Article Categories
- All Categories
-
Data Structure
-
Networking
-
RDBMS
-
Operating System
-
Java
-
MS Excel
-
iOS
-
HTML
-
CSS
-
Android
-
Python
-
C Programming
-
C++
-
C#
-
MongoDB
-
MySQL
-
Javascript
-
PHP
-
Economics & Finance
Linux last Command
The last command is a powerful Linux utility used to display a list of users who have previously logged in to the system. This command is especially useful for system administrators who need to track user activity and monitor login sessions on servers. The last command can display various information including login dates, session duration, and the terminal or device used to access the system.
Syntax and Options
The basic syntax of the last command is as follows
last [options] [username]
Common options available with the last command include
| Option | Description |
|---|---|
-a |
Display the hostname of the system in the output |
-d |
Display the DNS name of the host instead of IP address |
-f file |
Use the specified file as the data source instead of default |
-i |
Display the IP address of the host instead of hostname |
-n number |
Limit the number of lines of output |
-R |
Print hostname and IP address in reverse DNS format |
-x |
Show system reboot messages in the output |
How It Works
The last command displays information about the most recently logged in users by reading the system log file /var/log/wtmp as the default data source. The wtmp file is a binary file on Unix-like operating systems that keeps a history of all login and logout activity.
The related lastb command works similarly but reads from /var/log/btmp which contains all failed login attempts. Regular users do not have read permission on the btmp file
$ ls -l /var/log/btmp -rw-rw---- 1 root utmp 1152 Apr 5 00:04 /var/log/btmp
Therefore, only the root user can access failed login attempt reports using the lastb command.
Understanding the Output
Running the last command without options generates a complete history report
$ last reboot system boot 5.5.13-arch2-1 Fri Apr 10 08:02 still running kent pts/0 192.168.0.63 Tue Apr 7 22:01 - 23:03 (01:02) reboot system boot 5.5.8-arch1-1 Tue Mar 10 20:49 - 20:49 (00:00) kent pts/5 tmux(6716).%6 Thu Mar 26 18:58 - 19:01 (7+23:02) root tty1 Fri Feb 21 18:45 - down (00:01) kent pts/0 80.242.164.60 Thu Feb 20 11:39 - 11:43 (00:04) guest pts/0 192.168.0.63 Sun Jan 26 19:15 - 21:32 (02:17) kent pts/2 tmux(2044).%1 Wed Jan 8 22:39 - 01:09 (02:29)
Each column in the output represents specific information
Column 1 (Username) Name of the logged in user or system event
Column 2 (Terminal) Connection type such as
pts(pseudo-terminal),tty(teletype), or "system boot" for reboot eventsColumn 3 (Source) Login origin which can be hostname, IP address, kernel version (for reboots), or application-specific values like
tmux(6716).%6Column 4 (Login Time) When the login activity occurred
Column 5 (Logout Status) Shows logout time, "still running", "still logged in", "down" (normal shutdown), or "crash" (system failure)
Column 6 (Duration) Session length in (Hours:Minutes) format
Examples
Limiting Output Lines
To view only the most recent login entries, use the -n option
$ last -n 5
kent pts/0 192.168.0.63 Sat Apr 11 14:58 still logged in kent pts/1 192.168.0.63 Sat Apr 11 12:30 - 14:45 (02:15) reboot system boot 5.5.13-arch2-1 Fri Apr 10 08:02 still running john pts/0 10.0.0.100 Thu Apr 9 16:22 - 18:30 (02:08) mary tty2 Thu Apr 9 09:15 - 17:00 (07:45)
Viewing Specific User Activity
$ last kent
Showing Failed Login Attempts
$ sudo lastb
Conclusion
The last command is an essential tool for system administrators to monitor user login activity and maintain system security. By understanding its output format and various options, administrators can effectively track user sessions, investigate security incidents, and maintain comprehensive audit trails of system access.
7K+ Views
