Reading Logs with less, more, and tail - Mastering Pager Commands

Reading Logs with less, more, and tail - Mastering Pager Commands
Reading time: About 15 min Difficulty: Beginner

Don't Fear Logs - Just Start Reading Them

Lina: Linny-senpai, someone told me to "check the logs," but log files have thousands of lines! How am I supposed to read them?
Linny-senpai: That's exactly what the less command is for! Instead of dumping everything with cat, you can scroll through the file page by page.

Log files are long. Opening them with cat floods your screen and scrolls past in seconds.

That's where pager commands come in. Learn less, more, and tail, and no log file will intimidate you again.

less Basics - The King of Pagers

Lina: "less"? That's a funny name.
Linny-senpai: It comes from the phrase "less is more." A command called more already existed, so they named this more powerful one less as a joke.
Lina: That's backwards!
Linny-senpai: Classic Linux humor.

Opening a file with less

less /var/log/syslog
Nov 1 10:00:01 myserver systemd[1]: Started Daily apt download activities.
Nov 1 10:00:23 myserver kernel: [12345.678] eth0: renamed from veth1234
Nov 1 10:00:30 myserver sshd[1234]: Accepted publickey for user from 192.168.1.1
...

Once the file is open, use keyboard shortcuts to navigate.

less Navigation Keys

Key Action
Space / f Next page
b Previous page
/ j One line down
/ k One line up
G Jump to last line
g Jump to first line
q Quit
/keyword Search forward
?keyword Search backward
n Next search result
N Previous search result

The 3 keys to memorize first

  • Space: next page
  • q: quit
  • /error: search for the word "error"

Searching Inside less

Lina: Log files are so long — I can't find where the errors are.
Linny-senpai: Press / and type a keyword to search! Hit Enter to jump to the first match.

Open a file with less, then type /error and press Enter.

It jumps to the first line containing "error". Press n for the next match, N for the previous one.

less highlights all search matches, making it easy to spot errors in a long log file.

more Basics - The Simple Pager

Lina: Is more similar to less?
Linny-senpai: It's simpler. You just press Space to see "more." The catch is you can't scroll back to previous pages.
more /var/log/syslog
Key Action
Space Next page
Enter One line forward
q Quit

more cannot scroll backward. If you need to re-read earlier content, use less instead.

less vs. more - When to Use Which

Lina: So should I just always use less and forget about more?
Linny-senpai: Mostly yes! But more is useful when less isn't installed on a minimal system. When in doubt, less is the right choice.
Feature less more
Scroll backward Yes No
Search Yes (with highlighting) Basic or none
Pipe support Yes Yes
Default availability Most systems Nearly all systems

Bottom line: When in doubt, use less.

tail Basics - Viewing the End of a File

Lina: New log entries get added to the bottom of the file, right?
Linny-senpai: Exactly! So the tail command shows just the tail end of the file — the newest entries. By default, it shows the last 10 lines.
tail /var/log/syslog
Nov 1 11:59:43 myserver systemd[1]: Starting Session 42 of User user.
Nov 1 11:59:43 myserver systemd-logind[456]: New session 42 of user user.
Nov 1 11:59:44 myserver sshd[5678]: session opened for user user by (uid=0)
Nov 1 11:59:58 myserver systemd[1]: session-42.scope: Deactivated successfully.

Specifying the number of lines

tail -n 50 /var/log/syslog

The -n 50 flag shows the last 50 lines. You can also write it as -50:

tail -50 /var/log/syslog

The head command shows the beginning of a file. Learn tail and head together as a pair.

tail -f for Real-Time Monitoring

Lina: Log files keep growing in real time. How do I follow along as new entries are added?
Linny-senpai: That's tail -f! The -f stands for "follow" — it watches the file and prints each new line as it's appended.
Lina: That sounds really useful!
Linny-senpai: It's great for watching web server access logs or tracking what an app is doing during a deployment.
tail -f /var/log/nginx/access.log
192.168.1.1 - - [01/Jun/2026:12:00:01 +0900] "GET / HTTP/1.1" 200 1234
192.168.1.2 - - [01/Jun/2026:12:00:05 +0900] "GET /api/users HTTP/1.1" 200 5678
192.168.1.1 - - [01/Jun/2026:12:00:07 +0900] "POST /api/login HTTP/1.1" 200 89

Press Ctrl+C to stop.

tail -f keeps running until you stop it. Always press Ctrl+C when you're done monitoring.

Monitoring Multiple Files Simultaneously

tail -f /var/log/nginx/access.log /var/log/nginx/error.log

When watching multiple files, tail -f labels each new line with the filename it came from:

==> /var/log/nginx/access.log <==
192.168.1.3 - - [01/Jun/2026:12:01:00 +0900] "GET /image.png HTTP/1.1" 200 9876

==> /var/log/nginx/error.log <==
2026/06/01 12:01:01 [error] 1234#0: *5 No such file or directory

Practical Log Investigation Workflow

Lina: So when a server problem happens, what's the best order to check the logs?
Linny-senpai: Here's the workflow I use. Start with tail -n 100 to see recent activity, then switch to less to investigate more closely.

Step 1 - Check the most recent logs

tail -n 100 /var/log/syslog

Step 2 - Use less to search for errors

less /var/log/syslog

Inside less, type /error or /failed to search.

Step 3 - Watch logs in real time while reproducing the problem

tail -f /var/log/syslog

Combine with grep to filter noise

tail -f /var/log/syslog | grep -i error

This shows only lines containing "error" (case-insensitive) as they appear in real time.

Next Reading