lastcomm

Show previously executed commands

TLDR

Print information about all the commands in the acct (record file)

$ lastcomm

Display commands executed by a given user

$ lastcomm --user [user]

Display information about a given command executed on the system

$ lastcomm --command [command]

Display information about commands executed on a given terminal

$ lastcomm --tty [terminal_name]

SYNOPSIS

lastcomm [OPTION]... [COMMAND]...

-f, --file[=FILENAME]
    Read from FILENAME instead of default /var/account/pacct

--fields[=LIST]
    Select output fields (e.g., COMMAND,UID,CPU; see man page for list)

--help
    Display help message and exit

--strict-user-match
    Show only commands matching current real UID

--version
    Output version information and exit

DESCRIPTION

lastcomm is a utility that reads and displays information from the system process accounting file, typically /var/account/pacct or /var/log/account/pacct. It shows details about previously executed commands, including the command name, execution flags, user ID, group ID, terminal, host, CPU time, and start time.

Process accounting must be enabled via accton for records to be logged. Each entry corresponds to a terminated process, capturing resource usage and execution metadata. This is useful for auditing user activity, tracking resource consumption, and analyzing system usage patterns.

Output columns include: COMMAND (name), FLAGS (status like exit status), UID/GID (user/group IDs), TTY (terminal), HOST (origin), TIME (CPU time), START (start time). By default, it lists all entries in reverse chronological order (newest first).

Filtering by command name limits output to matching processes. It's non-interactive and lightweight, ideal for scripts or quick checks. Note that accounting files can grow large, so rotation is managed by ac or cron jobs.

lastcomm

Show previously executed commands

TLDR

SYNOPSIS

PARAMETERS

DESCRIPTION

CAVEATS

OUTPUT FORMAT

HISTORY

SEE ALSO