Linux last Command


Introduction

On Linux, the "last" command is used to display a list of users who have previously logged in to the system. This command is especially useful for system administrators who need to track user activity on a server. The last command can display a variety of information, including the date and time of access, the duration of the session and the terminal or device used to access the system.

Options and Syntax

The basic syntax of the last command is as follows −

$ last [options] [username]

Options available with the last command include −

-a − Display the hostname of the system in the output.

-d − Display the DNS name of the host instead of the IP address.

-f − Use the specified file as the data source instead of the default file.

-i − Display the IP address of the host instead of the hostname.

-n − Limit the number of lines of output.

-R − Print the system's hostname and IP address in reverse DNS format.

-x − Show system reboot messages in the output.

Overview

When managing a multi-user system, you often want detailed information about login activity. In this tutorial, we will learn through an example how to get login information using the “last” and “lastb” commands.

Introduction to last and lastb

The last command displays information about the most recently logged in users. It is quite convenient and useful when we need to track login activities or investigate a potential security breach. By default, the last command uses the system log file “/var/log/wtmp” as the data source for its reports. wtmp is a binary file on *nix operating systems that keeps a history of all login and logout activity.

The “lastb” command is the same as the last command, except that, by default, it looks in the “/var/log/btmp” file, which contains all failed login attempts. Regular users do not have read permission on the “/var/log/btmp” file −

$ ls -l /var/log/btmp
-rw-rw---- 1 root utmp 1152 Apr  5 00:04 /var/log/btmp

Therefore, only the root user can get the failed login attempt report using the “lastb” command.
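To make the binary format concrete, the following added example (not part of the original article) decodes wtmp/btmp records and pairs logins with logouts, which is the work last does before printing its report. It assumes the 384-byte x86-64 glibc struct utmp layout; the function names, sample records, PIDs and timestamps are constructed for illustration.

```python
import struct
from datetime import datetime, timezone

# Assumption: x86-64 glibc "struct utmp" layout (384 bytes, little-endian).
UTMP = struct.Struct("<h2xi32s4s32s256shhiii4i20x")
TYPES = {1: "RUN_LVL", 2: "BOOT_TIME", 7: "USER_PROCESS", 8: "DEAD_PROCESS"}

def _text(raw):
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def parse_utmp(data):
    for off in range(0, len(data) - UTMP.size + 1, UTMP.size):
        f = UTMP.unpack_from(data, off)  # whole records only; a short tail is skipped
        yield {"type": TYPES.get(f[0], str(f[0])), "line": _text(f[2]),
               "user": _text(f[4]), "host": _text(f[5]),
               "time": datetime.fromtimestamp(f[9], tz=timezone.utc)}

def sessions(records):
    """Pair logins with logouts; the 4th item is a duration or a status."""
    open_by_line, out = {}, []
    def close_all(how):
        out.extend((s["user"], s["line"], s["host"], how) for s in open_by_line.values())
        open_by_line.clear()
    for r in records:
        if r["type"] == "USER_PROCESS":
            open_by_line[r["line"]] = r
        elif r["type"] == "DEAD_PROCESS" and r["line"] in open_by_line:
            s = open_by_line.pop(r["line"])
            out.append((s["user"], s["line"], s["host"], r["time"] - s["time"]))
        elif r["type"] == "RUN_LVL" and r["user"] == "shutdown":
            close_all("down")
        elif r["type"] == "BOOT_TIME":
            close_all("crash")  # no logout record before the next boot
    close_all("still logged in")
    return out

def _rec(ut_type, pid, line, user, host, ts):  # packs one constructed record
    return UTMP.pack(ut_type, pid, line.encode(), b"", user.encode(),
                     host.encode(), 0, 0, 0, ts, 0, 0, 0, 0, 0)

SAMPLE = b"".join([  # constructed data, oldest record first as in a real wtmp
    _rec(7, 812, "pts/0", "kent", "192.168.0.63", 1586296860),
    _rec(8, 812, "pts/0", "", "", 1586300580),
    _rec(7, 901, "pts/1", "guest", "192.168.0.63", 1586301000),
    _rec(2, 0, "~", "reboot", "5.5.13-arch2-1", 1586505720),
    _rec(7, 640, "pts/0", "kent", "192.168.0.63", 1586617080),
])

if __name__ == "__main__":
    print(*sessions(parse_utmp(SAMPLE)), sep="\n")
```

To run it against a real file, pass the bytes of a copy of /var/log/wtmp (or, as root, /var/log/btmp) to parse_utmp.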

Understand the Output

If we run the last command without any options, it will generate a history report of all accesses −

$ last
reboot   system boot  5.5.13-arch2-1   Fri Apr 10 08:02   still running
kent     pts/0        192.168.0.63     Tue Apr  7 22:01 - 23:03  (01:02)
reboot   system boot  5.5.8-arch1-1    Tue Mar 10 20:49 - 20:49  (00:00)
kent     pts/5        tmux(6716).%6    Thu Mar 26 18:58 - 19:01 (7+23:02)
root     tty1         slash            Fri Feb 21 18:45 - down   (00:01)
kent     pts/0        80.242.164.60    Thu Feb 20 11:39 - 11:43  (00:04)
guest    pts/0        192.168.0.63     Sun Jan 26 19:15 - 21:32 (02:17)
kent     pts/2        tmux(2044).%1    Wed Jan  8 22:39 - 01:09  (02:29)

Now, let's look at the access report generated above and understand the meaning of each column −

  • The first column shows the name of the logged in user.

  • The second column indicates how the user is connected to the system, for example via pts (pseudo-terminal) or tty (teletype). For a reboot entry, it shows system boot instead.

  • The third column indicates where the user logged in from. The value could be −

    • a hostname or an IP address - if the user connected from a remote computer

    • empty value - if the user connected via a tty

    • a kernel version - if it is a reboot entry

    • some application specific values, for example, tmux(6716).%6 means ProcessName(PID).WindowID

  • The fourth column indicates when the login activity occurred.

  • The fifth column shows the logout time. It can be one of the following values −

      • a timestamp − if the user logged out

      • still running − if the system started by this boot is still running

      • still logged in − if the user is still logged in

      • down − if the system shut down normally

      • crash − if there is no logout entry in the “/var/log/wtmp” file; this usually means that the system has crashed

  • The last column indicates how long the user was connected, in the format (Hours:Minutes).
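The column rules above can be applied mechanically when reviewing a report. This added example (not from the original article) parses last output, classifies the third column and flags sessions that came from a public address or have no logout record; the function names are hypothetical and the sample report, adapted from the one above, is constructed.

```python
import ipaddress
import re

# Constructed sample in the shape of the report discussed above.
SAMPLE_LAST = """\
reboot   system boot  5.5.13-arch2-1   Fri Apr 10 08:02   still running
kent     pts/0        192.168.0.63     Tue Apr  7 22:01 - 23:03  (01:02)
kent     pts/5        tmux(6716).%6    Thu Mar 26 18:58 - 19:01  (00:03)
kent     pts/0        80.242.164.60    Thu Feb 20 11:39 - 11:43  (00:04)
guest    pts/0        192.168.0.63     Sun Jan 26 19:15 - crash  (02:17)
"""

# user, line, optional origin, login time, logout value, optional duration
LINE = re.compile(
    r"^(?P<user>\S+)\s+(?P<line>system boot|\S+)\s+(?:(?P<origin>\S+)\s+)?"
    r"(?P<login>\w{3} \w{3} [ \d]\d \d\d:\d\d)\s+(?:- )?"
    r"(?P<end>.+?)\s*(?:\((?P<dur>[\d+:]+)\))?$"
)

def classify(origin, line):
    """Map the third column to one of the cases listed above."""
    if line == "system boot":
        return "kernel"
    if not origin:
        return "local-tty"
    try:
        ip = ipaddress.ip_address(origin)
    except ValueError:
        is_app = re.fullmatch(r"\w+\(\d+\)\.%\d+", origin)
        return "application" if is_app else "hostname"
    return "private-ip" if ip.is_private else "public-ip"

def triage(report):
    """Return (user, origin, reason) tuples worth a closer look."""
    findings = []
    for raw in report.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # blank lines and the trailing "wtmp begins ..." line
        if classify(m["origin"], m["line"]) == "public-ip":
            findings.append((m["user"], m["origin"], "login from public address"))
        if m["end"] == "crash":
            findings.append((m["user"], m["origin"] or m["line"], "no logout record (crash)"))
    return findings

if __name__ == "__main__":
    print(*triage(SAMPLE_LAST), sep="\n")
```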

Limit the number of lines in the output

A multi-user system is very likely to have many login entries recorded in the wtmp file. If we just want to look at some of the most recent login activity, we can use the “-n” option to limit the lines in the output of the last command −

$ last -n 5
kent     pts/0        192.168.0.63     Sat Apr 11 14:58   still logged in
kent pts/

Conclusion

In this article, we learned about the last and lastb commands in Linux, which are used to display information about the most recently logged in users. The last command is especially useful for system administrators to track user activity on a server. The article also covered the different switches and syntax available with the command, as well as examples of how to use them. Furthermore, we also understood the output generated by the last command and how we can limit the number of lines in the output. The options, examples and output walkthrough above will help you use the last command more efficiently.

Updated on: 20-Jan-2023
