How to Use the Command 'last' (with Examples)
- Linux
- December 17, 2024
The last command is a useful and versatile tool available on Unix-like operating systems, primarily used to display information about the last logged-in users. It provides comprehensive login information, including details like username, terminal, and login time for all users. The command reads from the file /var/log/wtmp by default, which is the log file containing all login records. Through its various options and arguments, users can filter and customize the output to fit their specific requirements, making it a valuable tool for system administrators and security analysts monitoring user activity.
Use case 1: List login information of all users
Code:
last
Motivation:
This use case is essential for system administrators who need a quick overview of all user logins on a system. The command lists each user’s login history, showing valuable data such as login name, terminal used, remote hostname, IP address, login date, and duration of the session. It helps in tracking user activity and could be particularly useful in auditing and security checks.
Explanation:
- The basic last command without any additional arguments fetches and displays login information for every user who has logged into the system.
- By default, the output is sorted with the most recent logins displayed first.
Example output:
username pts/0 203.0.113.0 Mon Sep 25 09:53 still logged in
username2 pts/2 203.0.113.1 Sat Sep 23 11:00 gone - no logout
reboot system boot 5.15.0-64-generic Fri Sep 22 14:24 - 14:30 (00:06)
Use case 2: List login information of a specific user
Code:
last username
Motivation:
By narrowing down the logs to a specific user, administrators can closely monitor the login activities of an individual user. This can be critical for auditing purposes, understanding user behavior, or troubleshooting issues related to a specific user’s login patterns or irregularities.
Explanation:
username: Replace ‘username’ with the actual username you want to query. This argument filters the output to show the login history of that specific user only.
Example output:
username pts/0 203.0.113.0 Mon Sep 25 09:53 still logged in
username pts/0 192.168.0.15 Sun Sep 24 10:20 - 10:26 (00:06)
Use case 3: List information of a specific TTY
Code:
last tty1
Motivation:
This is useful when investigating incidents or issues specific to a given terminal interface. For instance, if there are disturbances or anomalies coming from terminal ‘tty1’, using the last tty1 command allows an administrator to examine who was logged on to that terminal and when.
Explanation:
tty1: Replace ‘tty1’ with the desired terminal identifier you want to look up. It queries the login history specific to the given terminal.
Example output:
username tty1 :0 Sat Sep 23 11:00 gone - no logout
Use case 4: List login information in reverse order (oldest first)
Code:
last | tac
Motivation:
Sometimes administrators need to quickly access the older login records without needing to manually scroll through the recent entries. The combination of last with tac reverses the order of entries, making this information readily accessible.
Explanation:
tac: The tac command reverses the order of the lines output by last, showing login entries beginning with the oldest. This is effective when you need to read from the oldest entries onwards.
Example output:
reboot system boot 5.15.0-64-generic Fri Apr 22 14:24 - 14:30 (00:06)
username2 pts/2 203.0.113.1 Sat Apr 23 11:00 gone - no logout
username pts/0 203.0.113.0 Mon Apr 25 09:53 still logged in
Use case 5: List information of system boots
Code:
last "system boot"
Motivation:
Monitoring system boot events is an essential task in managing system stability and identifying potential unplanned reboots or shutdowns. It provides insights necessary for ensuring system uptime and can indicate unauthorized reboots.
Explanation:
"system boot": Quoting ‘system boot’ passes it to the last command as a single argument, so that it shows only the entries recorded when the system was booted up, giving a clear history of when the system was restarted.
Example output:
reboot system boot 5.15.0-64-generic Fri Sep 22 14:24 - 14:30 (00:06)
reboot system boot 5.15.0-64-generic Wed Sep 20 13:04 - 14:24 (01:20)
Use case 6: List information with a specific timestamp format
Code:
last --time-format iso
Motivation:
Certain logs might require standardization of the time format for compatibility with other tools or reports. This functionality helps in managing the complexity associated with date-time formatting due to international standards.
Explanation:
--time-format iso: This option specifies that the time should be displayed in ISO 8601 format, which is commonly used for international date-time representation to maintain consistency across different regions.
Example output:
username pts/0 203.0.113.0 2023-09-25T09:53:46 still logged in
Use case 7: List information since a specific time and date
Code:
last --since -7days
Motivation:
When conducting investigations, it may be crucial to focus the inquiry on a particular timeframe. For example, if there was an incident last week, analyzing user activity over the last seven days can provide relevant insights specific to that event.
Explanation:
--since -7days: This argument instructs last to show only the logins that have occurred in the last seven days from the current date. It is a flexible way of slicing time for data analysis.
Example output:
username pts/0 203.0.113.0 Tue Sep 19 17:22 still logged in
username2 pts/1 172.16.0.5 Mon Sep 18 21:15 - 21:45 (00:30)
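An added example (not from the original article) that combines use cases 6 and 7 for a login audit: it groups the output of last --time-format iso by user and source address and lists sessions that have no recorded logout. The function names, the sample records and the users alice and bob are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit helpers for the output of `last --time-format iso`.
# Assumed column layout: user  tty  source  start-time  ...

ISO='^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]T'

# One line per user/source pair: user source count first-login latest-login.
# ISO timestamps sort correctly as strings while they share one UTC offset.
summarise_logins() {
    awk -v iso="$ISO" '
        $1 == "reboot" || $1 == "shutdown" { next }   # boot/shutdown pseudo-users
        $4 !~ iso || $3 ~ /^:/ { next }   # no source column, trailer, local X display
        {
            key = $1 " " $3
            count[key]++
            if (!(key in first) || $4 < first[key]) first[key] = $4
            if (!(key in latest) || $4 > latest[key]) latest[key] = $4
        }
        END { for (k in count) print k, count[k], first[k], latest[k] }
    ' | LC_ALL=C sort
}

# Sessions with no recorded logout: either still open, or the logout
# record is missing ("gone - no logout").
unclosed_sessions() {
    awk -v iso="$ISO" '
        $4 ~ iso && (/still logged in *$/ || /gone - no logout *$/) {
            print $1, $2, $3, $4
        }
    '
}

# Constructed sample input (not real log data).
sample_last_output() {
    cat <<'EOF'
alice    pts/0        203.0.113.0       2023-09-25T09:53:46 still logged in
alice    pts/0        192.168.0.15      2023-09-24T10:20:11 - 2023-09-24T10:26:40  (00:06)
alice    pts/1        203.0.113.0       2023-09-21T08:02:05 - 2023-09-21T08:40:10  (00:38)
bob      pts/2        203.0.113.1       2023-09-23T11:00:02 gone - no logout
bob      tty1         :0                2023-09-23T10:58:30 - 2023-09-23T10:59:00  (00:00)
reboot   system boot  5.15.0-64-generic 2023-09-22T14:24:00 - 2023-09-22T14:30:00  (00:06)

wtmp begins 2023-09-01T00:00:00
EOF
}

# Live use: last --time-format iso --since -7days | summarise_logins
sample_last_output | summarise_logins
sample_last_output | unclosed_sessions
```

A user/source pair that appears for the first time inside the audit window, or an unclosed session from an unfamiliar source, is a reasonable starting point for a closer look.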
Use case 8: List information of remote hosts
Code:
last --dns
Motivation:
When dealing with remote connections, identifying the hostname or IP address of clients can be vital for security auditing and troubleshooting network issues. This use case merges DNS resolutions into the listing entries, showing remote hosts’ names clearly if available.
Explanation:
--dns: By enabling this option, last resolves the hostnames for IP addresses in its records, displaying fully qualified domain names when available. This helps in human-friendly interpretation rather than raw numerical IP addresses.
Example output:
username pts/0 host.example.com Mon Sep 25 09:53 still logged in
Conclusion:
The last command, with its myriad of options, serves as an efficient way to retrieve and analyze user log history and related system events. It offers administrators the flexibility to access precise and meaningful data that can aid in security audits, system administration, and troubleshooting tasks. Whether you need a general overview or specific details, understanding how to leverage each option can significantly improve your ability to manage and secure your systems.