Using the `last` Command (with examples)

The last command is used to view information about the last logged in users on a Linux system. It reads the /var/log/wtmp file, which contains information about system reboots, user logins, and system shutdowns. The last command provides a simple way to track user activity and identify who has accessed the system.

Viewing last logins

Running the last command without any options lists the most recent logins, showing each session's login and logout times and its duration. It pulls this information from the /var/log/wtmp file.

$ last

Motivation: This use case is helpful for system administrators who want to get a quick overview of the users who have recently accessed the system. It allows them to identify any suspicious logins or keep track of user activity.

Explanation: With no options, last prints its default columns for each session: the username, the terminal, the remote host (when there is one), the login time, and either the logout time with the session duration or "still logged in".

Example Output:

username   pts/0        Mon Oct 25 12:30   still logged in
username   tty1         Mon Oct 25 09:45   still logged in

Specifying the number of logins to show

You can specify the number of last logins to display using the -n option, followed by the desired number of logins. For example, to show the last 5 logins, use the following command:

$ last -n 5

Motivation: By specifying the number of logins to show, you can limit the output to a specific number of entries, making it easier to analyze recent user activity.

Explanation: The -n option is used to specify the number of lines to display. In the above example, we use -n 5 to limit the output to the 5 most recent logins.

Example Output:

username   pts/0        Mon Oct 25 12:30   still logged in
username   tty1         Mon Oct 25 09:45   still logged in
username   pts/1        Sun Oct 24 20:15 - 21:00  (00:45)
username   pts/0        Sun Oct 24 19:30 - 20:00  (00:30)
username   pts/0        Sun Oct 24 18:45 - 19:00  (00:15)

Printing full date and time with hostname column last

To print the full date and time for each login entry and display the hostname column last to prevent truncation, use the -F and -a options together.

$ last -F -a

Motivation: By default, the last command prints the hostname in a fixed-width column ahead of the login time, so a long hostname may be truncated. This can make it difficult to read the full output. By using the -F and -a options, you can ensure that the entire hostname is displayed without truncation.

Explanation: The -F option prints the full date and time for each entry, and the -a option displays the hostname column last.

Example Output:

username   pts/0     Mon Oct 25 12:30:00 2021   still logged in    192.168.1.10
username   tty1      Mon Oct 25 09:45:00 2021   still logged in

Viewing all logins by a specific user and showing IP address

To view all logins by a specific user and display the IP address instead of the hostname, use the username as an argument followed by the -i option.

$ last username -i

Motivation: This use case is helpful for monitoring a specific user’s login activity and identifying any suspicious or unauthorized logins. By showing the IP address instead of the hostname, you can gather additional information about the source of the login.

Explanation: The username is provided as an argument to the last command, and the -i option is used to display the IP address instead of the hostname.

Example Output:

username   pts/0        Mon Oct 25 12:30   still logged in    192.168.1.10
username   tty1         Mon Oct 25 09:45   still logged in
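
Added example (not part of the original article): the -F, -a and -i options combine well for login review, because the full timestamp sits in fixed fields and the source address is always the last field. The function below reads that output and lists remote logins from addresses outside an allowlist of prefixes; the function names, the sample lines and the prefixes are constructed for illustration.

```sh
#!/bin/sh
# Flag logins whose source address is outside an allowlist of address
# prefixes. Input: `last -F -a -i` output on stdin.

# Constructed sample in the layout of `last -F -a -i` (not real log data).
sample_last_output() {
cat <<'EOF'
alice    pts/0        Mon Oct 25 12:30:00 2021   still logged in                      192.168.1.10
bob      pts/1        Sun Oct 24 20:15:00 2021 - Sun Oct 24 21:00:00 2021  (00:45)    203.0.113.7
alice    tty1         Sun Oct 24 09:45:00 2021 - Sun Oct 24 10:00:00 2021  (00:15)    0.0.0.0
reboot   system boot  Sun Oct 24 09:40:00 2021   still running                        0.0.0.0
bob      pts/0        Sat Oct 23 03:12:00 2021 - Sat Oct 23 03:20:00 2021  (00:08)    198.51.100.23

wtmp begins Fri Oct  1 00:00:01 2021
EOF
}

# Usage: flag_unexpected_logins PREFIX... < last-output
# Prints "user tty source login-time" for every login outside all PREFIXes.
# End each prefix with a dot ("192.168.1.") so it cannot match 192.168.10.x.
flag_unexpected_logins() {
    awk -v allow="$*" '
        BEGIN { n = split(allow, prefixes, " ") }
        # Blank lines and the "wtmp begins ..." trailer have fewer fields.
        NF < 8 { next }
        # Pseudo users record boots and shutdowns, not logins.
        $1 == "reboot" || $1 == "shutdown" || $1 == "runlevel" { next }
        # With -i, local console sessions carry 0.0.0.0 as their address.
        $NF == "0.0.0.0" { next }
        {
            for (i = 1; i <= n; i++)
                if (index($NF, prefixes[i]) == 1) next   # allowlisted source
            # -F puts weekday, month, day, time and year in fields 3 to 7.
            printf "%s %s %s %s %s %s %s %s\n", $1, $2, $NF, $3, $4, $5, $6, $7
        }
    '
}

# Demo on the constructed sample; only the 192.168.1.x network is expected.
sample_last_output | flag_unexpected_logins 192.168.1.
```

On a live system, run last -F -a -i | flag_unexpected_logins 192.168.1. instead of the sample. Because wtmp is rotated, earlier sessions have to be read with last -f pointed at the rotated file.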

Viewing recorded reboots

To view all recorded reboots, which are essentially the last logins of the pseudo user “reboot”, use the reboot argument.

$ last reboot

Motivation: This use case is useful for checking the history of system reboots and identifying the last system reboot time. It can be helpful for troubleshooting and tracking system availability.

Explanation: Using the reboot argument with the last command specifically filters the output to show only the logins of the pseudo user “reboot”, which represents system reboots.

Example Output:

reboot        system boot    Mon Oct 25 10:00

Viewing recorded shutdowns

To view all recorded shutdowns, which are essentially the last logins of the pseudo user “shutdown”, use the shutdown argument.

$ last shutdown

Motivation: This use case allows you to check the history of system shutdowns, providing information about the time and date of the last shutdown. By monitoring shutdown events, you can keep track of system downtime and identify any unexpected or improper shutdowns.

Explanation: The shutdown argument is passed to the last command, which retrieves the logins of the pseudo user “shutdown”.

Example Output:

shutdown      system down    Mon Oct 25 09:30

In conclusion, the last command is a powerful tool for viewing information about the last logged in users on a Linux system. By using the different options and arguments, you can customize the output to meet your specific needs, such as tracking user activity, monitoring system reboots, or identifying shutdown events.
