
Learn how to preview files, slice ranges, and monitor logs in real time without drowning in output.

Most tools dump everything. `head` and `tail` let you choose how much you see.

`head` shows you the beginning of a file or stream. `tail` shows you the end. Between them they cover the two most common situations in terminal work: getting a quick look at what something contains, and watching it change in real time.

This article covers both tools completely — every flag, the live monitoring behavior that makes `tail` indispensable, and how they fit into security pipelines.

## The Baseline

`head` reads input and prints the first N lines. `tail` reads input and prints the last N lines. Both default to 10.

```bash
head filename          # first 10 lines
tail filename          # last 10 lines
some_command | head    # first 10 lines of any output
some_command | tail    # last 10 lines of any output
```

The rest of the file beyond what you asked for is never processed. That matters for performance on large files — `head` stops reading immediately after reaching its limit.

## Part One — head

### -n — Control How Many Lines

```bash
head -n 20 file.txt    # first 20 lines
head -n 1 file.txt     # first line only
head -5 file.txt       # shorthand for head -n 5
```

The shorthand form — number directly after `-` — is widely supported and saves a few characters in pipelines.

### -n with a Negative Number — All But the Last N Lines

This is the less obvious behavior and one of the most useful.

```bash
head -n -5 file.txt
```

Prints everything except the last 5 lines. If the file has 100 lines, you get lines 1 through 95. Negative counts are a GNU coreutils extension; BSD and macOS `head` may reject them.

**When to use it:** Stripping trailing footers, summary lines, or totals that tools append to the end of their output before passing the data to the next stage.

### -c — Print by Bytes Instead of Lines

```bash
head -c 100 file.txt
```

Prints the first 100 bytes instead of lines. Most useful for reading the magic bytes at the start of a file — the hidden signature that identifies its type.

```bash
head -c 8 unknown_file | xxd
```

`xxd` converts the bytes to hex.
ELF binaries start with `7f 45 4c 46`. ZIP files start with `50 4b 03 04`. PDFs start with `25 50 44 46`. A quick read tells you what a file actually is before you touch it.

### head in Security Workflows

#### Check the Field Order Before Writing a Pipeline

```bash
head -n 1 results.csv
```

Shows only the column header row. When tool output is CSV, check this first to know which field number maps to which column before writing a `cut` command against it.

#### Limit Ranked Output to the Top N Results

After a frequency analysis pipeline:

```bash
grep -oE "([0-9]{1,3}\.){3}[0-9]{1,3}" access.log | sort | uniq -c | sort -rn | head -n 10
```

The full pipeline produces a ranked list of every IP. `head -n 10` limits the output to the top 10. Without it, a busy log file returns thousands of lines.

#### Check Magic Bytes to Identify a File Type

```bash
head -c 8 unknown_file | xxd
```

`head -c 8` extracts the first 8 bytes. `xxd` renders them in hex. Common signatures:

| Magic Bytes | File Type |
|----|----|
| `7f 45 4c 46` | ELF binary (Linux executable) |
| `4d 5a` | PE binary (Windows executable) |
| `50 4b 03 04` | ZIP / DOCX / JAR |
| `25 50 44 46` | PDF |
| `ff d8 ff` | JPEG |

#### Strip a Header Before Passing to Another Tool

```bash
tail -n +2 results.csv | cut -d',' -f3
```

`tail -n +2` skips line 1 and outputs everything from line 2 onward. `cut` then extracts the third column. This pattern comes up constantly when tool output has a header row you do not want processed as data — covered in more detail in the tail section below.

## Part Two — tail

### -n — Control How Many Lines From the End

```bash
tail -n 20 file.txt    # last 20 lines
tail -n 1 file.txt     # last line only — most recent log entry, final result
```

### -n +N — Start From Line N

This is the most useful and least understood `tail` behavior.

```bash
tail -n +2 file.txt
```

The `+` changes the meaning entirely. Instead of "print the last N lines," it means "start printing from line N."
`tail -n +2` skips line 1 and outputs everything from line 2 to the end — the standard way to strip a header row before passing data forward.

This also pairs with `head` to extract a specific range. To get lines 11 through 20:

```bash
head -n 20 file.txt | tail -n 10
```

`head -n 20` keeps the first 20 lines. `tail -n 10` keeps the last 10 of those — which are lines 11 through 20 of the original file.

The pattern: to extract lines M through N, keep the first N lines with `head`, then take the last (N - M + 1) with `tail`.

### -c — Print by Bytes From the End

```bash
tail -c 100 file.txt
```

Prints the last 100 bytes. Less commonly used than `-n`, but useful when working with binary data or checking the end of a file at the byte level.

### -f — Follow a File in Real Time

This is the flag that makes `tail` genuinely different from everything else in this series.

```bash
tail -f /var/log/auth.log
```

`tail` opens the file, prints the last 10 lines, and then keeps watching. Every time a new line is appended to the file, `tail` prints it immediately. The command runs until you press `Ctrl+C`.

This is live log monitoring from the terminal. No GUI, no external tool — `tail` watches the file and shows you what is happening as it happens.

**When to use it:** Any time you want to see events as they occur — watching auth logs during a test, monitoring an application log while sending requests, following a scan in progress.

### -f with Multiple Files

```bash
tail -f /var/log/auth.log /var/log/syslog
```

Follows both files simultaneously. Whenever output switches from one file to the other, `tail` prints a `==> filename <==` header so you know which file the lines that follow came from:

```
==> /var/log/auth.log <==
Jun 01 10:23:11 sshd[1263]: Accepted password for admin
==> /var/log/syslog <==
Jun 01 10:23:12 systemd[1]: Started Session 4 of user admin.
```

### -F — Follow by Name, Not File Descriptor

```bash
tail -F /var/log/apache2/access.log
```

`-F` is `-f` with one important difference: if the file is rotated (deleted and recreated with the same name, which log rotation does), `-F` detects the new file and continues following it.
`-f` follows the original file descriptor and loses track after rotation. For production log files that rotate, always use `-F` instead of `-f`.

### --pid — Stop Following When a Process Ends

```bash
tail -f logfile.txt --pid=1234
```

Follows the log file but automatically exits when the process with PID 1234 terminates. Useful when you are monitoring a specific process and want `tail` to clean itself up when the process is done. `--pid` is a GNU `tail` option.

## Part Three — head and tail in Security Workflows

### Monitor Authentication Logs in Real Time

```bash
tail -F /var/log/auth.log
```

Every authentication event is printed as it happens. During an active test or investigation, this gives you a live feed without polling.

### Watch for Failed Login Attempts Live

```bash
tail -F /var/log/auth.log | grep --line-buffered "Failed password"
```

`tail` follows the log. `grep` filters to only failed password lines. `--line-buffered` tells `grep` to flush output immediately after each match rather than buffering — without it, `grep` can hold matches back and the live feed feels delayed.

The result is a real-time stream of failed login attempts only, with all other log noise removed.

### Monitor a Web Server During Active Testing

```bash
tail -F /var/log/apache2/access.log | grep --line-buffered -v '" 200 '
```

Follow the access log. Filter out 200 OK responses. The pattern `'" 200 '` matches the status field that follows the quoted request line in the common and combined log formats; a bare `200` would also hide lines that merely contain 200 in an IP address, path, or byte count. What remains is every non-success response — 403s, 404s, 500s — in real time as your requests hit the server.

### Skip Headers and Pass Clean Data to a Tool

```bash
tail -n +2 scan_results.csv | cut -d',' -f1,3 | sort | uniq
```

`tail -n +2` skips the header row. `cut` extracts columns 1 and 3. `sort` + `uniq` deduplicates. The result is clean, deduplicated data from the fields you care about.

### Check the Last Result From a Ranked Pipeline

```bash
sort passwords.txt | uniq -c | sort -n | tail -n 1
```

After sorting by frequency ascending, `tail -n 1` shows the single most frequent password. (`sort -rn | head -n 1` does the same thing from the other direction.)
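The `-f` versus `-F` behavior described in Part Two can be reproduced on a scratch file. The script below is an added example, not part of the original article; the function name, file names, and sleep intervals are assumptions chosen for the demonstration.

```bash
# Added example: show that tail -f loses a rotated log while tail -F keeps up.
# Everything runs against a temporary file constructed for the demo.

rotation_demo() {
  dir=$(mktemp -d) || return 1
  log="$dir/app.log"
  printf 'before rotation\n' > "$log"

  # One follower per mode, each writing what it sees to its own capture file.
  tail -f "$log" > "$dir/by_descriptor.out" 2>/dev/null &
  pid_fd=$!
  tail -F "$log" > "$dir/by_name.out" 2>/dev/null &
  pid_name=$!
  sleep 1                               # let both followers open the file

  mv "$log" "$log.1"                    # rotate: rename the old file ...
  printf 'after rotation\n' > "$log"    # ... and recreate it under the same name
  sleep 3                               # longer than tail's default 1-second recheck

  kill "$pid_fd" "$pid_name" 2>/dev/null || true
  wait "$pid_fd" "$pid_name" 2>/dev/null || true

  # Count the post-rotation lines each follower captured.
  seen_fd=$(grep -c 'after rotation' "$dir/by_descriptor.out" || true)
  seen_name=$(grep -c 'after rotation' "$dir/by_name.out" || true)
  rm -rf "$dir"
  printf 'tail -f saw %s post-rotation line(s); tail -F saw %s\n' \
    "$seen_fd" "$seen_name"
}

RESULT=$(rotation_demo)
printf '%s\n' "$RESULT"
```

A monitoring session started with `-f` keeps running after rotation and simply goes quiet, which is easy to mistake for an absence of events.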
### Inspect the Beginning of a Potentially Malicious File

```bash
head -n 20 suspicious.sh
```

Read the first 20 lines of an unknown script before executing anything. Reading the file does not execute it, and it costs nothing.

### Follow Multiple Logs During Incident Response

```bash
tail -F /var/log/auth.log /var/log/syslog /var/log/apache2/error.log
```

Three logs, one terminal. Each batch of new lines is introduced by a header naming the source file. During an active incident, this gives you a correlated view across system, auth, and application events without opening separate windows.

## Quick Reference

### head

| Flag | What It Does |
|----|----|
| `-n N` | Print first N lines (default: 10) |
| `-n -N` | Print all except the last N lines |
| `-c N` | Print first N bytes |

### tail

| Flag | What It Does |
|----|----|
| `-n N` | Print last N lines (default: 10) |
| `-n +N` | Print from line N to end of file |
| `-c N` | Print last N bytes |
| `-f` | Follow file, print new lines as they appear |
| `-F` | Follow by name — survives log rotation |
| `--pid=N` | Stop following when process N exits |

### Common Combinations

| Pattern | What It Does |
|----|----|
| `head -n 1` | First line only — extract headers |
| `tail -n 1` | Last line only — most recent entry |
| `tail -n +2` | Skip the first line — strip headers |
| `head -n N` then `tail -n M` | Extract a line range |
| `tail -f` then `grep --line-buffered` | Live filtered log monitoring |
| `...` then `head -n N` | Limit any pipeline output to N lines |

## Closing

`head` and `tail` do not find things, transform things, or count anything. What they do is control how much of the data you see and when you see it.

That matters more than it sounds. A pipeline that returns 50,000 lines is not useful. A log feed that shows everything is noise. `head` puts a ceiling on output. `tail -f` turns a static file into a real-time feed. `tail -n +2` silently strips headers so every tool downstream gets clean data.

They are small. They are always there. Learn them once and they show up everywhere.
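A scripted form of the magic-byte check from Part One, extended to flag files whose extension disagrees with their leading bytes. This is an added example, not part of the original article: the helper names `magic_hex`, `sniff_type`, and `ext_mismatch` and the extension mapping are assumptions, the signatures are the ones in the article's table, and `od` stands in for `xxd` because it is available on any POSIX system.

```bash
# Added example: classify a file by its leading bytes and flag files whose
# extension disagrees with the signature. Helper names are hypothetical;
# the signature list is the one in the article's table.

# Print the first 8 bytes as single-space-separated lowercase hex.
magic_hex() {
  head -c 8 -- "$1" | od -An -tx1 | sed 's/  */ /g; s/^ //; s/ $//'
}

# Map the leading bytes to a type name; no signature is a prefix of another.
sniff_type() {
  case "$(magic_hex "$1")" in
    "7f 45 4c 46"*) echo elf ;;
    "4d 5a"*)       echo pe ;;
    "50 4b 03 04"*) echo zip ;;
    "25 50 44 46"*) echo pdf ;;
    "ff d8 ff"*)    echo jpeg ;;
    *)              echo unknown ;;
  esac
}

# Return 0 (mismatch) when the extension claims a type the bytes contradict.
ext_mismatch() {
  actual=$(sniff_type "$1")
  case "${1##*.}" in
    pdf)          expected=pdf ;;
    jpg|jpeg)     expected=jpeg ;;
    zip|docx|jar) expected=zip ;;
    exe|dll)      expected=pe ;;
    *)            return 1 ;;   # extension makes no claim we can check
  esac
  [ "$actual" != "$expected" ]
}

# Constructed samples: a genuine PDF header, and "MZ" bytes named like a PDF.
demo_dir=$(mktemp -d)
printf '%%PDF-1.7\n' > "$demo_dir/report.pdf"
printf 'MZ constructed sample\n' > "$demo_dir/invoice.pdf"
for f in "$demo_dir"/*.pdf; do
  if ext_mismatch "$f"; then flag=MISMATCH; else flag=ok; fi
  printf '%s\t%s\t%s\n' "${f##*/}" "$(sniff_type "$f")" "$flag"
done
```

A match only says what the first bytes look like; container formats such as ZIP, DOCX, and JAR share one signature and need further inspection to tell apart.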
View original source — Hacker Noon ↗

