Oct 14, 2023 4 min read

Last Command in Linux

Explore last command in linux with our step-by-step tutorial. It shows information about the system user's most recent login sessions.

Last Command in Linux
Table of Contents

Introduction

Before we start discussing about last command in linux, let's first understand-What is a Last Command ?

last is a command-line utility that shows information about the system user's most recent login sessions. It comes in handy when you need to keep track of user activity or look into a probable security breach.

If you're in charge of a multiuser system, you'll frequently need to know who logged in, when, and from where.

In this tutorial, you will learn to audit who logged into the system and when using the last command.

How to Use the last Command

The following is the syntax for the last command:

last [OPTIONS] [USER] [<TTY>...]

A record for each session is written to the /var/log/wtmp file each time a user signs in. last examines the wtmp file and outputs information about the users' logins and logouts. Records are printed in reverse chronological sequence, beginning with the most recent.

When last is called without any options or arguments, the result is as follows:

mark     pts/0        10.10.0.7   Mon March 28 10:23   still logged in
mark     pts/0        10.10.0.7   Tue March 22 22:34 - 00:05  (01:31)
lisa     :0           :0          Thu March 17 09:19   gone - no logout
reboot   system boot  4.15.0-74-g Fri Feb 25 08:03 - 08:03  (00:00)
...

From left to right, each line of output has the following columns:

  • The name of the user. Last command shows the special users reboot and shutdown when the system reboots or shuts down.
  • The tty on which the session occurred. :0 indicates that the user was logging into a desktop environment.
  • The hostname or IP address from which the user logged in.
  • The start and end times of the session.
  • Session duration. It will display information about the session instead of the duration if it is still ongoing or if the user has not logged out.

Pass the user name or tty as an input to the last command to limit the output to a specific user or tty:

last mark
last pts/0

Multiple users and ttys can also be specified as arguments:

last mark root pts/0

last Command Options

last accepts a number of options for limiting, formatting, and filtering the output. We'll go over the most prevalent ones in this section.

Pass a number preceded by a single hyphen to last to specify the number of lines you'd want to be printed on the command line. To print only the latest ten login sessions, for example, type:

last -10

You may find out who logged into the system on a certain day using the -p (--present) option.

last -p 2020-01-15

Last can be told to display lines since or until a certain time using the -s (--since) and -t (--until) options. These two parameters are frequently combined to provide a time interval during which information should be retrieved. For example, to see the login records from March 16 to March 28, type:

last -s 2020-03-16 -t 2020-03-28

The following formats can be used to provide the time passed to the -p, -s, and -t options:

Output

YYYYMMDDhhmmss
YYYY-MM-DD hh:mm:ss
YYYY-MM-DD hh:mm     (seconds will be set to 00)
YYYY-MM-DD           (time will be set to 00:00:00)
hh:mm:ss             (date will be set to today)
hh:mm                (date will be set to today, seconds to 00)
now
yesterday            (time is set to 00:00:00)
today                (time is set to 00:00:00)
tomorrow             (time is set to 00:00:00)
+5min
-5days

Last does not display the seconds or the year by default. To see full login and logout times and dates, use the -F, --fulltimes option:

last -F

The -i (--ip) option forces last to always display the IP address, while the-d (--dns) option forces last to display hostnames:

last -i

FAQs of Last Command in Linux

How do I use the last command to view past logins?

To view past logins with last, simply run the command without any arguments. It will display a list of recently logged-in users, including login times and durations.

Where does the last command retrieve its information from?

The last command reads the /var/log/wtmp file, which contains information about user logins, logouts, and system events.

Can last show the login history of a specific user?

Yes, you can use the last command followed by a username as an argument to display the login history of a specific user. For example, last username displays the login history of the user with the specified username.

How can I view the system shutdown and reboot events with last?

You can use the last command with the -x option to view system shutdown and reboot events. For example, last -x displays the system shutdown/reboot history.

Can the last command display login timestamps in a specific time zone?

Yes, you can use the -f option followed by the time zone argument to adjust the displayed timestamps in a specific time zone. For example, last -f /var/log/wtmp -t UTC displays timestamps in the UTC time zone.

What does the last command display under the "wtmp begins" entry?

The "wtmp begins" entry in the last command's output indicates when the wtmp log file was initialized, providing the starting point for the logged data.

Can I limit the number of lines displayed by the last command?

Yes, you can use the -n option followed by a number to limit the number of lines displayed by the last command. For example, last -n 10 displays the last 10 entries only.

Conclusion

The last command displays information on the login and logout times of the users. In your terminal, type man last for further information about the command.

If you have any queries, please leave a comment below and we’ll be happy to respond to them.

Great! You’ve successfully signed up.
Welcome back! You've successfully signed in.
You've successfully subscribed to DevOps Tutorials - VegaStack.
Your link has expired.
Success! Check your email for magic link to sign-in.
Success! Your billing info has been updated.
Your billing was not updated.