How to tail and follow logs in Linux

Watching logs in real time makes troubleshooting feel less like guesswork and more like reading a live transcript of what the system is doing. Following log files shows new events as they happen, which is essential when diagnosing crashes, slowdowns, authentication problems, or misbehaving applications.

On Linux, most services write plain-text logs under /var/log or into the systemd journal. Tools such as tail and journalctl focus on the newest entries, printing only the trailing lines and optionally following new ones as they are appended, which keeps the output manageable even for very busy logs.

Log access often requires elevated permissions and a bit of awareness about log rotation, binary formats, and retention policies. On common Ubuntu or Debian systems, general messages appear in /var/log/syslog, authentication events in /var/log/auth.log, and many system services log into the journal read via journalctl. The examples below assume a standard shell and the ability to use sudo for protected files.

1. Open a terminal with a user account that has sudo privileges.

   $ whoami
   user

2. List available log files under /var/log to choose a file to inspect.

   $ ls /var/log
   alternatives.log
   auth.log
   cloud-init.log
   dpkg.log
   kern.log
   syslog
   ##### snipped #####

   Most system-wide text logs live in /var/log, while some applications may use custom directories under /var/log or /opt.

3. Show the last 20 lines of a specific log file using tail.

   $ sudo tail -n 20 /var/log/syslog
   Jun 12 09:14:23 host NetworkManager[1023]: <info>  [1655021663.1234] device (eth0): state change: activated -> deactivated
   Jun 12 09:14:24 host systemd[1]: Stopping User Manager for UID 1000...
   ##### snipped #####

   Increase or decrease the value passed to -n to control how many lines are shown initially.

4. Follow new entries in the log file continuously with tail -f.

   $ sudo tail -f /var/log/syslog
   Jun 12 09:15:01 host CRON[24567]: (root) CMD (/usr/bin/cron-job)
   Jun 12 09:15:30 host sshd[24801]: Accepted publickey for admin from 192.0.2.10 port 51234 ssh2
   ##### snipped #####

   Press Ctrl+C to stop following; tail exits cleanly and returns to the shell prompt.

5. Follow a log safely across rotations using tail -F.

   $ sudo tail -F /var/log/syslog
   ==> /var/log/syslog <==
   Jun 12 09:16:01 host CRON[24901]: (root) CMD (/usr/bin/another-job)
   ##### snipped #####

   Option -F behaves like --follow=name --retry so the command keeps tracking the file name even if the underlying file is rotated or temporarily missing.

6. Follow multiple log files at once to correlate related events.

   $ sudo tail -F /var/log/syslog /var/log/auth.log
   ==> /var/log/syslog <==
   Jun 12 09:17:10 host systemd[1]: Started OpenSSH Daemon.
   
   ==> /var/log/auth.log <==
   Jun 12 09:17:12 host sshd[25234]: Accepted password for alice from 198.51.100.5 port 44922 ssh2
   ##### snipped #####

   Each block of output is prefixed with the file name between ==> markers, which helps distinguish messages from different logs.

7. Filter followed output by keyword using grep when only specific messages matter.

   $ sudo tail -F /var/log/syslog | grep --line-buffered sshd
   Jun 12 09:18:30 host sshd[25301]: Accepted publickey for admin from 192.0.2.10 port 51240 ssh2
   Jun 12 09:18:47 host sshd[25309]: Failed password for invalid user test from 203.0.113.23 port 60210 ssh2

   Filtering with grep hides lines that do not match the pattern, which is convenient but can obscure important context if the filter is too narrow.

8. Follow the systemd journal in real time with journalctl -f instead of flat files.

   $ sudo journalctl -f
   Jun 12 09:19:01 host systemd[1]: Starting Daily apt download activities...
   Jun 12 09:19:02 host systemd[1]: Started Daily apt download activities.
   ##### snipped #####

   Use journalctl -u <unit> -f (for example journalctl -u ssh -f) to follow only one service’s logs.

9. Generate a test log entry and verify that it appears in the followed output.

   $ logger "tail-follow demo: hello from $(hostname)"
   $ sudo journalctl -f
   Jun 12 09:20:15 host root[25501]: tail-follow demo: hello from host

   The logger command writes to the system log using syslog, which is a convenient way to confirm that tailing or following is working as expected.