The tail command in Linux is used to display the last part (or "tail") of a file. By default, it shows the last 10 lines of a file, but you can customize the output by using various options. It is especially useful for monitoring log files in real-time or viewing the most recent content of large files.

Basic Syntax:

tail [options] [file(s)]

• options: Various flags to modify the behavior of the command.
• file(s): One or more files to be displayed.

Common Use Cases for tail:

1. Display the Last 10 Lines of a File:

   • By default, tail shows the last 10 lines of a file.

   tail /var/log/syslog
   

   • Output (example):

     Oct  6 09:22:16 servername systemd[1]: Started Daily apt upgrade and clean activities.
     Oct  6 09:22:16 servername systemd[1]: Starting Daily apt upgrade and clean activities...
     Oct  6 09:22:16 servername systemd[1]: Started Network Service.
     Oct  6 09:22:17 servername sshd[23456]: Accepted password for user from 192.168.1.1 port 22 ssh2
     Oct  6 09:22:17 servername sshd[23456]: Received disconnect from 192.168.1.1 port 22:11: Bye Bye
     

2. Display the Last N Lines of a File:

   • Use the -n option to specify the number of lines to display. For example, to show the last 20 lines:

   tail -n 20 /var/log/syslog
   

   • Output:

     Oct  6 09:22:16 servername systemd[1]: Started Network Service.
     Oct  6 09:22:17 servername systemd[1]: Starting Network Service...
     ...
     

3. Follow the File in Real-Time:

   • The -f option allows you to "follow" a file in real-time. This is useful for monitoring log files as they are updated.

   tail -f /var/log/syslog
   

   • Output (real-time):

     Oct  6 09:22:16 servername systemd[1]: Starting Daily apt upgrade and clean activities...
     Oct  6 09:22:17 servername systemd[1]: Started Daily apt upgrade and clean activities.
     Oct  6 09:22:18 servername systemd[1]: Starting cron job for user...
     

4. Follow Multiple Files:

   • You can follow multiple files at once by specifying multiple file names:

   tail -f /var/log/syslog /var/log/auth.log
   

   • Output:

     ==> /var/log/syslog <==
     Oct  6 09:22:16 servername systemd[1]: Starting Daily apt upgrade and clean activities...
     
     ==> /var/log/auth.log <==
     Oct  6 09:22:16 servername sshd[23567]: Accepted password for user from 192.168.1.1 port 22 ssh2
     

5. Display the Last Lines of Multiple Files:

   • You can also use tail to display the last N lines from multiple files. Use the -n option followed by the file names:

   tail -n 20 /var/log/syslog /var/log/auth.log
   

6. Show Last Few Bytes of a File:

   • The -c option allows you to specify the number of bytes instead of lines.

   tail -c 100 /var/log/syslog
   

   • This will show the last 100 bytes of the file.

7. Exit after a Specific Number of Lines:

   • You can use the -n option in combination with the -f option to limit the number of lines tail should display before exiting.

   tail -n 50 -f /var/log/syslog
   

   • This will display the last 50 lines of the file and continue to follow new lines as they are written to the file.

Key Options:

1. -n <num>: Display the last <num> lines. E.g., tail -n 20 file.log.
2. -f: Follow the file as it grows in real-time.
3. -c <num>: Show the last <num> bytes instead of lines.
4. -q: Suppress headers when following multiple files.
5. -v: Print file headers with each file when following multiple files.

Example Use Case: Real-time Log Monitoring

To monitor a system log file like /var/log/syslog in real-time and watch for new entries:

tail -f /var/log/syslog

If an error or issue occurs, you will see it in real-time, making it useful for troubleshooting.

Conclusion

The tail command is a powerful and versatile tool for viewing the end of a file in Linux. Whether you need to check the latest system logs, follow logs as they update, or simply view the last few lines of a file, tail is an essential tool for administrators and developers.