start the printing at line number 124,000 by using the plus sign ( + ) to specify the line we wish to start output.
$ tail -n +124000 access.log 37.230.112.99 - - [15/May/2019:19:02:28 +0200] "HEAD... 37.230.112.99 - - [15/May/2019:19:02:28 +0200] "HEAD... 37.230.112.99 - - [15/May/2019:19:02:28 +0200] "HEAD... 37.230.112.99 - - [15/May/2019:19:02:28 +0200] "HEAD... 37.230.112.99 - - [15/May/2019:19:02:28 +0200] "HEAD... ...OUTPUT TRUNCATED...
Continually Print New Lines in Real Time (Follow)
As we discussed in the introduction, a common use for tail is to continually watch a file. You can use the -f (follow) option to print each line added to the file in real time.
Example:
tail -f access.log
The tail command will keep outputting lines until stopped. If nothing is getting written to the file, it will just sit there on a blank line waiting for more input. You must use CTRL+C (SIGINT) to terminate the process.
NOTE: If you are "tailing" a log and it rotates, or otherwise changes the pipe will be broken.
Watch Rotating Logs with Tail Command
Rotating logs are a challenge if you want to continuously watch in real time. If you are tailing a file and it gets rotated, the output will stop as if the input to the file has stopped. This is where the -F (--follow=name --retry) option comes in.
Using -F is actually a combination of two options. The first is the follow by name option which tells tail to track the file by name instead of inode or descriptor. The second being the retry option which keeps trying to open the file if it is inaccessible.
NOTE: This option uses a capital F instead of the lowercase f used by follow.
In the above example we use a simple script and some basic commands to simulate a log be written to and rotated. In the other terminal window we are using tail with the -F option to see how it functions.
Show / Don't Show Headers
You can use the -q (--quiet) or -v (--verbose) options to show or not show the header information of the file you are accessing with the tail command.
Using Verbose Mode to Show Filename
Simply add the -v option like so:
$ tail -v -n 3 access.log ==> access.log <== 95.29.198.15 - - [15/May/2015:22:32:10 +0100] "GET... 95.29.198.15 - - [15/May/2015:22:32:11 +0100] "POST... 109.224.11.34 - - [15/May/2015:18:32:56 +0100] "GET...
Using Quiet Mode to Suppress Filename
This is the default behavior, so adding the -q option is not necessary. But you can explicitly set it like so:
$ tail -q -n 3 access.log 95.29.198.15 - - [15/May/2015:22:32:10 +0100] "GET... 95.29.198.15 - - [15/May/2015:22:32:11 +0100] "POST... 109.224.11.34 - - [15/May/2015:18:32:56 +0100] "GET...
Terminate Tail Command After Process ID dies
As we stated above, tail will just sit there and continue to wait even if a process stops writing to the file. Using the --pid option, you can specify a process id for tail to check. If the watched pid dies, tail will exit.
To demonstrate this, I will use a short script to generate simulated log entries into a file called httpd.log. I will start the script and send it to the background, then echo the process id. Next I will start the tail command using the --pid option and specify the process id of the script. When I terminate the script the tail will see the pid (process id) die, then exit.
Example command:
tail --pid 4548 -f httpd.log
Conclusion
The Linux tail command is a powerful tool that every system administrator needs. Logs are used for everything from troubleshooting issues to forensic analysis. In the article we demonstrated some of the basic functions of tail that you see every day. We also touched on some more advanced and unknown features of the tail command.
If you enjoyed this article please follow us on Twitter and Facebook and Subscribe to our YouTube Channel.
Resources
Leave a Reply Cancel reply
This site uses Akismet to reduce spam. Learn how your comment data is processed.
1 Comment
Join Our Newsletter
Categories
- Bash Scripting (17)
- Basic Commands (51)
- Featured (7)
- Just for Fun (5)
- Linux Quick Tips (98)
- Linux Tutorials (65)
- Miscellaneous (15)
- Network Tools (6)
- Reviews (2)
- Security (32)
This is great post i learned a lot thank you!