lastcomm
displays information about previously executed commands from process
TLDR
Show recent commands
$ lastcomm
Show commands by user$ lastcomm [username]
Show specific command$ lastcomm --command [vim]
Show from specific file$ lastcomm -f [/var/account/pacct]
Show commands by terminal$ lastcomm --tty [pts/0]
SYNOPSIS
lastcomm [options] [user] [command] [terminal]
DESCRIPTION
lastcomm displays information about previously executed commands from process accounting data. It shows command name, flags, user, terminal, and execution time.
Process accounting must be enabled for lastcomm to have data. The accounting file is typically /var/account/pacct.
PARAMETERS
--command name
Filter by command name.--user name
Filter by user.--tty name
Filter by terminal.-f file
Use specific accounting file.--forwards
Show oldest first.--strict-match
Exact match only.--debug
Debug output.
OUTPUT FLAGS
$ S - Superuser (root) executed
F - Forked but didn't exec
D - Dumped core
X - Killed by signal
F - Forked but didn't exec
D - Dumped core
X - Killed by signal
ENABLING ACCOUNTING
$ # Enable accounting
sudo accton /var/account/pacct
# Disable accounting
sudo accton off
sudo accton /var/account/pacct
# Disable accounting
sudo accton off
CAVEATS
Requires process accounting enabled. Accounting adds system overhead. File grows continuously (rotate with sa). Not available on all systems.
HISTORY
lastcomm is part of the Unix process accounting system, dating back to early Unix. It provides historical tracking of executed commands, useful for auditing and troubleshooting.