How to Monitor File Changes in Real-Time Using Unix/Linux tail -f Command



When debugging applications or monitoring system behavior, watching log files in real-time is one of the most common tasks for Unix/Linux administrators and developers. The tail -f command is your best friend for this purpose.

# Basic usage:
tail -f /var/log/syslog

# Watching multiple files:
tail -f /var/log/nginx/access.log /var/log/nginx/error.log

# Combining with grep for filtering:
tail -f /var/log/apache2/access.log | grep "404"

While the basic tail -f is useful, there are more powerful ways to leverage this command:

# Show the last 100 lines and then follow:
tail -n 100 -f application.log

# Colorize output for better visibility:
tail -f /var/log/kern.log | ccze -A

# Monitor rotated logs (requires GNU tail):
tail -F /var/log/messages
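
The grep filter and the rotation-aware tail -F shown above can be combined into a small alerting pipeline. This is an added example, not code from the original page: it counts sshd failed-password lines per source IP and prints one alert when a threshold is reached. The function names, the threshold and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Sample log lines are constructed.

# Read auth-log lines on stdin and print one ALERT line per source IP when its
# count of sshd "Failed password" entries reaches the threshold ($1, default 3).
count_failed_logins() {
  # -a: treat input as text even if a line carries odd bytes.
  # --line-buffered: stdout is a pipe here, so without it grep would hold
  # matches in a block buffer instead of passing each one on immediately.
  grep -a --line-buffered -E 'sshd\[[0-9]+\]: Failed password for ' |
  LC_ALL=C awk -v limit="${1:-3}" '
    {
      gsub(/[^ -~]/, "")               # drop control bytes such as ESC before display
      if ($(NF - 2) != "port") next    # expect the tail "from <ip> port <n> ssh2"
      ip = $(NF - 3)                   # read the IP from the end of the line, because
                                       # the user name earlier in it is client-supplied
      if (++seen[ip] == limit) {
        print "ALERT ip=" ip " count=" seen[ip] " last: " $0
        fflush()                       # same buffering concern as grep
      }
    }'
}

# Live use: -n 0 starts at the end of the file, -F keeps following across rotation.
watch_auth_log() {
  tail -n 0 -F "$1" | count_failed_logins "${2:-3}"
}

# Constructed sample input, including a user name with " from " and an ESC sequence.
sample_lines() {
  printf 'Jan 10 10:00:01 host sshd[101]: Failed password for root from 203.0.113.5 port 40001 ssh2\n'
  printf 'Jan 10 10:00:02 host sshd[102]: Accepted password for alice from 198.51.100.7 port 40002 ssh2\n'
  printf 'Jan 10 10:00:03 host sshd[103]: Failed password for invalid user x from 198.51.100.9 from 203.0.113.5 port 40003 ssh2\n'
  printf 'Jan 10 10:00:04 host sshd[104]: Failed password for invalid user \033[2Jbob from 203.0.113.5 port 40004 ssh2\n'
  printf 'Jan 10 10:00:05 host sshd[105]: Failed password for root from 198.51.100.7 port 40005 ssh2\n'
}

# Offline demo on the constructed lines above.
sample_lines | count_failed_logins 3
```

For live monitoring, call watch_auth_log with the log path and a threshold, for example watch_auth_log /var/log/auth.log 3.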

While tail -f is the most common solution, other tools offer additional features:

# Using less with follow mode (shift+F):
less +F /var/log/auth.log

# Using watch with diff:
watch -d 'tail -n 20 application.log'

# Using inotifywait for event-based monitoring:
inotifywait -m -e modify /path/to/file

Here's how I typically use these commands in my development workflow:

# Watching a Node.js application log:
tail -f /var/log/nodeapp.log | grep -v "DEBUG"

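# Monitoring a Python script's output (-u disables Python's output buffering;
# redirecting to the file instead of tee avoids printing every line twice):
python3 -u script.py > output.log & tail -f output.log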

# Tracking database query logs:
tail -f /var/log/mysql/query.log | grep "slow query"

When debugging applications or monitoring system behavior, developers often need to watch log files in real-time as new entries are written. The Unix/Linux tail command with the -f (follow) option is the perfect tool for this job.

The simplest way to monitor a growing file:

tail -f /var/log/syslog

This will display the last 10 lines of the file and continue showing new lines as they're appended.

For more control over the monitoring process:

# Show last 50 lines initially
tail -n 50 -f application.log

# Monitor multiple files simultaneously
tail -f /var/log/nginx/access.log /var/log/nginx/error.log

# Use with grep to filter specific patterns
tail -f debug.log | grep "ERROR"

# Combine with awk for formatted output
tail -f data.csv | awk -F, '{print $1, $3}'

While tail -f is most common, other options exist:

# less with follow mode (+F starts following at once; Ctrl+C pauses, F resumes)
less +F development.log

# watch command for periodic checks
watch -n 5 'tail -n 20 production.log'

# inotifywait for event-based monitoring
inotifywait -m -e modify /path/to/file

Here's how I use these commands in my daily work:

# Monitor web server traffic while testing
tail -f /var/log/apache2/access.log | grep "POST /api"

# Watch debug output during development
tail -f ./debug.out | tee debug_copy.txt

# Track memory usage patterns
watch -n 1 'grep "MemFree" /proc/meminfo'

  • Use Ctrl+C to stop monitoring
  • Combine with grep -v to exclude patterns
  • Add --retry if the file might temporarily disappear
  • Consider multitail for advanced multi-file monitoring