- Kali Linux Tutorial
- Kali Linux - Home
- Installation & Configuration
- Information Gathering Tools
- Vulnerability Analyses Tools
- Kali Linux - Wireless Attacks
- Website Penetration Testing
- Kali Linux - Exploitation Tools
- Kali Linux - Forensics Tools
- Kali Linux - Social Engineering
- Kali Linux - Stressing Tools
- Kali Linux - Sniffing & Spoofing
- Kali Linux - Password Cracking Tools
- Kali Linux - Maintaining Access
- Kali Linux - Reverse Engineering
- Kali Linux - Reporting Tools
- Kali Linux Useful Resources
- Kali Linux - Quick Guide
- Kali Linux - Useful Resources
- Kali Linux - Discussion
Linux last Command
Introduction
On Linux, the "last" command is used to display a list of users who have previously logged in to the system. This command is especially useful for system administrators who need to track user activity on a server. The last command can display a variety of information, including the date and time of access, the duration of the session and the terminal or device used to access the system.
Options and Syntax
The basic syntax of the last command is as follows −
$ last [options] [username]
Options available with the last command include −
-a − Display the hostname of the system in the output.
-d − Display the DNS name of the host instead of the IP address.
-f − Use the specified file as the data source instead of the default file.
-i − Display the IP address of the host instead of the hostname.
-n − Limit the number of lines of output.
-R − Print the system's hostname and IP address in reverse DNS format.
-x − Show system reboot messages in the output.
Overview
When managing a multi-user system, you often want detailed information about login activity. In this tutorial, we will learn through an example how to get login information using the “last” and “lastb” commands.
Introduction to last and lastb
The last command displays information about the most recently logged in users. It is quite convenient and useful when we need to track login activities or investigate a potential security breach.The last command will, by default, take the system log file “/var/log/wtmp” as the data source for generating reports. wtmp is a binary file on *nix operating systems that keeps a history of all login and logout activity.
The “lastb” command is the same as the last command, except that, by default, it looks in the “/var/log/btmp” file, which contains all failed login attempts. Regular users do not have read permission on the “/var/log/btmp” file −
$ ls -l /var/log/btmp -rw-rw---- 1 root utmp 1152 Apr 5 00:04 /var/log/btmp
Therefore, only the root user can get the failed login attempt report using the “lastb” command.
Understand the Output
If we run the last command without any options, it will generate a history report of all accesses −
$ last reboot system boot 5.5.13-arch2-1 Fri Apr 10 08:02 still running kent pts/0 192.168.0.63 Tue Apr 7 22:01 - 23:03 (01:02) reboot system boot 5.5.8-arch1-1 Tue Mar 10 20:49 - 20:49 (00:00) kent pts/5 tmux(6716).%6 Thu Mar 26 18:58 - 19:01 (7+23:02) root tty1 slash Fri Feb 21 18:45 - down (00:01) kent pts/0 80.242.164.60 Thu Feb 20 11:39 - 11:43 (00:04) guest pts/0 192.168.0.63 Sun Jan 26 19:15 - 21:32 (02:17) kent pts/2 tmux(2044).%1 Wed Jan 8 22:39 - 01:09 (02:29)
Now, let's look at the access report generated above and understand the meaning of each column −
The first column shows the name of the logged in user.
The second column indicates how the user is connected to the system, for example via pts (pseudo-terminal) or tty (teletype). But if it was a restart task, it will show system boot.
The third column indicates where the user logged in from. The value could be −
a hostname or an IP address - if the user connected from a remote computer
empty value - if the user connected via a tty
a kernel version - if it is a reboot task
some application specific values, for example, tmux(6716).%6 means ProcessName(PID).WindowID
The fourth column indicates when the login activity occurred.
The fifth column shows the logout time. They can be the following values −
a timestamp − if the user logged out
still running − if the system startup is still running
still logged in − if the user is still logged in
down − the system shuts down normally
crash − if there is no logout entry in the “/var/log/wtmp” file; this usually means that the system has crashed
The last column indicates how long the user has been connected in the format (Hours: Minutes).
Limit the number of lines in the output
A multi-user system is very likely to have many login entries recorded in the wtmp file. If we just want to look at some of the most recent login activity, we can use the “-n” option to limit the lines in the output of the last command −
$ last -n 5 kent pts/0 192.168.0.63 Sat Apr 11 14:58 still logged in kent pts/
Conclusion
In this article, we learned about the last and lastb commands in Linux, which are used to display information about the most recently logged in users. The last command is especially useful for system administrators to track user activity on a server. The article also covered the different switches and syntax available with the command, as well as examples of how to use them. Furthermore, we also understood the output generated by the last command and how we can limit the number of lines in the output. The options explained above, examples and understanding the output will help you use this last command more efficiently.
- Related Articles
- How to Repeat Your Last Command in Linux?
- Linux comm Command
- Linux tar Command
- Linux watch Command
- Linux sort Command
- Linux source Command
- Linux ping Command
- Linux man Command
- Linux ps Command
- Linux tr Command
- Sudo Command in Linux
- The Linux join Command
- Free Command in Linux
- “Cut” Command in Linux
- Date Command in Linux
