Episode 012 – tail

The tail command is used to print out the last 10 lines of a file to standard out. This command is a staple in a system administrator’s tool kit and especially handy when monitoring log files. The basic syntax is:

tail some_file

Which will output the last 10 lines of the file. You can alter then number of lines with the -n, or –lines=, flag:

tail -n20 some_file
tail –lines=20 some_file

In some versions of tail you can get away with specifying the number of lines from the end with just a “-” and number:

tail -30 some_file

Instead of working backwards with the -n command you can specify a “+” and some number to start from that number and list the contents to the end:

tail -n+30 some_file

This will display the contents of some_file from line 30 to the end of the file.

You can specify bytes instead of line numbers using the -c or –bytes flag. Like -n you can specify +## where it will start from byte ## and display to the end:

tail -c30 some_file
tail –bytes=30 some_file
tail -c+30 some_file

The bytes flag has a multiplier option which is one of the following:

  • b = bytes – 512 bytes
  • kB = 1000*B
  • K = 1024*B
  • MB = 1000*kB
  • M = 1024*K
  • GB = 1000MB
  • G = 1024*M
  • TB = 1000*GB
  • T = 1024*G
  • PB = 1000*TB
  • P = 1024*T
  • EB = 1000*PB
  • E = 1024*P
  • ZB = 1000*EB
  • Z = 1024*E
  • YB = 1000*ZB
  • Y = 1024*Z

You can specify more than one file to the tail command and it will insert headers between each file that it outputs. The header will contain the file name:

example of tail command with headers

You can suppress the output of the header information with the -q, –quiet, or –silent flag:

tail with headers suppressed

Probably the most helpful option is -f or –follow which allows you to output the contents of a file as they are being written. This is especially handy in monitoring log files:

tail -f /var/log/httpd/host.log

This will start a tail session outputting the last 10 lines of the host.log file and continuing to output anything that is written to the host.log as it happens. The –follow flag takes one two options:

  • –follow=name
  • –follow=descriptor (default, equivalent to -f or –follow — you do not need to specify this)

The default behaviour of tail -f (–follow=descriptor) is to follow the file if the name of the file changes. For example, if you are monitoring a log and the log file is rotated, the tail command would follow the name change. This is may not be the desired result you would be looking for as the the log file you are now monitoring is no longer recieving the updates, the new log file is. In a case like this you would want to use the –follow=name:

tail –follow=name /var/log/httpd/host.log

If host.log is rotated tail will continue to follow host.log instead of following the rotation of host.log to the new log name. It is possible that tail may have a problem opening this file so if you notice tail fails to continue output of the file you may need the –retry switch:

tail –follow=name –retry /var/log/httpd/host.log

This will keep trying to open the host.log file after the original file has been moved and may have become inaccessible for a time. Alternatively you can just use the -F flag which is equivalent to –follow=name –retry:

tail -F /var/log/httpd/host.log

The –retry option can be used without the –follow option. If a file becomes inaccessible it will keep trying instead of quitting tail.

If the file you are monitoring is altered in a way that it becomes smaller tail will alert you to this with a message that the “file has become truncated.” Tail will then continue to provide the output of the file at the new point.

Tail has a sleep interval that works only with tail compiled without inotify support. Inotify is a feature of the Linux kernel since around 2005 with kernal 2.6.13. Inotify monitors changes to the filesystem and alerts applications. Thus, any changes to a file and tail will automatically update. Prior to inotify, tail would poll the file every second. You could change this behavior with the -s or –sleep-interval flag:

tail -f -s3 /var/log/http/host.log

Again, -s option no longer works with most modern versions of tail as it is compiled with Inotify. You can try but it will do nothing.

You can tell tail -f to terminate after a specific process id terminates with the –pid= flag:

tail -f –pid=2357 /var/log/http/host.log

When the process with the process id of 2357 terminates the tail command will also terminate. You can delay pid checks with the -s option and instead of controlling the output interval -s will control how often the process check is made:

tail -f -s10 –pid=2357 /var/log/http/host.log

This will tail host.log continuously until pid 2357 is terminated and it will check whether pid 2357 has terminated every 10 seconds.

Tail is a very useful tool especially to system administrators and should be a staple in your toolbox.



If the video is not clear enough view it off the YouTube website and select size 2 or full screen.  Or download the video in Ogg Theora format:

Thank you very much!


This entry was posted in Uncategorized. Bookmark the permalink.

One Response to Episode 012 – tail

Leave a Reply

Your email address will not be published.