Linux Last Command with Examples

The Linux last command shows which users have previously logged in to your server. It is an important command because it supports the audit trail: if something has changed on the system and you are not sure who made the change, 'last' lets you identify who was logged in at a particular time.

The last command lists every user login and logout recorded in '/var/log/wtmp' since that file was created. wtmp is a log file that captures every login and logout event. It is a binary file, so it cannot be read or edited with a text editor. That makes casual editing harder, but it is not tamper protection: a user with write access to the file, such as root, can still truncate or replace it, as the "Clear last command history" section below shows.

The last command shows the name of each user who logged in, the tty, the IP address (if the user connected remotely), the date and time, and how long the user stayed logged in.

How to run Last command

You just need to type 'last' on your console.

Here’s the sample:

$ last

leni pts/0 10.0.76.162 Mon Dec 2 12:32 - 13:25 (00:53)
pungki tty1 Mon Dec 2 09:31 still logged in
reboot system boot 2.6.32-358.23.2 Mon Dec 2 09:20 - 13:25 (04:05)

Here’s how to read last information:

The first column - name of the user who has logged in.

The second column - tells us how the user is connected (via pts or tty). The exception is reboot activity, where the status is shown as 'system boot'.

The third column - shows where the user connected from. If the user connected from a remote computer, you will see a hostname or an IP address. If you see :0.0 or nothing, the user connected via a local terminal. The exception is reboot activity, where the kernel version is shown instead.

The remaining columns - display the date and time stamps of the login and logout. The numbers in brackets tell us how many hours and minutes the connection lasted.

pts (pseudo terminal) - means that the user connected via a remote connection such as SSH or telnet.
tty (teletypewriter) - means that the user connected directly to the computer or via a local terminal.

1) Limit number of lines

When there are a lot of lines to show, you can limit how many you see with the -n option.

The following command displays 3 lines, starting from the current time and going backwards.

$ last -n 3

leni pts/0 10.0.76.162 Mon Dec 2 12:32 - 13:25 (00:53)
pungki tty1 Mon Dec 2 09:31 still logged in
reboot system boot 2.6.32-358.23.2 Mon Dec 2 09:20 - 13:25 (04:05)

2) Hide hostname/IP Address

Use the -R option to hide the hostname or IP address in the output.

Sample output

$ last -R

leni pts/0 Mon Dec 2 12:32 - 13:25 (00:53)
pungki tty1 Mon Dec 2 09:31 still logged in
reboot system boot Mon Dec 2 09:20 - 13:25 (04:05)

3) Display hostname in last column

Sometimes it is easier to read the output with the hostname or IP address in the last column. To do this, use the -a option as shown below:

$ last -a

leni pts/0 Mon Dec 2 12:32 - 13:25 (00:53) 10.0.76.162
pungki tty1 Mon Dec 2 09:31 still logged in :0.0
reboot system boot Mon Dec 2 09:20 - 13:25 (04:05) 2.6.32-358.23.2.el6.i686

4) Print full login and logout time and dates

By default, the last command won't show the full date and time. Use the -F option for this.

Here’s a sample:

$ last -F

leni pts/0 10.0.76.162 Mon Dec 2 12:32:24 2013 - Mon Dec 2 13:25:24 2013 (00:53)

5) Search between specific dates

You can use -s (since) and -t (until) options to search logs between specific dates.

For example, the following command prints logs from 1st February to 1st May 2019.

$ sudo last -F -s 2019-02-01 -t 2019-05-01

6) Print specific user name

If you want to trace a specific user, put the user's name after the last command.

$ last leni

leni tty1 Mon Dec 2 18:42 still logged in
leni pts/0 Mon Dec 2 12:32 - 13:25 (00:53) 10.0.76.162

Or, if you want to know when the system was rebooted, you can display that too:

$ last reboot

reboot system boot Mon Dec 2 09:20 - 16:55 (07:34)
reboot system boot Sun Dec 1 04:26 - 04:27 (00:01)
reboot system boot Wed Nov 27 20:27 - 01:24 (04:57)
reboot system boot Tue Nov 26 21:06 - 06:13 (09:06)

7) Print specific tty/pts

Last can also print information about a specific tty/pts. Just put the tty or pts name after the last command.

Sample outputs:

$ last tty1

pungki tty1 Mon Dec 2 09:31 still logged in
pungki tty1 Mon Dec 2 04:26 - down (00:00)
pungki tty1 Mon Dec 2 04:07 - down (00:00)
pungki tty1 Sun Dec 1 18:55 - 04:07 (09:12)

$ last pts/0

leni pts/0 10.0.76.162 Mon Dec 2 12:32 - 13:25 (00:53)
pungki pts/0 :0.0 Wed Nov 27 20:28 - down (04:56)

When you see down in place of the logout time, it means the user was logged in from that time until the system was rebooted or shut down.

8) Use another file than /var/log/wtmp

By default, the last command parses information from '/var/log/wtmp'. If you want it to parse another file, use the -f parameter.

For example, the log may have been rotated after a certain condition. Let's say the previous file is named '/var/log/wtmp.1'.

Then the last command looks like this:

$ last -f /var/log/wtmp.1

9) Display the run level changes

Use the -x option to display run level changes.

Here’s a sample output:

pungki tty1 Mon Dec 2 19:21 still logged in
runlevel (to lvl 3) 2.6.32-358.23.2 Mon Dec 2 19:20 - 19:29 (00:08)
reboot system boot 2.6.32-358.23.2 Mon Dec 2 19:20 - 19:29 (00:08)
shutdown system down 2.6.32-358.23.2 Mon Dec 2 18:56 - 19:20 (00:23)
runlevel (to lvl 0) 2.6.32-358.23.2 Mon Dec 2 18:56 - 18:56 (00:00)
leni tty1 Mon Dec 2 18:42 - down (00:00)

You can see that there are two run level entries. The 'to lvl 3' entry means the system is running in full console mode, with no active X Window or GUI. When the system is shut down, Linux uses run level 0, which is why last shows a 'to lvl 0' entry.

To display the last shutdown date and time, use the following command:

# last -x | grep shutdown | head -1

10) View bad logins

While the last command reports successful logins, the lastb command reports failed login attempts. You must have root access to run lastb. Lastb parses information from /var/log/btmp.

Here’s a sample output from lastb command.

# lastb

leni tty1 Mon Dec 2 22:12 - 22:12 (00:00)
rahma tty1 Mon Dec 2 22:11 - 22:11 (00:00)

11) Display localhost IP address

For non-local logins, Linux stores not only the host name of the remote host but also its IP number. The -d option translates that IP number back into a hostname where it can be resolved.

# last -d
root pts/1 192.168.1.100 Fri Jun 22 01:58 still logged in
root pts/0 192.168.1.100 Fri Jun 22 01:52 still logged in

12) Rotate wtmp logs

Since '/var/log/wtmp' records every single login, the file may grow quickly. By default, Linux rotates '/var/log/wtmp' every month. The details of the rotation are set in the /etc/logrotate.conf file.

Here’s the content of my '/etc/logrotate.conf' file.

/var/log/wtmp {
monthly
create 0664 root utmp
minsize 1M
rotate 1
}

And for '/var/log/btmp', here's the default rotation configuration:

/var/log/btmp {
missingok
monthly
create 0600 root utmp
minsize 1M
rotate 1
}

Clear last command history

Login events are written to wtmp, so if we want to delete the last history, we can truncate the file, which empties the login history for all users:

# > /var/log/wtmp

Or

# > /var/log/lastlog
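
An added example, not part of the original tutorial: wtmp and btmp are flat files of fixed-size binary records, so a short Python parser can read them without last, and the same parser can flag signs that a file was truncated or edited with commands like the ones above. It assumes the 384-byte glibc struct utmp layout used on Linux x86/x86-64; the function names and the sample records are constructed for illustration.

```python
import struct

# Assumption: glibc struct utmp on Linux x86/x86-64 (384 bytes): type, pid, line[32],
# id[4], user[32], host[256], exit status, session, tv_sec, tv_usec, addr_v6[16], unused[20].
REC = struct.Struct("<h2xi32s4s32s256shhiii16s20x")
TYPES = {0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 7: "USER_PROCESS", 8: "DEAD_PROCESS"}

def _text(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def parse(data):
    """Return one dict per complete record, oldest first (file order)."""
    records = []
    for off in range(0, len(data) - REC.size + 1, REC.size):
        typ, pid, line, _id, user, host, _t, _e, _s, sec, _us, _addr = REC.unpack_from(data, off)
        records.append({"type": TYPES.get(typ, str(typ)), "pid": pid, "time": sec,
                        "line": _text(line), "user": _text(user), "host": _text(host)})
    return records

def integrity_findings(data):
    """Signs that a file was cut or edited: leads to follow up, not proof."""
    findings = []
    if not data:
        findings.append("file is empty")
    if len(data) % REC.size:
        findings.append("size is not a multiple of the record size")
    previous = 0
    for index, rec in enumerate(parse(data)):
        if rec["type"] == "EMPTY" and rec["time"] == 0:
            findings.append(f"record {index} is zero-filled")
        elif rec["time"] < previous:
            findings.append(f"record {index} is older than the record before it")
        previous = max(previous, rec["time"])
    return findings

def make(typ, user, line, host, sec, pid=0):
    """Pack one record for the constructed sample below."""
    return REC.pack(typ, pid, line.encode(), b"", user.encode(), host.encode(), 0, 0, 0, sec, 0, b"")

# Constructed sample modelled on the output shown earlier; not real log data.
T0 = 1385976000
SAMPLE = (make(2, "reboot", "~", "2.6.32-358.23.2", T0)
          + make(7, "pungki", "tty1", "", T0 + 660, 1201)
          + make(7, "leni", "pts/0", "10.0.76.162", T0 + 11520, 1873)
          + make(8, "", "pts/0", "", T0 + 14700, 1873))

if __name__ == "__main__":
    print(*parse(SAMPLE), integrity_findings(SAMPLE) or "no findings", sep="\n")
```

To check a real host, pass open('/var/log/wtmp', 'rb').read() to parse() and integrity_findings(). A fresh rotation or a clock step backwards can produce a finding with no tampering involved.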

Conclusion

In this tutorial we learned how to use the last command in Linux to check logs from the wtmp file. For more detail, see the last manual page by typing man last on your console.

Pungki Arianto 6:38 pm
