lastcomm
Show previously executed commands
TLDR
Print information about all the commands in the acct (record file)
Display commands executed by a given user
Display information about a given command executed on the system
Display information about commands executed on a given terminal
SYNOPSIS
lastcomm [options] [command...] [user...] [terminal...]
PARAMETERS
-n number
Show only the first number of records.
-f file
Read the accounting data from file instead of the default accounting file.
-i
Display the I/O counts as well.
-p
Display the process ID associated with each command.
-@
Display the accounting record number.
[command...]
Display records for the specified command(s).
[user...]
Display records for the specified user(s).
[terminal...]
Display records for the specified terminal(s).
DESCRIPTION
The lastcomm
command in Linux is used to display information about previously executed commands. It reads the accounting files (usually /var/log/pacct
or /var/account/pacct
) and reports the command name, the user who executed it, the CPU time used, and the time the command was executed. This tool is helpful for system administrators to monitor command usage, troubleshoot performance issues, and for security auditing.
Without any arguments, lastcomm
will show information about all commands recorded in the accounting file. You can specify a user name, a terminal, or a command name as arguments to filter the output to only show records matching these criteria. Its efficiency is heavily dependent on the maintenance of the accounting logs; If logs rotate frequently or get corrupted the information displayed will be incomplete.
CAVEATS
The accuracy of the output relies on the proper configuration and maintenance of the process accounting system. If process accounting is not enabled or is misconfigured, lastcomm
will not provide useful information. The accounting file size must be managed to prevent excessive disk usage.
ACCOUNTING FILE
The location of the accounting file can vary depending on the system configuration. Common locations are /var/account/pacct
, /var/log/pacct
, or /usr/adm/pacct
. The -f option is used to specify a different accounting file if the default location is not correct.
ENABLING PROCESS ACCOUNTING
Process accounting must be enabled for lastcomm
to function. This is typically done using the accton
command. To enable accounting, you would typically run accton /var/account/pacct
. To disable, use accton
without arguments.
HISTORY
The lastcomm
command has been a part of Unix-like systems for many years. It is a standard utility in most Linux distributions. Its primary function has remained consistent: to provide a means of examining past command executions for system administration and auditing purposes. Over time, minor features, such as displaying I/O counts, have been added, but the core functionality remains largely unchanged.