last command in Linux with Examples
The last command in Linux displays the list of all users who have logged in and out since the file /var/log/wtmp was created. One or more usernames can be given as arguments to display their login (and logout) times and their hostname.
Syntax:
Example:
Options:
Example:
Output:
-R: This option is used to hide the host-name field.
Example:
-F: This option is used to display the login and logout time including the dates.
Example:
-a: This option is used to display the host-name in the last column.
Example:
-s, -t: These options are used to display entries within a specific time period. -s (since) and -t (until) together frame the time period.
Example:
The valid formats for the above commands are:
-d: This option is used to translate the IP address back into its host-name.
Example:
-x: This option is used to display information like system down entries and run level changes.
Example:
-w: This option is used to display full user and domain names.
Example:
--help: This option is used to display help regarding all options belonging to the last command.
Linux Last Command with Examples
The Linux last command is used to check which users have previously logged in to your server. This command is very important in Linux because it helps with the audit trail. Assume that something has changed in the Linux system and you are not sure who made the change. Using the ‘last’ command you can identify who was logged in at a particular time.
The last command displays a list of all users logged in and out, read from ‘/var/log/wtmp’, since the file was created. Wtmp is a log file that captures and records every login and logout event. It is a binary file that cannot be viewed with a text editor. This is a smart design, because a user, or even root, cannot simply edit the file as they want in a text editor.
The last command gives you the name of each user who logged in, the tty, the IP address (if the user made a remote connection), the date and time, and how long the user was logged in.
How to run Last command
You just need to type ‘last’ on your console.
Here’s how to read last information:
The first column: the name of the user who has logged in.
The second column: how the user is connected (via pts or tty). The exception is reboot activity, where the status is shown as ‘system boot’.
The third column: where the user connected from. If the user connected from a remote computer, you will see a hostname or an IP address. If you see :0.0 or nothing, the user is connected via a local terminal. The exception is reboot activity, where the kernel version is shown instead.
The remaining columns: the login time and date stamp of when the activity happened. The numbers in brackets tell us how many hours and minutes the connection lasted.
pts (pseudo terminal): the user connected via a remote connection such as SSH or telnet.
tty (teletypewriter): the user connected directly to the computer or via a local terminal.
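What last does with the binary wtmp file described above, as an added example that is not part of the original article: it decodes fixed-size records and pairs each login with the logout on the same terminal to get the duration. The record layout (384-byte glibc `struct utmp` on x86-64 Linux) is an assumption, the helper names are hypothetical, the sample records are constructed, and the pairing is simplified compared with the real tool.

```python
import struct
from datetime import datetime, timezone

# Assumed layout: glibc "struct utmp" on x86-64 Linux, 384 bytes per record.
REC = struct.Struct("<hxxi32s4s32s256shhiii16s20x")
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8

def cstr(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def parse_wtmp(data):
    """Yield (type, line, user, host, epoch) for each complete record."""
    for off in range(0, len(data) - len(data) % REC.size, REC.size):
        f = REC.unpack_from(data, off)
        yield f[0], cstr(f[2]), cstr(f[4]), cstr(f[5]), f[9]

def sessions(data):
    """Pair each login with the logout on the same line; duration in seconds."""
    open_by_line, out = {}, []
    for typ, line, user, host, sec in parse_wtmp(data):
        if typ == BOOT_TIME:
            # A boot record closes sessions that never logged out (duration None).
            out += [(u, l, h, s, None) for l, (u, h, s) in open_by_line.items()]
            open_by_line.clear()
        elif typ == USER_PROCESS:
            open_by_line[line] = (user, host, sec)
        elif typ == DEAD_PROCESS and line in open_by_line:
            u, h, start = open_by_line.pop(line)
            out.append((u, line, h, start, sec - start))
    # Whatever is still open has no logout record yet: duration -1.
    out += [(u, l, h, s, -1) for l, (u, h, s) in open_by_line.items()]
    return sorted(out, key=lambda r: r[3], reverse=True)  # newest first, like last

def make(typ, line, user, host, sec):
    """Build one constructed record (sample data, not from a real system)."""
    return REC.pack(typ, 0, line.encode(), b"", user.encode(), host.encode(),
                    0, 0, 0, sec, 0, b"")

SAMPLE = b"".join([
    make(BOOT_TIME, "~", "reboot", "5.4.0-example", 1582000000),
    make(USER_PROCESS, "pts/0", "alice", "203.0.113.7", 1582000600),
    make(DEAD_PROCESS, "pts/0", "", "", 1582004200),
    make(USER_PROCESS, "tty1", "bob", "", 1582005000),
])

if __name__ == "__main__":
    for user, line, host, start, dur in sessions(SAMPLE):
        when = datetime.fromtimestamp(start, timezone.utc).strftime("%a %b %d %H:%M")
        print(f"{user:<8} {line:<8} {host or '-':<16} {when} {dur}")
```

A duration of `None` corresponds to the "down" or "crash" state that last prints, and `-1` to "still logged in".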
1) Limit number of lines
When there are a lot of lines to show, you can limit how many lines you want to see using the -n option.
The following command displays 3 lines, starting from the current time and going backwards.
2) Hide hostname/IP Address
Use the -R option to suppress printing of the hostname or IP address.
3) Display hostname in last column
Sometimes it’s easier to have the hostname or IP address printed in the last column. To do this, you can use the -a option as shown below:
4) Print full login and logout time and dates
By default, the last command won’t show the full date and time. You can use the -F option for this.
5) Search between specific dates
You can use -s (since) and -t (until) options to search logs between specific dates.
For example, the following command will print logs from 1st February to 1st May 2019.
6) Print specific user name
If you want to trace a specific user, you can print only that user’s entries. Put the name of the user after the last command.
Or, if you want to know when a reboot was done, you can display that as well.
7) Print specific tty/pts
Last can also print information about a specific tty/pts. Just put the tty or pts name after the last command.
When you see the value ‘down’ in brackets, it means that the user was logged in from that specific time until the system was rebooted or shut down.
8) Use another file than /var/log/wtmp
By default, the last command parses information from ‘/var/log/wtmp’. If you want the last command to parse another file, you can use the -f parameter.
For example, you may rotate the log after a certain condition. Let’s say the previous file is named ‘/var/log/wtmp.1’.
Then the last command will look as following:
9) Display the run level changes
Use the -x option if you want to display run level changes.
Here’s a sample output:
You can see that there are two run level entries. The entry that has ‘to lvl 3’ means the system is running in full console mode, with no active X Window or GUI. Meanwhile, when the system is shut down, Linux uses run level 0. That’s why last shows a ‘to lvl 0’ entry.
To display the last shutdown date and time, use the following command:
10) View bad logins
While the last command reports successful logins, the lastb command reports failed login attempts. You must have root access to run the lastb command. Lastb parses information from /var/log/btmp.
Here’s a sample output from lastb command.
11) Display localhost IP address
With the -d option (for non-local logins), Linux stores not only the host name of the remote host but also its IP number.
12) Rotate wtmp logs
Since ‘/var/log/wtmp’ records every single login activity, the size of the file may grow quickly. By default, Linux rotates ‘/var/log/wtmp’ every month. The details of the rotation are set in the /etc/logrotate.conf file.
Here’s the content of my ‘/etc/logrotate.conf’ file.
And for ‘/var/log/btmp’, here’s default configuration of rotate activity
Clear last command history
As we know, it writes to wtmp, so if we want to delete the last history, we can do it via
Conclusion
In this tutorial, we learned how to use the last command in Linux to check logs from the wtmp file. For more detail, see the last manual page by typing man last on your console.
Last Command in Linux
Posted Feb 21, 2020
If you are managing a multiuser system, you’ll often need to know who logged into the machine, when, and from where.
last is a command-line utility that displays information about the last login sessions of the system users. It is very useful when you need to track user activity or investigate a possible security breach.
This article explains how to audit who logged into the system using the last command.
How to Use the last Command
The syntax for the last command is as follows:
Each time a user logs into the system, a record for that session is written to the /var/log/wtmp file. last reads the wtmp file and prints information about the logins and logouts of the users. Records are printed in reverse time order, starting from the most recent ones.
When last is invoked without any option or argument, the output looks something like this:
Each line of output contains the following columns from left to right:
- The user name. When the system reboots or shuts down, last shows the special users reboot and shutdown.
- The tty on which the session took place. :0 usually means that the user was logging in to a desktop environment.
- The IP address or the hostname from which the user logged in.
- The session start and stop times.
- The duration of the session. If the session is still active or the user didn’t logout, last will show information about that instead of the duration.
To restrict the output to a specific user or tty, pass the user name or tty as an argument to the last command:
You can also specify multiple usernames and ttys as arguments:
last Command Options
last accepts several options that allow you to limit, format, and filter the output. In this section, we’ll cover the most common ones.
To specify the number of lines you’d like to be printed on the command line, pass the number preceded by a single hyphen to last. For example, to print only the last ten login sessions you would type:
With the -p (--present) option, you can find out who logged into the system on a specific date.
Use the -s (--since) and -t (--until) options to tell last to display the lines since or until the specified time. These two options are often used together to define a time interval for which you want the information to be retrieved. For example, to display the login records from Feb 13 to Feb 18, you would run:
The time passed to the -p, -s and -t options can be specified in the following formats:
By default, last doesn’t show the seconds and the year. Use the -F (--fulltimes) option to view full login and logout times and dates:
The -i (--ip) option forces last to always show the IP address, and the -d (--dns) option to show hostnames:
Conclusion
The last command prints information about the users’ login and logout times. For more information about the command, type man last in your terminal.