LinuxCommandLibrary

last

Show user login/logout history

TLDR

View last login information (e.g., username, terminal, boot time, kernel) of all users as read from /var/log/wtmp

$ last

List login information of a specific user
$ last [username]

Specify how many of the last logins to show
$ last [[-n|--limit]] [login_count]

Print the full date and time for entries and then display the hostname column last to prevent truncation
$ last [[-F|--fulltimes]] [[-a|--hostlast]]

View all logins by a specific user and show the IP address instead of the hostname
$ last [username] [[-i|--ip]]

List information since a specific time and date
$ last [[-s|--since]] [-7days]

View all recorded reboots (i.e., the last logins of the pseudo user "reboot")
$ last reboot

Display help
$ last [[-h|--help]]

SYNOPSIS

last [options] [username...] [tty...]
last -f file [options] [username...] [tty...]

PARAMETERS

-a or --hostlast
    Display the hostname in the last column. This is often the default behavior.

-f file or --file file
    Specify an alternative file (e.g., an archived wtmp file) to read instead of the default /var/log/wtmp.

-F or --fulltimes
    Print full login and logout times and dates, including the year and seconds.

-h or --nohostname
    Do not display the hostname field in the output.

-i or --ip
    Display the IP address in numerical form rather than attempting to resolve it to a hostname.

-n number or --limit number
    Limit the output to the specified number of lines/entries.

-p or --present
    Display the current time and state of the system, useful for seeing how long the system has been up or when the current users logged in.

-R or --nosamehost
    Do not display the hostname field if the user logged in from the current host.

-s time or --since time
    Display entries starting from the specified time. Time can be absolute (e.g., 'YYYY-MM-DD HH:MM:SS') or relative (e.g., 'now - 1day').

-t time or --until time
    Display entries up to the specified time. Similar time format to -s.

-w or --fullnames
    Display full usernames and tty names, without truncation.

-x or --system
    Display run level changes and shutdown entries, in addition to user logins. This is often included by default but ensures their display.

--time-format format
    Control the format of the timestamps in the output. Common formats include notime, short, full, and iso.

DESCRIPTION

The last command displays a listing of all users logged in (and out) since the wtmp file was created. By default, it reads from the /var/log/wtmp file, which records all login and logout events, system reboots, and runlevel changes. Each entry typically shows the username, the terminal (tty) they logged in from, the hostname if remote, the start time, the end time, and the duration of the session. If the session is still active or the system crashed, it will show 'still logged in' or 'down until crash'.

This command is invaluable for system administrators to audit user activity, track system uptime, and investigate security incidents by reviewing who accessed the system and when. It can filter results by specific users, terminals, or time ranges, providing a powerful tool for historical analysis of system access.

CAVEATS

The accuracy and completeness of the last command's output are entirely dependent on the integrity and existence of the wtmp file, typically located at /var/log/wtmp. If this file is corrupted, truncated, or rotated (e.g., by logrotate) without preserving older entries, the historical data will be incomplete or misleading.

It's important to note that last does not show currently logged-in users; for that, use commands like who or w. Additionally, log entries can potentially be faked or removed by an attacker with root privileges, compromising audit trails.

DATA SOURCE

By default, last reads login/logout records from the /var/log/wtmp file. This file stores a continuous log of user logins and logouts, system boots and shutdowns, and runlevel changes. The wtmp file is a binary file and should not be edited manually, as doing so can corrupt its contents.
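
Because wtmp is a binary file whose integrity the CAVEATS section says cannot be taken for granted, the following added example (not part of the original page or of the last utility itself) parses the raw records and lists inconsistencies worth investigating. It assumes the 384-byte glibc `struct utmp` layout used on x86-64 Linux; the function names and the sample bytes are constructed for illustration.

```python
import struct
from collections import namedtuple

# Assumption: glibc `struct utmp` as laid out on x86-64 Linux (384-byte records).
UTMP = struct.Struct("<h2xi32s4s32s256shhiii4i20s")
Record = namedtuple("Record", "type line user host sec")

def _text(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def parse(data):
    """Return (records, trailing_byte_count) for raw wtmp/btmp bytes."""
    usable = len(data) - len(data) % UTMP.size
    rows = (UTMP.unpack_from(data, off) for off in range(0, usable, UTMP.size))
    records = [Record(f[0], _text(f[2]), _text(f[4]), _text(f[5]), f[9]) for f in rows]
    return records, len(data) - usable

def findings(data):
    """List (record_index, reason) pairs worth investigating; none is proof of tampering."""
    records, trailing = parse(data)
    out, newest = [], 0
    for i, r in enumerate(records):
        if r.type == 0 and r.sec == 0 and not (r.line or r.user or r.host):
            out.append((i, "blank record"))
            continue
        if r.sec < newest:  # can also follow a legitimate clock change
            out.append((i, "timestamp earlier than a previous record"))
        newest = max(newest, r.sec)
    if trailing:
        out.append((len(records), "partial record at end of file"))
    return out

def make(ut_type, line, user, host, sec):
    """Build one constructed record for the demonstration below."""
    return UTMP.pack(ut_type, 0, line.encode(), b"", user.encode(), host.encode(),
                     0, 0, 0, sec, 0, 0, 0, 0, 0, b"")

# Constructed sample: boot, login, a blanked slot, an out-of-order login, a cut-off tail.
SAMPLE = (make(2, "~", "reboot", "", 1700000000)
          + make(7, "pts/0", "alice", "192.0.2.10", 1700000100)
          + bytes(UTMP.size)
          + make(7, "pts/1", "bob", "192.0.2.20", 1700000050)
          + b"\0" * 10)

if __name__ == "__main__":
    for index, reason in findings(SAMPLE):
        print(index, reason)
```

On a live system the same functions can be given the bytes of /var/log/wtmp, or of /var/log/btmp, which uses the same record format.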

FAILED LOGINS

The related command lastb (often a symbolic link to last with the -f /var/log/btmp option) is specifically used to display a list of bad (failed) login attempts. It reads its data from the /var/log/btmp file. This functionality is crucial for identifying brute-force attacks or unauthorized access attempts on a system.

HISTORY

The last command has been a fundamental utility in Unix-like operating systems for many decades, providing a straightforward yet powerful way to review system login history. Its functionality is intrinsically linked to the wtmp file (and btmp for lastb), which is a binary log file maintained by the system to record login, logout, system boot, and shutdown events.

The concept of recording such events dates back to early Unix versions, with wtmp being a standard mechanism. While the core functionality of last has remained consistent over time, modern implementations have introduced enhancements such as flexible time filtering (with -s and -t) and customizable output formatting (with --time-format) to significantly improve its utility for system administrators and security auditors. Its continued relevance highlights the ongoing importance of auditing user access and system events for security and operational insights.

SEE ALSO

who(1), w(1), users(1), lastb(1), utmp(5), lastlog(8)
