LinuxCommandLibrary

lastlog

Report the most recent user logins

TLDR

Display the most recent login of all users

$ lastlog
copy

Display the lastlog record of the specified user
$ lastlog --user [username]
copy

Display records older than 7 days
$ lastlog --before 7
copy

Display records more recent than 3 days
$ lastlog --time 3
copy

SYNOPSIS

lastlog [options] [username …]

PARAMETERS

-b, --before=DIR
    Directory for lastlog file (default: /var/log)

-d, --strict-mode
    Show only existing records (skip missing)

-f, --fields=FIELDS
    Fields to show: time,tty,host,rhost,id (comma-separated)

-H, --print-header
    Print column header line

-h, --help
    Display usage help

-s, --since=DATE
    Show entries since date (date(1) format)

-t, --recent-first
    Sort by login time, newest first

-u, --user=USER
    Limit to specific user or UID

-V, --version
    Print version info

DESCRIPTION

The lastlog command reads the system lastlog file, usually at /var/log/lastlog, to show the most recent login details for users. This binary file maintains a fixed-size record (typically 152 bytes) for each user ID (UID) from 0 up to the system's maximum, recording fields like login timestamp, terminal device (TTY), remote hostname (rhost), and IP address. It helps administrators audit login history, identify inactive accounts, or spot suspicious activity.

By default, lastlog lists entries for all users with login records, sorted by UID, showing columns for username, TTY, remote host, and login time (in local timezone). Entries for users who never logged in appear blank or are skipped with options. The file is updated by login programs like login(1) or PAM modules during interactive sessions, but may miss non-login shells (e.g., sudo, cron).

On modern Linux, the file is sparse to conserve space despite supporting millions of UIDs. Output is human-readable, with dates formatted via strftime. Filtering by user, date range, or fields makes it efficient for targeted queries.

CAVEATS

/var/log/lastlog can be huge (sparse file); reading all entries slow on large UID ranges. Not updated for all logins (e.g., sudo, SSH without PAM). Root-only access typical. Blank entries for never-logged users unless -d. Timezone-dependent output.

DEFAULT OUTPUT COLUMNS

Username
TTY (terminal)
Remote host/IP
Login time (local)

FILE FORMAT

Fixed 152-byte records per UID: struct lastlog with tv_sec/usec, line[32], llhost[64], addr[4/16]. Sparse on ext4/XFS.

HISTORY

Originated in 4.2BSD (1983) for login accounting. Linux version in util-linux package since ~1992; format standardized in POSIX.1-2008 for lastlog(5). Evolved with PAM integration.

SEE ALSO

last(1), lastb(1), utmpdump(1), w(1), lastlog(5)

Copied to clipboard