last
Show user login/logout history
TLDR
View last login information (e.g., username, terminal, boot time, kernel) of all users as read from /var/log/wtmp
List login information of a specific user
Specify how many of the last logins to show
Print the full date and time for entries and then display the hostname column last to prevent truncation
View all logins by a specific user and show the IP address instead of the hostname
List information since a specific time and date
View all recorded reboots (i.e., the last logins of the pseudo user "reboot")
Display help
SYNOPSIS
last [options] [username...] [tty...]
last -f file [options] [username...] [tty...]
PARAMETERS
-a or --hostlast
Display the hostname in the last column. This is often the default behavior.
-f file or --file file
Specify an alternative file (e.g., an archived wtmp file) to read instead of the default /var/log/wtmp.
-F or --fulltimes
Print full login and logout times and dates, including the year and seconds.
-h or --nohostname
Do not display the hostname field in the output.
-i or --ip
Display the IP address in numerical form rather than attempting to resolve it to a hostname.
-n number or --limit number
Limit the output to the specified number of lines/entries.
-p or --present
Display the current time and state of the system, useful for seeing how long the system has been up or when the current users logged in.
-R or --nosamehost
Do not display the hostname field if the user logged in from the current host.
-s time or --since time
Display entries starting from the specified time. Time can be absolute (e.g., 'YYYY-MM-DD HH:MM:SS') or relative (e.g., 'now - 1day').
-t time or --until time
Display entries up to the specified time. Similar time format to -s.
-w or --fullnames
Display full usernames and tty names, without truncation.
-x or --system
Display run level changes and shutdown entries, in addition to user logins. This is often included by default but ensures their display.
--time-format format
Control the format of the timestamps in the output. Common formats include notime, short, full, and iso.
DESCRIPTION
The last command displays a listing of all users logged in (and out) since the wtmp file was created. By default, it reads from the /var/log/wtmp file, which records all login and logout events, system reboots, and runlevel changes. Each entry typically shows the username, the terminal (tty) they logged in from, the hostname if remote, the start time, the end time, and the duration of the session. If the session is still active or the system crashed, it will show 'still logged in' or 'down until crash'.
This command is invaluable for system administrators to audit user activity, track system uptime, and investigate security incidents by reviewing who accessed the system and when. It can filter results by specific users, terminals, or time ranges, providing a powerful tool for historical analysis of system access.
CAVEATS
The accuracy and completeness of the last command's output are entirely dependent on the integrity and existence of the wtmp file, typically located at /var/log/wtmp. If this file is corrupted, truncated, or rotated (e.g., by logrotate) without preserving older entries, the historical data will be incomplete or misleading.
It's important to note that last does not show currently logged-in users; for that, use commands like who or w. Additionally, log entries can potentially be faked or removed by an attacker with root privileges, compromising audit trails.
DATA SOURCE
By default, last reads login/logout records from the /var/log/wtmp file. This file stores a continuous log of user logins and logouts, system boots and shutdowns, and runlevel changes. The wtmp file is a binary file and should not be edited manually, as doing so can corrupt its contents.
FAILED LOGINS
The related command lastb (often a symbolic link to last with the -f /var/log/btmp option) is specifically used to display a list of bad (failed) login attempts. It reads its data from the /var/log/btmp file. This functionality is crucial for identifying brute-force attacks or unauthorized access attempts on a system.
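As an added example (not part of the original page, and not code from the last utility), the Python below decodes wtmp/btmp records directly, reports the integrity problems described under CAVEATS and DATA SOURCE (a truncated file, a record overwritten with zeros, timestamps out of order), and counts records per source address as one would for btmp. It assumes the 384-byte glibc struct utmp layout used on 64-bit Linux; the names parse, by_source and SAMPLE are illustrative, and the sample bytes are constructed.

```python
import collections, ipaddress, struct

# Assumption: glibc `struct utmp` as laid out on 64-bit Linux (384 bytes/record).
REC = struct.Struct("<h2xi32s4s32s256s2hi2i16s20x")
Entry = collections.namedtuple("Entry", "type user line host sec addr")

def _text(raw):
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def _addr(raw):
    # IPv4 occupies only the first 4 of the 16 address bytes.
    return str(ipaddress.ip_address(raw[:4] if not any(raw[4:]) else raw))

def parse(blob):
    """Decode a wtmp/btmp image; return (entries, integrity findings)."""
    entries, findings, prev = [], [], 0
    if len(blob) % REC.size:
        findings.append(f"partial record: {len(blob) % REC.size} trailing bytes")
    for off in range(0, len(blob) - REC.size + 1, REC.size):
        chunk = blob[off:off + REC.size]
        if not any(chunk):  # record slot overwritten with zeros
            findings.append(f"all-zero record at offset {off}")
            continue
        typ, _, line, _, user, host, _, _, _, sec, _, addr = REC.unpack(chunk)
        if sec < prev:  # append-only log; a clock correction can also cause this
            findings.append(f"timestamp goes backwards at offset {off}")
        prev = sec
        entries.append(Entry(typ, _text(user), _text(line), _text(host), sec, _addr(addr)))
    return entries, findings

def by_source(entries):
    """Records per source address, busiest first (failed attempts when fed btmp)."""
    return collections.Counter(e.addr for e in entries).most_common()

def _rec(typ, user, line, ip, sec):
    # Constructed sample record (documentation-range addresses, made-up users).
    return REC.pack(typ, 1234, line.encode(), b"", user.encode(), ip.encode(),
                    0, 0, 0, sec, 0, ipaddress.ip_address(ip).packed)

SAMPLE = (_rec(7, "alice", "pts/0", "192.0.2.10", 1700000000)
          + bytes(REC.size)                                      # zeroed slot
          + _rec(7, "bob", "pts/1", "203.0.113.7", 1699990000)   # out of order
          + _rec(6, "root", "ssh:notty", "203.0.113.7", 1700000100)
          + b"\x07\x00")                                         # truncated tail

if __name__ == "__main__":
    entries, findings = parse(SAMPLE)
    print(*findings, sep="\n")
    print(by_source(entries))
```

On a live system, pass the bytes of /var/log/wtmp or /var/log/btmp (or an archived copy) to parse(); treat each finding as a lead to review rather than proof of tampering.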
HISTORY
The last command has been a fundamental utility in Unix-like operating systems for many decades, providing a straightforward yet powerful way to review system login history. Its functionality is intrinsically linked to the wtmp file (and btmp for lastb), which is a binary log file maintained by the system to record login, logout, system boot, and shutdown events.
The concept of recording such events dates back to early Unix versions, with wtmp being a standard mechanism. While the core functionality of last has remained consistent over time, modern implementations have introduced enhancements such as flexible time filtering (with -s and -t) and customizable output formatting (with --time-format) to significantly improve its utility for system administrators and security auditors. Its continued relevance highlights the ongoing importance of auditing user access and system events for security and operational insights.