Watching logs in real time makes troubleshooting feel less like guesswork and more like reading a live transcript of what the system is doing. Following log files shows new events as they happen, which is essential when diagnosing crashes, slowdowns, authentication problems, or misbehaving applications.
On Linux, most services write plain-text logs under /var/log or into the systemd journal. Tools such as tail and journalctl focus on the newest entries, printing only the trailing lines and optionally following new ones as they are appended, which keeps the output manageable even for very busy logs.
Log access often requires elevated permissions and a bit of awareness about log rotation, binary formats, and retention policies. On common Ubuntu or Debian systems, general messages appear in /var/log/syslog, authentication events in /var/log/auth.log, and many system services log into the journal read via journalctl. The examples below assume a standard shell and the ability to use sudo for protected files.
Steps to tail and follow logs in Linux:
- Open a terminal with a user account that has sudo privileges.
$ whoami user
- List available log files under /var/log to choose a file to inspect.
$ ls /var/log README alternatives.log apt auth.log bootstrap.log btmp dpkg.log faillog journal kern.log
Most system-wide text logs live in /var/log, while some applications may use custom directories under /var/log or /opt.
- Show the last lines of a specific log file using tail.
$ sudo tail -n 10 /var/log/syslog 2026-01-11T21:19:58.917507+00:00 host systemd[1]: Stopped rsyslog.service - System Logging Service. 2026-01-11T21:19:58.918838+00:00 host systemd[1]: Starting rsyslog.service - System Logging Service... 2026-01-11T21:19:58.949452+00:00 host rsyslogd: imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd 3) from systemd. [v8.2312.0] 2026-01-11T21:19:58.949526+00:00 host rsyslogd: rsyslogd's groupid changed to 102 2026-01-11T21:19:58.949558+00:00 host systemd[1]: Started rsyslog.service - System Logging Service. 2026-01-11T21:19:58.949588+00:00 host rsyslogd: rsyslogd's userid changed to 101 2026-01-11T21:19:58.949607+00:00 host rsyslogd: [origin software=\"rsyslogd\" swVersion=\"8.2312.0\" x-pid=\"1458\" x-info=\"https://www.rsyslog.com\"] start 2026-01-11T21:20:11.137059+00:00 host root: tail-follow demo after restart 2026-01-11T21:20:17.576093+00:00 host systemd[1]: systemd-hostnamed.service: Deactivated successfully.
Increase or decrease the value passed to -n to control how many lines are shown initially.
- Follow new entries in the log file continuously with tail -f.
$ sudo tail -f /var/log/syslog | head -n 5 2026-01-11T21:19:58.918838+00:00 host systemd[1]: Starting rsyslog.service - System Logging Service... 2026-01-11T21:19:58.949452+00:00 host rsyslogd: imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd 3) from systemd. [v8.2312.0] 2026-01-11T21:19:58.949526+00:00 host rsyslogd: rsyslogd's groupid changed to 102 2026-01-11T21:19:58.949558+00:00 host systemd[1]: Started rsyslog.service - System Logging Service. 2026-01-11T21:19:58.949588+00:00 host rsyslogd: rsyslogd's userid changed to 101
Press Ctrl+C to stop following; tail exits cleanly and returns to the shell prompt.
- Follow a log safely across rotations using tail -F.
$ sudo tail -F /var/log/syslog 2026-01-11T21:19:58.918838+00:00 host systemd[1]: Starting rsyslog.service - System Logging Service... ##### snipped #####
Option -F behaves like --follow=name --retry so the command keeps tracking the file name even if the underlying file is rotated or temporarily missing.
- Follow multiple log files at once to correlate related events.
$ sudo tail -F /var/log/syslog /var/log/auth.log | head -n 8 ==> /var/log/syslog <== 2026-01-11T21:19:58.918838+00:00 host systemd[1]: Starting rsyslog.service - System Logging Service... 2026-01-11T21:19:58.949452+00:00 host rsyslogd: imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd 3) from systemd. [v8.2312.0] 2026-01-11T21:19:58.949526+00:00 host rsyslogd: rsyslogd's groupid changed to 102 2026-01-11T21:19:58.949558+00:00 host systemd[1]: Started rsyslog.service - System Logging Service. 2026-01-11T21:19:58.949588+00:00 host rsyslogd: rsyslogd's userid changed to 101 2026-01-11T21:19:58.949607+00:00 host rsyslogd: [origin software=\"rsyslogd\" swVersion=\"8.2312.0\" x-pid=\"1458\" x-info=\"https://www.rsyslog.com\"] start
Each block of output is prefixed with the file name between ==> markers, which helps distinguish messages from different logs.
- Filter followed output by keyword using grep when only specific messages matter.
$ sudo tail -F /var/log/syslog | grep --line-buffered sshd 2026-01-11T21:19:58.918838+00:00 host systemd[1]: Starting rsyslog.service - System Logging Service...
Filtering with grep hides lines that do not match the pattern, which is convenient but can obscure important context if the filter is too narrow.
- Follow the systemd journal in real time with journalctl -f instead of flat files.
$ sudo journalctl -f Jan 11 21:22:09 host.example.net root[1560]: journalctl follow demo: ssh start
Use journalctl -u <unit> -f (for example journalctl -u ssh -f) to follow only one service’s logs.
- Generate a test log entry and verify that it appears in the followed output.
$ logger "tail-follow demo: hello from $(hostname)" $ sudo journalctl -f Jan 11 21:22:09 host.example.net root[1560]: journalctl follow demo: ssh start
The logger command writes to the system log using syslog, which is a convenient way to confirm that tailing or following is working as expected.
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
