show a listing of last logged in users
last [options] [username...] [tty...]
lastb [options] [username...] [tty...]
last searches back through the /var/log/wtmp file (or the file designated by the -f option) and displays a list of all users logged in (and out) since that file was created. One or more usernames and/or ttys can be given, in which case last will show only the entries matching those arguments. Names of ttys can be abbreviated, thus last 0 is the same as last tty0.
When catching a SIGINT signal (generated by the interrupt key, usually control-C) or a SIGQUIT signal, last will show how far it has searched through the file; in the case of the SIGINT signal last will then terminate.
The pseudo user reboot logs in each time the system is rebooted. Thus last reboot will show a log of all the reboots since the log file was created.
lastb is the same as last, except that by default it shows a log of the /var/log/btmp file, which contains all the bad login attempts.
- -a, --hostlast
Display the hostname in the last column. Useful in combination with the --dns option.
- -d, --dns
For non-local logins, Linux stores not only the host name of the remote host, but its IP number as well. This option translates the IP number back into a hostname.
- -f, --file file
Tell last to use a specific file instead of /var/log/wtmp. The --file option can be given multiple times, and all of the specified files will be processed.
- -F, --fulltimes
Print full login and logout times and dates.
- -i, --ip
Like --dns , but displays the host's IP number instead of the name.
-n, --limit number
Tell last how many lines to show.
- -p, --present time
Display the users who were present at the specified time. This is like using the options --since and --until together with the same time.
- -R, --nohostname
Suppresses the display of the hostname field.
- -s, --since time
Display the state of logins since the specified time. This is useful, e.g., to easily determine who was logged in at a particular time. The option is often combined with --until.
- -t, --until time
Display the state of logins until the specified time.
- --time-format format
Define the output timestamp format to be one of notime, short, full, or iso. The notime variant will not print any timestamps at all, short is the default, and full is the same as the --fulltimes option. The iso variant will display the timestamp in ISO-8601 format. The ISO format contains timezone information, making it preferable when printouts are investigated outside of the system.
- -w, --fullnames
Display full user names and domain names in the output.
- -x, --system
Display the system shutdown entries and run level changes.
The options that take the time argument understand the following formats:
|YYYY-MM-DD hh:mm||(seconds will be set to 00)|
|YYYY-MM-DD||(time will be set to 00:00:00)|
|hh:mm:ss||(date will be set to today)|
|hh:mm||(date will be set to today, seconds to 00)|
|yesterday||(time is set to 00:00:00)|
|today||(time is set to 00:00:00)|
|tomorrow||(time is set to 00:00:00)|
The files wtmp and btmp might not be found. The system only logs information in these files if they are present. This is a local configuration issue. If you want the files to be used, they can be created with a simple touch(1) command (for example, touch /var/log/wtmp).
The last command is part of the util-linux package and is available from Linux Kernel Archive.