lastlog
Report the most recent user logins
TLDR
Display the most recent login of all users
Display the lastlog record of the specified user
Display records older than 7 days
Display records more recent than 3 days
SYNOPSIS
lastlog [options]
PARAMETERS
-b, --before DAYS
Display lastlog records older than the specified number of DAYS. DAYS is an integer number of days.
-C, --clear
Clear a user's lastlog entry. This option requires the --user option to specify the user. This operation is typically reserved for root.
-h, --help
Display a help message and exit, showing available options and usage.
-R, --root CHROOT_DIR
Apply changes in the specified CHROOT_DIR directory. This is useful for managing user accounts in a chroot environment.
-t, --time DAYS
Display lastlog records newer than the specified number of DAYS. DAYS is an integer number of days.
-u, --user LOGIN
Display the lastlog record for the specified user LOGIN. This option accepts either a username or a numeric user ID (UID).
-V, --version
Display version information for the lastlog command and exit.
DESCRIPTION
The lastlog command displays the most recent login information for all users, or for a specified user, on the system. It reads data from the /var/log/lastlog file, a sparse file that efficiently stores the last login date, time, and location (tty and host) for each user account. This utility is invaluable for system administrators to audit user activity, identify dormant accounts, or monitor for suspicious login patterns. While it only shows the last login, it provides a quick overview of who has accessed the system recently and from where. Its output can be filtered by time or user, offering flexibility in reviewing login data.
CAVEATS
The lastlog file (/var/log/lastlog) only stores the most recent login for each user; it does not provide a historical record of all logins. For a complete login history, refer to the last(1) command. The accuracy of the information depends on login services correctly updating the lastlog file upon successful authentication. If a service does not update this file, the information might be outdated or incomplete. Clearing a lastlog entry with --clear should be used with caution, as it permanently removes the last login record for the specified user.
DATA SOURCE
The lastlog command primarily retrieves its data from the binary file located at /var/log/lastlog. This file is specifically designed as a sparse file, meaning it only allocates actual disk space for user IDs that have logged in, making it exceptionally efficient for systems managing a large number of user accounts, even if only a fraction of them are active.
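An added example, not code from the original page or from shadow-utils, showing how fixed-size records in a sparse file are read and why accounts that never logged in come back empty. It assumes the glibc layout on Linux (a 292-byte record per UID, stored at offset UID x 292); the function names and the sample records are constructed for illustration.

```python
import struct
import tempfile

# Assumed layout (glibc on Linux): 32-bit login time, 32-byte tty name,
# 256-byte host name, 292 bytes per record, indexed by UID.
RECORD = struct.Struct("=i32s256s")


def write_record(f, uid, when, line, host):
    """Write one record at uid * RECORD.size; skipped UIDs become a hole."""
    f.seek(uid * RECORD.size)
    f.write(RECORD.pack(when, line.encode(), host.encode()))


def read_record(f, uid):
    """Return (time, tty, host) for uid, or None if no login is recorded."""
    f.seek(uid * RECORD.size)
    raw = f.read(RECORD.size)
    if len(raw) < RECORD.size:      # uid lies past the end of the file
        return None
    when, line, host = RECORD.unpack(raw)
    if when == 0:                   # hole or all-zero record
        return None
    tty, src = (s.split(b"\0", 1)[0].decode() for s in (line, host))
    return when, tty, src


def dormant(f, uids, days, now):
    """UIDs with a recorded login older than `days` days before `now`."""
    cutoff = now - days * 86400
    recs = ((uid, read_record(f, uid)) for uid in uids)
    return [uid for uid, rec in recs if rec and rec[0] < cutoff]


def demo():
    now = 1_700_000_000                  # constructed "current" time
    with tempfile.TemporaryFile() as f:  # constructed stand-in for the real file
        write_record(f, 0, now - 2 * 86400, "tty1", "")
        write_record(f, 1000, now - 30 * 86400, "pts/0", "192.0.2.10")
        return {
            "root": read_record(f, 0),
            "uid_500": read_record(f, 500),    # inside the hole
            "uid_1000": read_record(f, 1000),
            "uid_2000": read_record(f, 2000),  # past end of file
            "dormant_7d": dormant(f, [0, 500, 1000, 2000], 7, now),
        }


if __name__ == "__main__":
    print(demo())
```

For an audit, treat accounts with no record separately from dormant ones: a missing record means no service wrote a login for that UID, not that the account is unused.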
UPDATING LASTLOG ENTRIES
The entries in the /var/log/lastlog file are typically updated by login programs and services, such as login(1), sshd(8), and getty(8), immediately after a user successfully authenticates and logs into the system. When a service performs this update, the recorded login time reflects the user's most recent access to the system; a service that does not update the file leaves the entry outdated, as noted under CAVEATS.
HISTORY
The concept of tracking user login times is a fundamental aspect of Unix-like operating systems for auditing and security purposes. The lastlog utility and its associated /var/log/lastlog file have been a standard component of these systems for many decades, providing a simple yet efficient mechanism to store the most recent login data for each user. Its design as a sparse file helps conserve disk space, making it scalable for systems with a large number of user accounts. It is typically part of the shadow-utils package on many modern Linux distributions, highlighting its role in system security and user account management.