Updated 8 hours ago
Logs are time, frozen into text. The -f flag unfreezes them.
When you run tail -f, you're not reading a file—you're watching it grow. Each new line appears the moment it's written, transforming a static log into a live stream of system activity. This is how you see what's happening now, not what happened.
Basic Following
Follow a log file, seeing new lines as they appear:
The command shows the last 10 lines, then waits. Every new line written to the file appears immediately in your terminal. Press Ctrl+C to stop.
Run this in one terminal while working in another. Actions that generate log entries—starting services, making requests, triggering errors—appear instantly. Cause and effect, visible in real-time.
Controlling Initial Context
The last 10 lines might not be enough context. Show more:
Or show nothing—start with a blank slate and see only what happens next:
Following Multiple Files
Watch several logs at once:
Headers identify which file each line comes from:
Now you see how events correlate—a login in auth.log followed by service activity in syslog.
The Rotation Problem: -f vs -F
Here's something strange: tail -f follows the file descriptor, not the filename.
When log rotation happens—syslog becomes syslog.1 and a fresh syslog takes its place—tail -f keeps following the old file under its new name. It's loyal to the file it opened, not the name you gave it.
Use -F (capital) to follow by name instead:
Now tail checks periodically: "Is this still the same file?" When rotation occurs, it switches to the new file automatically. It also retries if the file doesn't exist yet—useful for logs that appear only when an application starts.
For production monitoring, always use -F. Otherwise, you'll watch a renamed file grow stale while the real action happens in the new one.
Filtering the Stream
Pipe to grep to see only what matters:
Add --line-buffered to grep for truly real-time output:
Without line buffering, grep collects output before displaying it—defeating the purpose of watching in real-time.
Chain filters to narrow further:
Highlight matches with color:
The --color=always flag preserves colors through pipes. The pattern matches either word.
Watching Web Server Logs
See requests as they arrive:
Watch for 404s specifically:
The spaces around 404 match the status code field, not random occurrences in URLs.
Follow error logs during troubleshooting:
Errors appear the instant they occur.
Monitoring Deployments
Deploy code in one terminal, watch logs in another:
See errors surface immediately as new code handles its first requests. Problems that hide in test environments often reveal themselves here.
For applications with multiple log files:
Watch the conversation between requests, logic, and errors.
Systemd Services
For systemd-managed services, journalctl provides similar functionality:
This follows journal entries for nginx. Some applications log to both the journal and traditional files—watch both if you need the complete picture.
Processing the Stream
Extract specific fields with awk:
This shows only IP addresses and URLs—a real-time feed of who's requesting what.
Process each line as it arrives:
Remote Following
Watch logs on remote systems:
The quotes ensure tail runs on the remote machine, streaming output back to your terminal. Monitor distributed systems without opening multiple SSH sessions.
Saving While Watching
Watch and record simultaneously:
You see everything in the terminal while tee writes a copy to the file. Perfect for documenting a troubleshooting session.
Alternative: less +F
The less pager can follow files too:
Press Ctrl+C to stop following and navigate the file normally—search backward, scroll up, examine context. Press F to resume following. This pause-and-explore capability makes less +F powerful for investigation.
Common Patterns
SSH login attempts:
Database queries:
Mail delivery:
Kernel messages:
When Not to Use tail -f
For analyzing past events, use tail, grep, or awk on the static file. Following only makes sense when you need to see what's happening now.
For high-volume logs scrolling faster than you can read, add filters. A firehose of unfiltered output helps no one.
For structured analysis of systemd services, journalctl offers better filtering than tail -f on raw files.
Key Takeaways
tail -f turns log files into live streams, showing new lines the instant they're written. Use -F for production monitoring—it handles log rotation automatically by following the filename rather than the file descriptor.
Combine with grep for filtered views, awk for field extraction, tee for recording. Follow multiple files to see how events correlate across logs.
For systemd services, journalctl -f provides similar capabilities with richer filtering. For the flexibility to pause, explore, and resume, use less +F.
The command is simple. The visibility it provides is not. Real-time log following transforms debugging from archaeology into observation—you're no longer reconstructing what happened, you're watching it happen.
Frequently Asked Questions About tail -f
Was this page helpful?