LinuxCommandLibrary

lastcomm

Show previously executed commands

TLDR

Print information about all the commands in the acct (record file)

$ lastcomm

Display commands executed by a given user
$ lastcomm --user [user]

Display information about a given command executed on the system
$ lastcomm --command [command]

Display information about commands executed on a given terminal
$ lastcomm --tty [terminal_name]

SYNOPSIS

lastcomm [options] [command...] [user...] [terminal...]

PARAMETERS

-b
    Reads the accounting file backward, processing the newest entries first.

-f file
    Specifies an alternative process accounting file to read instead of the default.

-p
    Displays the total CPU time spent on each command matching the criteria.

-s
    Shows only the total number of commands matching the specified criteria.

-t
    Prints only the CPU time, exit status, and command name for each entry.

command...
    One or more command names to filter the output by. Only entries matching these commands will be shown. This argument can also be provided with --command.

user...
    One or more usernames to filter the output by. Only entries run by these users will be shown. This argument can also be provided with --user.

terminal...
    One or more TTY (terminal) names to filter the output by. Only entries from these terminals will be shown. This argument can also be provided with --tty.

--strict-match
    Treats command, user, or terminal arguments as exact matches, not substrings.

--debug
    Enables verbose debug output.

--help
    Displays a help message and exits.

--version
    Outputs version information and exits.

DESCRIPTION

lastcomm reports information about previously executed commands, reading its data from the system's process accounting file. This file, often located at /var/log/account/pacct or /var/account/pacct, is generated by the kernel when process accounting is enabled. For each recorded command, lastcomm typically displays the command name, the user who executed it, the terminal (TTY) it originated from (if applicable), the total CPU time consumed, and the command's exit status. It serves as a valuable tool for system auditing, understanding system usage patterns, and investigating past activity, providing insights into which commands were run, by whom, and with what resource consumption.

CAVEATS

For lastcomm to function, process accounting must be enabled in the Linux kernel, typically managed by the acct or psacct package. If accounting is not active, the /var/log/account/pacct file (or its equivalent) will not be populated, and lastcomm will have no data to display. The accounting file can grow significantly, and system administrators commonly configure log rotation for it, which means older command history might be archived or deleted. Accounting records are written only when a process terminates, so a process that is still running does not appear yet, and each record holds only the command name, not its command-line arguments. Data can also be incomplete if the accounting service was temporarily stopped or if the system experienced an unclean shutdown.

PROCESS ACCOUNTING PREREQUISITE

For lastcomm to function, the Linux kernel's process accounting feature must be active. This is typically achieved by installing and running the acct or psacct package (depending on your distribution), which ensures that process termination records are written to the /var/log/account/pacct file or its configured alternative.

OUTPUT FIELDS EXPLAINED

The standard output of lastcomm includes several fields:
Command Name: The name of the executed command.
Flags: Special flags like 'S' for superuser, 'F' for forked but not exec'd, 'D' for terminated with a core dump.
User: The username of the process's effective user ID.
TTY: The terminal from which the command was executed (if applicable).
CPU Time: The total CPU time (user + system) consumed by the process.
Start Time: The timestamp when the command was recorded (upon exit).
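
Because the flags column is often blank, splitting lastcomm output on whitespace from the left misaligns the user and TTY fields. The following is an added example, not part of the original page or of the acct package. It parses the fields listed above and filters on the flag letters. The sample lines are constructed, the function names are hypothetical, and the letters C and X come from the GNU lastcomm documentation rather than from this page.

```shell
#!/bin/sh
# Added example: triage lastcomm output by its flags column.

# Constructed sample shaped like lastcomm output (not real system data).
sample_lastcomm() {
cat <<'EOF'
sshd             SF    root     __         0.01 secs Mon Jan  6 10:14
ls                     alice    pts/0      0.00 secs Mon Jan  6 10:15
su               S     alice    pts/0      0.02 secs Mon Jan  6 10:16
convert           D    bob      pts/1      1.37 secs Mon Jan  6 10:20
EOF
}

# parse_lastcomm: lastcomm text on stdin -> TSV on stdout:
# command, flags ("-" when the column is empty), user, tty, CPU seconds.
parse_lastcomm() {
  awk '
    {
      # Anchor on the literal "secs" token; the flags column may be blank,
      # so counting fields from the left is unreliable.
      s = 0
      for (i = 1; i <= NF; i++) if ($i == "secs") { s = i; break }
      if (s < 5) next              # need at least: cmd user tty cpu secs
      cpu = $(s - 1); tty = $(s - 2); user = $(s - 3)
      last = s - 4                 # last token before the user column
      flags = "-"
      # Heuristic: a trailing run of flag letters is the flags column.
      if (last > 1 && $last ~ /^[SFCDX]+$/) { flags = $last; last-- }
      cmd = $1
      for (i = 2; i <= last; i++) cmd = cmd " " $i
      printf "%s\t%s\t%s\t%s\t%s\n", cmd, flags, user, tty, cpu
    }'
}

# flagged LETTERS: keep parsed records whose flags contain any given letter.
flagged() {
  parse_lastcomm | awk -F '\t' -v want="$1" '$2 ~ ("[" want "]")'
}

# Demo on the constructed sample: superuser (S) or core-dump (D) entries.
sample_lastcomm | flagged SD
```

On a live system the same filter reads real data with lastcomm | flagged S.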

HISTORY

lastcomm is a component of the GNU accounting utilities (often found in the acct or psacct package on Linux distributions), which have roots in classic Unix system administration. These utilities were historically crucial for system resource management and billing in multi-user computing environments. While their original billing purpose has largely diminished, lastcomm and its companions remain vital tools for system auditing, security analysis, and understanding historical command execution patterns on a server.

SEE ALSO

accton(8), sa(8), dump-acct(8), last(1)
