Linux Last Command - Records User Logins And Last Reboots

January 2, 2013 | By
| Reply More

Linux is a powerhouse of console commands and last is of the many gems that have some great use in system administration. Last searches back through the file /var/log/wtmp (or the file designated by the -f flag) and displays a list of all users logged in (and out) since that file was created. Names of users and tty's can be given, in which case last will show only those entries matching the arguments. Names of ttys can be abbreviated, thus last 0 is the same as last tty0.

When last catches a SIGINT signal (generated by the interrupt key, usually control-C) or aSIGQUIT signal (generated by the quit key, usually control-\), last will show how far it has searched through the file; in the case of the SIGINT signal last will then terminate.

The pseudo user reboot logs in each time the system is rebooted. Thus last reboot will show a log of all reboots since the log file was created.

[root@localhost ~]# last reboot
reboot system boot 2.6.32-279.14.1. Wed Dec 19 07:41 - 07:44 (00:03)
reboot system boot 2.6.32-279.14.1. Tue Dec 18 08:37 - 07:44 (23:07)
reboot system boot 2.6.32-279.14.1. Fri Dec 14 09:08 - 07:44 (4+22:36)
reboot system boot 2.6.32-279.14.1. Thu Dec 13 08:49 - 07:44 (5+22:54)
reboot system boot 2.6.32-279.5.2.e Thu Dec 6 03:33 - 05:17 (01:43)
reboot system boot 2.6.32-279.5.2.e Fri Nov 30 03:51 - 04:58 (01:07)
wtmp begins Thu Sep 6 11:38:08 2012

or

[root@localhost ~]# last reboot | head -1
reboot system boot 2.6.32-279.14.1. Wed Dec 19 07:41 - 07:47 (00:06)
we can also check the shutdown info like :
[root@localhost ~]# last shutdown
wtmp begins Thu Sep 6 11:38:08 2012

More Examples

To list all user id login successfully

# last

To list all user id failed login

# lastb

To list all ip address

# last -R

or

# lastb –R

A Real life scenario

How to use 'last' command to list users logged in during past few days. For example if i want to get the list of users logged in (and might be logged out after some time) from 15th Dec 2006 to 14th April 2007

last | sed -n '/Apr[ ]*14/,/Dec[ ]*15/p' | sed '/Dec[ ]*15/d'

How To clear last command history

As we know that it writes to wtmp ,so if we want to delete last history, then we can do it via

#> /var/log/wtmp

Or

#> /var/log/lastlog

Filed Under : HOWTOS, LINUX HOWTO

Free Linux Ebook to Download

Leave a Reply

Commenting Policy:
Promotion of your products ? Comment gets deleted.
All comments are subject to moderation.