show a listing of last logged in users
last [options] [username...] [tty...] lastb [options] [username...] [tty...]
last searches back through the /var/log/wtmp file (or the file desig‐ nated by the -f option) and displays a list of all users logged in (and out) since that file was created. One or more usernames and/or ttys can be given, in which case last will show only the entries matching those arguments. Names of ttys can be abbreviated, thus last 0 is the same as last tty0. When catching a SIGINT signal (generated by the interrupt key, usually control-C) or a SIGQUIT signal, last will show how far it has searched through the file; in the case of the SIGINT signal last will then ter‐ minate. The pseudo user reboot logs in each time the system is rebooted. Thus last reboot will show a log of all the reboots since the log file was created. lastb is the same as last, except that by default it shows a log of the /var/log/btmp file, which contains all the bad login attempts.
-a, --hostlast Display the hostname in the last column. Useful in combination with the --dns option. -d, --dns For non-local logins, Linux stores not only the host name of the remote host, but its IP number as well. This option translates the IP number back into a hostname. -f, --file file Tell last to use a specific file instead of /var/log/wtmp. The --file option can be given multiple times, and all of the speci‐ fied files will be processed. -F, --fulltimes Print full login and logout times and dates. -i, --ip Like --dns , but displays the host's IP number instead of the name. -number -n, --limit number Tell last how many lines to show. -p, --present time Display the users who were present at the specified time. This is like using the options --since and --until together with the same time. -R, --nohostname Suppresses the display of the hostname field. -s, --since time Display the state of logins since the specified time. This is useful, e.g., to easily determine who was logged in at a partic‐ ular time. The option is often combined with --until. -t, --until time Display the state of logins until the specified time. --time-format format Define the output timestamp format to be one of notime, short, full, or iso. The notime variant will not print any timestamps at all, short is the default, and full is the same as the --fulltimes option. The iso variant will display the timestamp in ISO-8601 format. The ISO format contains timezone informa‐ tion, making it preferable when printouts are investigated out‐ side of the system. -w, --fullnames Display full user names and domain names in the output. -x, --system Display the system shutdown entries and run level changes.
The options that take the time argument understand the following for‐ mats: YYYYMMDDhhmmss YYYY-MM-DD hh:mm:ss YYYY-MM-DD hh:mm (seconds will be set to 00) YYYY-MM-DD (time will be set to 00:00:00) hh:mm:ss (date will be set to today) hh:mm (date will be set to today, seconds to 00) now yesterday (time is set to 00:00:00) today (time is set to 00:00:00) tomorrow (time is set to 00:00:00) +5min -5days
The files wtmp and btmp might not be found. The system only logs in‐ formation in these files if they are present. This is a local configu‐ ration issue. If you want the files to be used, they can be created with a simple touch(1) command (for example, touch /var/log/wtmp).
The last command is part of the util-linux package and is available from Linux Kernel Archive ⟨https://www.kernel.org/pub/linux/utils/util- linux/⟩.
Miquel van Smoorenburg ⟨email@example.com⟩