How to use the command 'last' (with examples)
The last command is an essential utility in Unix-based systems used to track user access and activity through listings of recent logins. It parses information from the /var/log/wtmp file, which records various system logs including user logins, logouts, system boots, and shutdowns. This command proves invaluable for system administrators and IT security professionals who want to monitor user activities, track downtime, or simply audit access to the system.
Use case 1: Viewing the Last Logins with Duration and Additional Information
Code:
last
Motivation:
The primary motivation for using this example is to quickly ascertain which users have accessed the system recently, along with the duration of their sessions. This knowledge is vital for ensuring that no unauthorized access has occurred while providing data analytics for user activity tracking.
Explanation:
last: Invoking the last command without any additional options displays a comprehensive list of all users who have logged into the system. This list includes user names, terminal names, IP addresses or hostnames, login times and duration, and more. The command utilizes the /var/log/wtmp file to compile this information.
Example Output:
username pts/0 192.168.1.10 Mon Oct 10 14:00 still logged in
username pts/1 192.168.1.15 Mon Oct 10 13:50 - 14:10 (00:20)
Use case 2: Specifying the Number of Last Logins to Show
Code:
last -n 5
Motivation:
System administrators often need a succinct overview of user access without being overwhelmed by too much information. Limiting output to a specified number of entries focuses on the most recent activities, facilitating a manageable data set for quick review.
Explanation:
-n: This option is followed by a numeric value, specifying how many lines of login records should be displayed.
5: This numeric argument tells last to output only the five most recent entries, making it easier to view recent activities without sifting through excessive data.
Example Output:
username pts/0 192.168.1.10 Mon Oct 10 14:00 still logged in
username pts/1 192.168.1.15 Mon Oct 10 13:50 - 14:10 (00:20)
...
(3 more entries follow with recent login detail)
Use case 3: Printing Full Date and Time with Hostname Last
Code:
last -F -a
Motivation:
In scenarios requiring precise temporal information for audits or analyses, it’s vital to have the full date and time represented rather than abbreviations. Simultaneously, moving the hostname column to the end prevents visual truncation, ensuring all information is visible.
Explanation:
-F: This argument ensures the full date and time is shown for each record, providing detailed temporal data for each login.
-a: This option appends the hostname at the end of each record to prevent it from being cut off in the console view.
Example Output:
username pts/0 Fri Oct 13 2023 13:00 - 14:20 (01:20) 192.168.1.10
username pts/1 Fri Oct 13 2023 12:30 still logged in 192.168.1.15
Use case 4: Viewing Logins by Specific User with IP Address
Code:
last username -i
Motivation:
System administrators may need to track activities attributed to specific users to ensure compliance with security protocols or to investigate suspicious behaviors. Displaying the IP addresses instead of hostnames offers more precise network identification, which is critical when enforcing audit trails.
Explanation:
username: Replace this placeholder with the actual username to filter the login records only for this particular user.
-i: This option replaces hostnames with IP addresses, providing more specific details about the connection source.
Example Output:
username pts/0 192.168.1.10 Mon Oct 10 14:00 still logged in
username pts/1 192.168.1.15 Mon Oct 10 12:00 - 13:00 (01:00)
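The source-address audit described in this use case can be scripted. The following shell function is an added example, not part of the original article: it reads last -i output on standard input and prints every session whose IPv4 source lies outside an allowlist of CIDR ranges. The function names, the allowlist and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the format `last -i` prints (not real data).
sample_last_output() {
    cat <<'EOF'
alice    pts/0        192.168.1.10     Mon Oct 10 14:00   still logged in
alice    pts/1        192.168.1.15     Mon Oct 10 13:50 - 14:10  (00:20)
bob      pts/2        203.0.113.45     Mon Oct 10 03:12 - 03:40  (00:28)
carol    tty1         0.0.0.0          Sun Oct  9 09:00 - 09:30  (00:30)
reboot   system boot  5.4.0-42-generic Sun Oct  9 08:55   still running
bob      pts/0        10.8.0.7         Sat Oct  8 11:00 - 12:00  (01:00)

wtmp begins Sat Oct  8 09:00:00 2022
EOF
}

# flag_unexpected_sources CIDR[,CIDR...]
# Reads `last -i` lines on stdin and prints "user tty ip" for every session
# whose IPv4 source address falls outside all of the allowed ranges.
flag_unexpected_sources() {
    awk -v cidrs="$1" '
    function ip2int(ip,   o) {
        if (split(ip, o, ".") != 4) return -1
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    function allowed(ip,   n, i, c, p, bits, size, base) {
        n = split(cidrs, c, ",")
        for (i = 1; i <= n; i++) {
            # A bare address without "/len" is treated as a /32.
            bits = (split(c[i], p, "/") == 2) ? p[2] : 32
            base = ip2int(p[1])
            if (base < 0) continue            # ignore malformed entries
            size = 2 ^ (32 - bits)
            if (int(ip2int(ip) / size) == int(base / size)) return 1
        }
        return 0
    }
    # Only lines whose third field is a dotted quad are login sessions;
    # this also skips reboot/shutdown records and the "wtmp begins" footer.
    $3 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && !allowed($3) { print $1, $2, $3 }
    '
}

# 0.0.0.0/32 is allowed on the assumption that local console sessions are
# reported with that address under -i.
sample_last_output | flag_unexpected_sources "192.168.1.0/24,10.8.0.0/16,0.0.0.0/32"
```

On a live system the input would come from last -i piped into flag_unexpected_sources; IPv6 sources are not matched by this example.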
Use case 5: Viewing All Recorded Reboots
Code:
last reboot
Motivation:
Tracking system reboots is crucial for maintaining insights into system availability and diagnosing potential hardware or software issues. Frequent reboots might indicate underlying problems requiring attention.
Explanation:
reboot: Specifying “reboot” as the argument makes the command list all instances when the system was rebooted, drawing from the pseudo user record for “reboot.”
Example Output:
reboot system boot 5.4.0-42-generic Mon Oct 10 10:00 still running
reboot system boot 5.4.0-42-generic Sun Oct 09 22:30 - 23:50 (01:20)
Use case 6: Viewing All Recorded Shutdowns
Code:
last shutdown
Motivation:
This use case is beneficial for understanding the planned or unintentional shutdown events that could impact service availability. Analyzing shutdown logs can assist in correlating with crash reports or user complaints about downtime.
Explanation:
shutdown: By using “shutdown” as the argument, last will output logs of every system shutdown event, referencing the pseudo user “shutdown.”
Example Output:
shutdown system down 5.4.0-42-generic Sun Oct 09 23:50 - 10:00 (10:10)
shutdown system down 5.4.0-42-generic Mon Oct 08 18:00 - 19:00 (01:00)
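Use cases 5 and 6 combine when correlating downtime with crashes: a boot record followed by another boot record with no shutdown record in between means the earlier boot did not end with a recorded shutdown. The script below is an added example, not part of the original article, that applies this check to output such as that of last -x reboot shutdown (the -x option asks last to include shutdown entries). The function names and sample records are constructed.

```shell
#!/bin/sh
# Constructed sample in the page's output format, newest record first.
sample_boot_log() {
    cat <<'EOF'
reboot   system boot  5.4.0-42-generic Mon Oct 10 10:00   still running
shutdown system down  5.4.0-42-generic Sun Oct  9 23:50 - 10:00  (10:10)
reboot   system boot  5.4.0-42-generic Sun Oct  9 22:30 - 23:50  (01:20)
reboot   system boot  5.4.0-42-generic Sat Oct  8 19:00 - 22:30  (1+03:30)
shutdown system down  5.4.0-42-generic Sat Oct  8 18:00 - 19:00  (01:00)
reboot   system boot  5.4.0-42-generic Sat Oct  8 09:00 - 18:00  (09:00)

wtmp begins Sat Oct  8 09:00:00 2022
EOF
}

# unclean_boots: reads reboot/shutdown records on stdin (newest first, as
# last prints them) and prints the start time of every boot that was
# followed by another boot with no shutdown record in between.
unclean_boots() {
    awk '
    # Keep only the pseudo-user records; user sessions and the footer are ignored.
    $1 == "reboot" || $1 == "shutdown" { rec[++n] = $0 }
    END {
        open_boot = ""                    # boot with no shutdown seen yet
        for (i = n; i >= 1; i--) {        # walk from oldest to newest
            split(rec[i], f, " ")
            if (f[1] == "shutdown") { open_boot = ""; continue }
            if (open_boot != "") print open_boot
            # Fields 5-8 are weekday, month, day and time in this format.
            open_boot = f[5] " " f[6] " " f[7] " " f[8]
        }
    }'
}

# The newest boot is never reported: it may simply still be running.
sample_boot_log | unclean_boots
```

Records older than the start of the current wtmp file are not visible to this check, so a rotated or truncated log shortens the window it covers.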
Conclusion:
The last command is a versatile tool crucial for auditing and maintenance within Unix-based environments. Through various arguments, it provides comprehensive insights into user activities, system reboots, and shutdowns. By tailoring outputs to individual needs, system administrators effectively manage and secure system environments, maintaining optimal operational efficiency.