Introduction
Before we start discussing about last command in linux, let's first understand-What is a Last Command ?
last
is a command-line utility that shows information about the system user's most recent login sessions. It comes in handy when you need to keep track of user activity or look into a probable security breach.
If you're in charge of a multiuser system, you'll frequently need to know who logged in, when, and from where.
In this tutorial, you will learn to audit who logged into the system and when using the last
command.
How to Use the last
Command
The following is the syntax for the last
command:
last [OPTIONS] [USER] [<TTY>...]
A record for each session is written to the /var/log/wtmp
file each time a user signs in. last
examines the wtmp
file and outputs information about the users' logins and logouts. Records are printed in reverse chronological sequence, beginning with the most recent.
When last
is called without any options or arguments, the result is as follows:
mark pts/0 10.10.0.7 Mon March 28 10:23 still logged in
mark pts/0 10.10.0.7 Tue March 22 22:34 - 00:05 (01:31)
lisa :0 :0 Thu March 17 09:19 gone - no logout
reboot system boot 4.15.0-74-g Fri Feb 25 08:03 - 08:03 (00:00)
...
From left to right, each line of output has the following columns:
- The name of the user.
Last
command shows the special usersreboot
andshutdown
when the system reboots or shuts down. - The tty on which the session occurred.
:0
indicates that the user was logging into a desktop environment. - The hostname or IP address from which the user logged in.
- The start and end times of the session.
- Session duration. It will display information about the session instead of the duration if it is still ongoing or if the user has not logged out.
Pass the user name or tty as an input to the last
command to limit the output to a specific user or tty:
last mark
last pts/0
Multiple users and ttys can also be specified as arguments:
last mark root pts/0
last
Command Options
last
accepts a number of options for limiting, formatting, and filtering the output. We'll go over the most prevalent ones in this section.
Pass a number preceded by a single hyphen to last
to specify the number of lines you'd want to be printed on the command line. To print only the latest ten login sessions, for example, type:
last -10
You may find out who logged into the system on a certain day using the -p
(--present
) option.
last -p 2020-01-15
Last
can be told to display lines since or until a certain time using the -s
(--since
) and -t
(--until
) options. These two parameters are frequently combined to provide a time interval during which information should be retrieved. For example, to see the login records from March 16 to March 28, type:
last -s 2020-03-16 -t 2020-03-28
The following formats can be used to provide the time passed to the -p
, -s
, and -t
options:
Output
YYYYMMDDhhmmss
YYYY-MM-DD hh:mm:ss
YYYY-MM-DD hh:mm (seconds will be set to 00)
YYYY-MM-DD (time will be set to 00:00:00)
hh:mm:ss (date will be set to today)
hh:mm (date will be set to today, seconds to 00)
now
yesterday (time is set to 00:00:00)
today (time is set to 00:00:00)
tomorrow (time is set to 00:00:00)
+5min
-5days
Last
does not display the seconds or the year by default. To see full login and logout times and dates, use the -F
, --fulltimes
option:
last -F
The -i
(--ip
) option forces last
to always display the IP address, while the-d
(--dns
) option forces last
to display hostnames:
last -i
FAQs of Last Command in Linux
How do I use the last
command to view past logins?
To view past logins with last
, simply run the command without any arguments. It will display a list of recently logged-in users, including login times and durations.
Where does the last
command retrieve its information from?
The last
command reads the /var/log/wtmp
file, which contains information about user logins, logouts, and system events.
Can last
show the login history of a specific user?
Yes, you can use the last
command followed by a username as an argument to display the login history of a specific user. For example, last username
displays the login history of the user with the specified username.
How can I view the system shutdown and reboot events with last
?
You can use the last
command with the -x
option to view system shutdown and reboot events. For example, last -x
displays the system shutdown/reboot history.
Can the last
command display login timestamps in a specific time zone?
Yes, you can use the -f
option followed by the time zone argument to adjust the displayed timestamps in a specific time zone. For example, last -f /var/log/wtmp -t UTC
displays timestamps in the UTC time zone.
What does the last
command display under the "wtmp begins" entry?
The "wtmp begins" entry in the last
command's output indicates when the wtmp
log file was initialized, providing the starting point for the logged data.
Can I limit the number of lines displayed by the last
command?
Yes, you can use the -n
option followed by a number to limit the number of lines displayed by the last
command. For example, last -n 10
displays the last 10 entries only.
Conclusion
The last
command displays information on the login and logout times of the users. In your terminal, type man last
for further information about the command.
If you have any queries, please leave a comment below and we’ll be happy to respond to them.