LinuxDojo - How-To: Using the tail Command

How-To: Using the tail Command on Linux and FreeBSD

The tail command is a powerful utility in Linux and FreeBSD for displaying the last part of files, commonly used for monitoring log files in real time or extracting recent data. This guide covers the syntax, options, and practical examples for using tail effectively on both systems.

Overview

tail outputs the last few lines or bytes of a file to the terminal. It’s especially useful for viewing the end of large files, such as system logs, without loading the entire file into an editor. On Linux and FreeBSD, tail is part of the core utilities and behaves similarly, with minor differences in default settings and options.

Syntax

The basic syntax for tail is:

tail Syntax

tail [OPTION]... [FILE]...

OPTION: Flags to modify behavior (e.g., -n, -f).
FILE: One or more files to process. If omitted, tail reads from standard input.

Common Options

Here are the most frequently used options for tail, supported on both Linux and FreeBSD:

-f: Follow the file, printing new lines as they are appended (ideal for real-time log monitoring).
-n NUM: Display the last NUM lines. Use +NUM to start from the NUMth line.
-c NUM: Output the last NUM bytes instead of lines.
-q: Quiet mode; suppress headers when processing multiple files.
-v: Verbose mode; show headers with filenames when processing multiple files.
--pid=PID: With -f, terminate when process PID dies (Linux only).

Basic Examples

1. Display the Last 10 Lines of a File

By default, tail shows the last 10 lines of a file. For example, to view the end of a system log:

View Last 10 Lines

tail /var/log/syslog

On FreeBSD, use /var/log/messages instead:

FreeBSD System Log

tail /var/log/messages

2. Show a Specific Number of Lines

Use -n to specify how many lines to display. For example, to show the last 20 lines:

Last 20 Lines

tail -n 20 /var/log/syslog

To start from the 50th line to the end, use +50:

Start from Line 50

tail -n +50 /var/log/syslog

3. Monitor a File in Real Time

The -f option makes tail follow a file, displaying new lines as they’re added. This is useful for monitoring logs:

Real-Time Log Monitoring

tail -f /var/log/apache2/access.log

On FreeBSD, for Apache logs:

FreeBSD Apache Log

tail -f /var/log/httpd-access.log

Press Ctrl+C to stop following.

Advanced Usage

1. Monitor Multiple Files

tail can process multiple files, showing headers for each unless suppressed with -q. For example:

Monitor Two Logs

tail -f /var/log/syslog /var/log/auth.log

Output includes headers like ==> /var/log/syslog <==. To suppress headers:

Suppress Headers

tail -q -f /var/log/syslog /var/log/auth.log

2. Combine with Other Commands

tail works well in pipelines. For example, to filter recent error messages from a log using grep:

Filter Errors

tail -n 100 /var/log/syslog | grep "error"

To monitor a log in real time and highlight errors:

Real-Time Error Monitoring

tail -f /var/log/syslog | grep --color=auto "error"

3. Truncate a File While Preserving the End

You can use tail to keep the last portion of a file and truncate the rest. For example, to keep the last 1000 lines of a log:

Truncate Log

tail -n 1000 /var/log/syslog > /tmp/syslog.temp && mv /tmp/syslog.temp /var/log/syslog

Caution: Ensure you have write permissions and back up the file before truncating.

Linux vs. FreeBSD Differences

While tail is largely identical on Linux and FreeBSD, note these differences:

Default Behavior: Both display 10 lines by default, but FreeBSD’s tail may have slightly different buffering behavior with -f.
--pid Option: Linux supports --pid=PID to stop following when a process dies; FreeBSD does not.
File Paths: Log file locations differ. Linux uses /var/log/syslog or /var/log/messages, while FreeBSD uses /var/log/messages.

To ensure real-time updates on FreeBSD, you may need to adjust buffering with tools like stdbuf (as shown in your IRC streaming guide):

FreeBSD Real-Time with stdbuf

stdbuf -oL tail -f /var/log/messages

Practical Scenarios

Here are common use cases for tail in system administration:

Monitor Web Server Access: Watch real-time HTTP requests to debug a web application:
Web Server Access Log
```
tail -f /var/log/apache2/access.log
```
Debug Authentication Issues: Check recent failed login attempts:
Authentication Log
```
tail -n 50 /var/log/auth.log | grep "Failed"
```
Stream Logs to Another Tool: Pipe recent logs to a custom script or network tool, as in your IRC streaming setup:
Stream Logs
```
tail -f /var/log/syslog | nc remote_host 12345
```

Troubleshooting Tips

If tail isn’t working as expected:

No Output: Verify the file exists and you have read permissions (ls -l).
Delayed Updates with -f: On Linux, try tail -F to follow despite file rotation. On FreeBSD, use stdbuf -oL for line buffering.
Wrong File: Confirm the log file path (e.g., /var/log/syslog vs. /var/log/messages).

Summary

The tail command is an essential tool for system administrators and developers on Linux and FreeBSD. Whether you’re monitoring logs in real time, extracting recent data, or integrating with other tools, tail offers flexibility and efficiency. Experiment with the examples above to master its usage in your environment.