lastlog

Display the most recent login of all users

$ lastlog

$ lastlog --user [username]

$ lastlog --before 7

$ lastlog --time 3

lastlog [-u | --user ] [-t | --time ]

-u, --user
    Display last login information for a specific user (username or UID).

-t, --time
    Display only entries newer than days days.

-b, --before
    Display only entries older than days days.

-C, --clear
    Clear the lastlog record. Requires root privileges.

The lastlog command is a utility used in Linux systems to display the most recent login information for all users or a specified user. It reads information from the /var/log/lastlog file, which is a database that stores the timestamp of the last time each user logged into the system. The output typically includes the username, port (tty), the host from which the user logged in, and the last login time. It is a valuable tool for system administrators to track user activity and identify potential security issues, such as unauthorized access or inactive accounts. Without arguments, lastlog displays information for all users. The -u option followed by a username or UID allows the display of a specific user's last login. If a user has never logged in, a message indicating this is displayed. Understanding the output of lastlog can assist in auditing user access and maintaining system security. The lastlog file can grow large on systems with many users.

The lastlog file can grow large and consume significant disk space on systems with many users. The lastlog file is updated only upon successful login; failed login attempts are not recorded. Requires root privileges to use the clear option.

The last login information is stored in the /var/log/lastlog file. This is a sparse file. Note that using /var/log/lastlog on networked home directories (NFS) may not work correctly.

Reading the lastlog file generally requires root privileges, though it may be readable by members of specific groups depending on system configuration. The -C option always requires root permissions.

The lastlog command has been a part of Unix-like operating systems for a long time. Its purpose is to provide a simple way to check the last login time of users on the system. Originally, it likely served as a basic tool for system administrators to monitor user activity. Over time, its functionality has remained relatively consistent, focusing on reporting information from the lastlog file. Its usage remains relevant for security auditing and account management.

login(1), w(1), who(1), utmp(5), btmp(5), faillog(8)