lastcomm

Print information about all the commands in the acct (record file)

$ lastcomm

$ lastcomm --user [user]

$ lastcomm --command [command]

$ lastcomm --tty [terminal_name]

lastcomm [options] [command...] [user...] [terminal...]

-n number
    Show only the first number of records.

-f file
    Read the accounting data from file instead of the default accounting file.

-i
    Display the I/O counts as well.

-p
    Display the process ID associated with each command.

-@
    Display the accounting record number.

[command...]
    Display records for the specified command(s).

[user...]
    Display records for the specified user(s).

[terminal...]
    Display records for the specified terminal(s).

The lastcomm command in Linux is used to display information about previously executed commands. It reads the accounting files (usually /var/log/pacct or /var/account/pacct) and reports the command name, the user who executed it, the CPU time used, and the time the command was executed. This tool is helpful for system administrators to monitor command usage, troubleshoot performance issues, and for security auditing.

Without any arguments, lastcomm will show information about all commands recorded in the accounting file. You can specify a user name, a terminal, or a command name as arguments to filter the output to only show records matching these criteria. Its efficiency is heavily dependent on the maintenance of the accounting logs; If logs rotate frequently or get corrupted the information displayed will be incomplete.

The accuracy of the output relies on the proper configuration and maintenance of the process accounting system. If process accounting is not enabled or is misconfigured, lastcomm will not provide useful information. The accounting file size must be managed to prevent excessive disk usage.

The location of the accounting file can vary depending on the system configuration. Common locations are /var/account/pacct, /var/log/pacct, or /usr/adm/pacct. The -f option is used to specify a different accounting file if the default location is not correct.

Process accounting must be enabled for lastcomm to function. This is typically done using the accton command. To enable accounting, you would typically run accton /var/account/pacct. To disable, use accton without arguments.

The lastcomm command has been a part of Unix-like systems for many years. It is a standard utility in most Linux distributions. Its primary function has remained consistent: to provide a means of examining past command executions for system administration and auditing purposes. Over time, minor features, such as displaying I/O counts, have been added, but the core functionality remains largely unchanged.

ac(1), sa(8), dump-acct(8)