How to Use the Command 'last' (with Examples)

How to Use the Command 'last' (with Examples)

The last command is a useful and versatile tool available on Unix-like operating systems, primarily used to display information about the last logged-in users. It provides comprehensive login information, including details like username, terminal, and login time for all users. The command reads from the file /var/log/wtmp by default, which is the log file containing all login records. Through its various options and arguments, users can filter and customize the output to fit their specific requirements, making it a valuable tool for system administrators and security analysts monitoring user activity.

Use case 1: List login information of all users

Code:

last

Motivation:

This use case is essential for system administrators who need a quick overview of all user logins on a system. The command lists each user’s login history, showing valuable data such as login name, terminal used, remote hostname, IP address, login date, and duration of the session. It helps in tracking user activity and could be particularly useful in auditing and security checks.

Explanation:

  • The basic last command without any additional arguments fetches and displays login information for every user who has logged into the system.
  • By default, the output is sorted with the most recent logins displayed first.

Example output:

username   pts/0        203.0.113.0     Mon Sep 25 09:53   still logged in
username2  pts/2        203.0.113.1     Sat Sep 23 11:00   gone - no logout
reboot     system boot  5.15.0-64-generic Fri Sep 22 14:24 - 14:30  (00:06)

Use case 2: List login information of a specific user

Code:

last username

Motivation:

By narrowing down the logs to a specific user, administrators can closely monitor the login activities of an individual user. This can be critical for auditing purposes, understanding user behavior, or troubleshooting issues related to a specific user’s login patterns or irregularities.

Explanation:

  • username: Replace ‘username’ with the actual username you want to query. This argument filters the output to show the login history of that specific user only.

Example output:

username   pts/0        203.0.113.0     Mon Sep 25 09:53   still logged in
username   pts/0        192.168.0.15    Sun Sep 24 10:20 - 10:26  (00:06)

Use case 3: List information of a specific TTY

Code:

last tty1

Motivation:

This is useful when investigating incidents or issues specific to a given terminal interface. For instance, if there are disturbances or anomalies coming from terminal ’tty1’, using the last tty1 command allows an administrator to examine who was logged on to that terminal and when.

Explanation:

  • tty1: Replace ’tty1’ with the desired terminal identifier you want to look up. It queries the login history specific to the given terminal.

Example output:

username   tty1         :0               Sat Sep 23 11:00   gone - no logout

Use case 4: List most recent information

Code:

last | tac

Motivation:

Sometimes administrators need to quickly access the older login records without needing to manually scroll through the recent entries. The combination of last with tac reverses the order of entries, making this information readily accessible.

Explanation:

  • tac: The tac command reverses the input order of the arranged data from last, showing login entries beginning with the oldest. This is effective when you need to read from the oldest entries onwards.

Example output:

reboot     system boot  5.15.0-64-generic Fri Apr 22 14:24 - 14:30  (00:06)
username2  pts/2        203.0.113.1     Sat Apr 23 11:00   gone - no logout
username   pts/0        203.0.113.0     Mon Apr 25 09:53   still logged in

Use case 5: List information of system boots

Code:

last "system boot"

Motivation:

Monitoring system boot events is an essential task in managing system stability and identifying potential unplanned reboots or shutdowns. It provides insights necessary for ensuring system uptime and can indicate unauthorized reboots.

Explanation:

  • "system boot": Quoting ‘system boot’ instructs the last command to specifically show entries related to instances when the system was booted up, giving a clear history of when the system was restarted.

Example output:

reboot     system boot  5.15.0-64-generic Fri Sep 22 14:24 - 14:30  (00:06)
reboot     system boot  5.15.0-64-generic Wed Sep 20 13:04 - 14:24  (01:20)

Use case 6: List information with a specific timestamp format

Code:

last --time-format iso

Motivation:

Certain logs might require standardization of the time format for compatibility with other tools or reports. This functionality helps in managing the complexity associated with date-time formatting due to international standards.

Explanation:

  • --time-format iso: This option specifies that the time should be displayed in ISO 8601 format, which is commonly used for international date-time representation to maintain consistency across different regions.

Example output:

username   pts/0        203.0.113.0     2023-09-25T09:53:46 still logged in

Use case 7: List information since a specific time and date

Code:

last --since -7days

Motivation:

When conducting investigations, it may be crucial to focus the inquiry on a particular timeframe. For example, if there was an incident last week, analyzing user activity since the last seven days can provide relevant insights specific to that event.

Explanation:

  • --since -7days: This argument instructs last to filter out all logins that have occurred in the last seven days from the current date. It is a flexible way of slicing time for data analysis.

Example output:

username   pts/0        203.0.113.0     Tue Sep 19 17:22   still logged in
username2  pts/1        172.16.0.5      Mon Sep 18 21:15 - 21:45  (00:30)

Use case 8: List information of remote hosts

Code:

last --dns

Motivation:

When dealing with remote connections, identifying the hostname or IP address of clients can be vital for security auditing and troubleshooting network issues. This use case merges DNS resolutions into the listing entries, showing remote hosts’ names clearly if available.

Explanation:

  • --dns: By enabling this option, last resolves the hostnames for IP addresses in its records, displaying fully qualified domain names when available. This helps in human-friendly interpretation rather than raw numerical IP addresses.

Example output:

username   pts/0        host.example.com Mon Sep 25 09:53   still logged in

Conclusion:

The last command, with its myriad of options, serves as an efficient way to retrieve and analyze user log history and related system events. It offers administrators the flexibility to access precise and meaningful data that can aid in security audits, system administration, and troubleshooting tasks. Whether you need a general overview or specific details, understanding how to leverage each option can significantly improve your ability to manage and secure your systems.

Tags :

Related Posts

How to use the command 'hledger incomestatement' (with examples)

How to use the command 'hledger incomestatement' (with examples)

The hledger incomestatement command is a powerful tool within the hledger suite, a robust set of accounting programs and file formats that help individuals or organizations maintain financial records efficiently.

Read More
How to use the command 'now' (with examples)

How to use the command 'now' (with examples)

The ’now’ command was a versatile tool used for deploying projects to the cloud using the Zeit platform, which is now known as Vercel.

Read More
How to use the command 'pnmtosgi' (with examples)

How to use the command 'pnmtosgi' (with examples)

The pnmtosgi command is a tool from the Netpbm library that allows users to convert a Portable Any Map (PNM) image file into a Silicon Graphics Image (SGI) file.

Read More