How Linux Who & Last Command Helps for Root Cause Analysis

May 2, 2011

The last command is very important in Linux because it helps with root cause analysis. Assume that something has changed on the system and you are not sure who made the change. Using the 'last' command, you can identify who was logged in at the particular time when the changes were made.

1) Shows the last logged in user's details

Here, you can see that the last user who logged in to the system was the root user, and it also shows the location from where the root user logged in and at what time.

The last command reads the /var/log/wtmp file and displays a list of all users who logged in and logged out since that file was created.

[root@mailserver ~]# last
root pts/0 192.168.1.100 Fri Jun 22 01:52 still logged in
root tty1 Fri Jun 22 01:50 still logged in
reboot system boot 2.6.9-103.ELsmp Fri Jun 22 01:48 (00:04)
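
The file that last reads can also be parsed directly to answer the root-cause question from the introduction: who was logged in at a given moment. The Python below is an added example, not part of the original article; it assumes the 384-byte glibc struct utmp layout of x86-64 Linux, and the sample records (users alice and bob, the second host address, the epoch times) are constructed.

```python
import struct

# Assumption: glibc struct utmp layout on x86-64 Linux, 384 bytes per record.
REC = struct.Struct("<h2xi32s4s32s256s2hi2i4i20s")
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8   # ut_type values from <utmp.h>

def _s(raw):                       # decode a NUL-padded fixed-width field
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def parse_wtmp(data):              # yields (type, line, user, host, epoch)
    for off in range(0, len(data) - REC.size + 1, REC.size):
        f = REC.unpack_from(data, off)
        yield f[0], _s(f[2]), _s(f[4]), _s(f[5]), f[9]

def sessions(data):                # returns [user, line, host, start, end] lists
    open_by_line, done = {}, []
    for typ, line, user, host, ts in parse_wtmp(data):
        if typ == BOOT_TIME:       # a reboot ends every session still open
            for s in open_by_line.values():
                s[4] = ts
            done += open_by_line.values()
            open_by_line = {}
        elif typ in (USER_PROCESS, DEAD_PROCESS):
            prev = open_by_line.pop(line, None)
            if prev:               # logout, or the line was reused
                prev[4] = ts
                done.append(prev)
            if typ == USER_PROCESS:
                open_by_line[line] = [user, line, host, ts, None]
    return done + list(open_by_line.values())

def logged_in_at(data, when):
    """Sessions covering epoch second `when`; end=None means still logged in."""
    return [s for s in sessions(data)
            if s[3] <= when and (s[4] is None or when < s[4])]

def _rec(typ, line, user, host, ts):   # builds one constructed sample record
    return REC.pack(typ, 0, line.encode(), b"", user.encode(), host.encode(),
                    0, 0, 0, ts, 0, 0, 0, 0, 0, b"")

SAMPLE = b"".join([   # constructed log; users, hosts and times are made up
    _rec(BOOT_TIME, "~", "reboot", "2.6.9-103.ELsmp", 1000),
    _rec(USER_PROCESS, "tty1", "root", "", 1120),
    _rec(USER_PROCESS, "pts/0", "alice", "192.168.1.100", 1240),
    _rec(DEAD_PROCESS, "pts/0", "", "", 1500),
    _rec(USER_PROCESS, "pts/0", "bob", "192.168.1.101", 1600),
])

if __name__ == "__main__":
    print(logged_in_at(SAMPLE, 1300))   # who was on the box at the time of a change
```

To run it against a real log, pass the bytes of a copy of /var/log/wtmp to logged_in_at together with the epoch time of the change being investigated.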

2) Suppress hostname / IP address

If you use the last command with the -R option, it suppresses the hostname or IP field.

[root@mailserver ~]# last -R
root pts/1 Fri Jun 22 01:58 still logged in
root pts/0 Fri Jun 22 01:52 still logged in
root tty1 Fri Jun 22 01:50 still logged in
reboot system boot Fri Jun 22 01:48 (00:09)

3) Reorder hostname

With the -a option, it displays the hostname in the last column.

[root@mailserver ~]# last -a
root pts/1 Fri Jun 22 01:58 still logged in 192.168.1.100
root pts/0 Fri Jun 22 01:52 still logged in 192.168.1.100

4) Display localhost IP address

With the -d option: for non-local logins, Linux stores not only the host name of the remote host but also its IP number, and this option translates the IP number back into a hostname.

[root@mailserver ~]# last -d
root pts/1 192.168.1.100 Fri Jun 22 01:58 still logged in
root pts/0 192.168.1.100 Fri Jun 22 01:52 still logged in

5) Runlevel and shutdown log

Use the -x option to display the system shutdown entries and run level changes.

[root@mailserver ~]# last -x
root pts/1 192.168.1.100 Fri Jun 22 01:58 still logged in
root pts/0 192.168.1.100 Fri Jun 22 01:52 still logged in
root tty1 Fri Jun 22 01:50 still logged in
runlevel (to lvl 3) 2.6.9-103.ELsmp Fri Jun 22 01:48 - 02:03 (00:14)
reboot system boot 2.6.9-103.ELsmp Fri Jun 22 01:48 (00:14)
shutdown system down 2.6.9-103.ELsmp Thu Jun 21 02:05 - 02:03 (23:57)
runlevel (to lvl 0) 2.6.9-103.ELsmp Thu Jun 21 02:05 - 02:05 (00:00)

To display the last shutdown date and time, use the following command:

# last -x | grep shutdown | head -1

6) Display last reboot and users

Use either command below to display a list of last logged in users and the system's last reboot time and date.

# last reboot | less
Or
# last reboot | head -1

Linux Who Command

The 'who' command shows who is currently logged in to the system. This is very useful for a system admin: before shutting down a Linux system, he has to make sure that no one is using it at that time, and he can confirm this with the who command.

1) From where who logged in

Running who with no options shows who is logged in and from where they logged in.

[root@mailserver ~]# who
root tty1 Jun 22 01:50
root pts/0 Jun 22 01:52 (192.168.1.100)
root pts/1 Jun 22 01:58 (192.168.1.100)

2) Display Last boot time

With the -b option, you can find the time of the last system boot.

[root@mailserver ~]# who -b
system boot Jun 22 01:48

3) Name and number of users logged in

With the -q option, you can list all login names and the number of users logged on.

[root@mailserver ~]# who -q
root root root
# users=3

4) Display User with associated machine name

With the -m and -H options, only the hostname and user associated with stdin are displayed, preceded by a line of column headings.

[root@mailserver ~]# who -mH
NAME LINE TIME COMMENT
root pts/1 Jun 22 01:58 (192.168.1.100)

5) Display current run level

With the -r option, you can print the current runlevel.

[root@mailserver ~]# who -r
run-level 3 Jun 22 01:48 last=S


Comments (1)


  1. Now that is some fantastic writing.
