Linux last Command


On Linux, the "last" command is used to display a list of users who have previously logged in to the system. This command is especially useful for system administrators who need to track user activity on a server. The last command can display a variety of information, including the date and time of access, the duration of the session and the terminal or device used to access the system.

Options and Syntax

The basic syntax of the last command is as follows −

$ last [options] [username]

Options available with the last command include −

-a − Display the hostname of the system in the output.

-d − Display the DNS name of the host instead of the IP address.

-f − Use the specified file as the data source instead of the default file.

-i − Display the IP address of the host instead of the hostname.

-n − Limit the number of lines of output.

-R − Print the system's hostname and IP address in reverse DNS format.

-x − Show system reboot messages in the output.


When managing a multi-user system, you often want detailed information about login activity. In this tutorial, we will learn through an example how to get login information using the “last” and “lastb” commands.

Introduction to last and lastb

The last command displays information about the most recently logged in users. It is quite convenient and useful when we need to track login activities or investigate a potential security breach.The last command will, by default, take the system log file “/var/log/wtmp” as the data source for generating reports. wtmp is a binary file on *nix operating systems that keeps a history of all login and logout activity.

The “lastb” command is the same as the last command, except that, by default, it looks in the “/var/log/btmp” file, which contains all failed login attempts. Regular users do not have read permission on the “/var/log/btmp” file −

$ ls -l /var/log/btmp
-rw-rw---- 1 root utmp 1152 Apr  5 00:04 /var/log/btmp

Therefore, only the root user can get the failed login attempt report using the “lastb” command.

Understand the Output

If we run the last command without any options, it will generate a history report of all accesses −

$ last
reboot   system boot  5.5.13-arch2-1   Fri Apr 10 08:02   still running
kent     pts/0     Tue Apr  7 22:01 - 23:03  (01:02)
reboot   system boot  5.5.8-arch1-1    Tue Mar 10 20:49 - 20:49  (00:00)
kent     pts/5        tmux(6716).%6    Thu Mar 26 18:58 - 19:01 (7+23:02)
root     tty1 slash Fri Feb 21 18:45 - down   (00:01)
kent     pts/0    Thu Feb 20 11:39 - 11:43  (00:04)
guest    pts/0     Sun Jan 26 19:15 - 21:32 (02:17)
kent pts/2 tmux(2044).%1 Wed Jan 8 22:39 - 01:09 (02:29)

Now, let's look at the access report generated above and understand the meaning of each column −

  • The first column shows the name of the logged in user.

  • The second column indicates how the user is connected to the system, for example via pts (pseudo-terminal) or tty (teletype). But if it was a restart task, it will show system boot.

  • The third column indicates where the user logged in from. The value could be −

    • a hostname or an IP address - if the user connected from a remote computer

    • empty value - if the user connected via a tty

    • a kernel version - if it is a reboot task

    • some application specific values, for example, tmux(6716).%6 means ProcessName(PID).WindowID

  • The fourth column indicates when the login activity occurred.

  • The fifth column shows the logout time. They can be the following values −

      • a timestamp − if the user logged out

      • still running − if the system startup is still running

      • still logged in − if the user is still logged in

      • down − the system shuts down normally

      • crash − if there is no logout entry in the “/var/log/wtmp” file; this usually means that the system has crashed

The last column indicates how long the user has been connected in the format (Hours: Minutes).

Limit the number of lines in the output

A multi-user system is very likely to have many login entries recorded in the wtmp file. If we just want to look at some of the most recent login activity, we can use the “-n” option to limit the lines in the output of the last command −

$ last -n 5
kent pts/0 Sat Apr 11 14:58 still logged in
kent pts/


In this article, we learned about the last and lastb commands in Linux, which are used to display information about the most recently logged in users. The last command is especially useful for system administrators to track user activity on a server. The article also covered the different switches and syntax available with the command, as well as examples of how to use them. Furthermore, we also understood the output generated by the last command and how we can limit the number of lines in the output. The options explained above, examples and understanding the output will help you use this last command more efficiently.