Linux last command - description and examples tutorial

The Linux last command usage is not only to view user's last login but it can be used to view user's activity in the system. Since all user's activity in the system is logged, last command will search that particular log file, it's /var/log/wtmp. Normal user with no special root privilege can also use last command. This is very interesting because normal user can monitor other user and system activities including root.

Let us see some examples. Issuing the Linux last command without any option displays:

bill@slackware:~$ last
bill tty1 Mon Apr 10 16:53 still logged in
bill tty1 Mon Apr 10 16:47 - 16:53 (00:05)
bill tty1 Mon Apr 10 16:20 - 16:47 (00:26)
root tty2 Mon Apr 10 14:38 still logged in
bill tty1 Mon Apr 10 13:38 - 16:20 (02:42)
reboot system boot 2.6.24.5-smp Mon Apr 10 13:34 (03:34)
root tty1 Fri Apr 7 18:25 - down (00:15)
reboot system boot 2.6.24.5-smp Fri Apr 7 18:24 (00:16)
bill tty4 Thu Apr 6 14:21 - down (04:09)
reboot system boot 2.6.24.5-smp Thu Apr 6 14:20 (04:09)
bill tty4 Thu Mar 23 12:25 - 12:25 (00:00)

wtmp begins Wed Jan 4 15:27:32 2008

Isn't it interesting? We can see who's in the system now, in what terminal, times, date, system boot and reboot including kernel version.

The last command comes with several options to make system administrator task easier. Below are examples of what options regularly used with last command:

bill@slackware:~$ last tty1
bill tty1 Mon Apr 10 16:53 still logged in
bill tty1 Mon Apr 10 16:47 - 16:53 (00:05)
bill tty1 Mon Apr 10 16:20 - 16:47 (00:26)
bill tty1 Mon Apr 10 13:38 - 16:20 (02:42)
root tty1 Fri Apr 7 18:25 - down (00:15)

wtmp begins Wed Jan 4 15:27:32 2008

Here we check what root has been doing recently:

bill@slackware:~$ last root
root tty1 Mon Apr 10 16:53 still logged in
root tty2 Sun Apr 9 14:47 - 16:53 (02:06)
root tty1 Mon Apr 10 16:20 - 16:47 (00:26)
root pts/0 :0 Mon Apr 10 13:38 - 16:20 (02:42)
root tty Fri Apr 7 18:25 - down (00:15)

wtmp begins Wed Jan 4 15:27:32 2008

Names of ttys can be abbreviated, thus last 2 is the same as last tty2.

bill@slackware:~$ last 2
root tty2 Mon Apr 10 14:38 still logged in
root tty2 Sun Apr 9 14:47 - 16:53 (02:06)
jadon tty2 Thu Mar 8 11:06 - 13:19 (02:12)
jadon tty2 Thu Mar 8 11:05 - 11:06 (00:01)
jadon tty2 Mon Jan 23 10:42 - 11:04 (00:22)
bill tty2 Mon Jan 16 12:57 - 13:34 (00:36)
bill tty2 Thu Jan 5 14:01 - 17:17 (03:15)
bill tty2 Thu Jan 5 10:27 - down (01:38)
bill tty2 Thu Jan 5 10:22 - 10:22 (00:00)

wtmp begins Wed Jan 4 15:27:32 2008

The Programmer's manual can be viewed by issuing a 'man last' command in the terminal. Here's the complete manual page for the Linux last command:

NAME
last, lastb - show listing of last logged in users

SYNOPSIS
last [-R] [-num] [ -n num ] [-adiox] [ -f file ] [ -t YYYYMMDDHHMMSS ] [name...] [tty...]
lastb [-R] [-num] [ -n num ] [ -f file ] [ -t YYYYMMDDHHMMSS ] [-adiox] [name...] [tty...]

DESCRIPTION
Last searches back through the file /var/log/wtmp (or the file designated by
the -f flag) and displays a list of all users logged in (and out) since that file
was created. Names of users and tty's can be given, in which case last will
show only those entries matching the arguments. Names of ttys can be
abbreviated, thus last 0 is the same as last tty0.

When last catches a SIGINT signal (generated by the interrupt key, usually
control-C) or a SIGQUIT signal (generated by the quit key, usually control-\),
last will show how far it has searched through the file; in the case of the
SIGINT signal last will then terminate.

The pseudo user reboot logs in each time the system is rebooted. Thus last
reboot will show a log of all reboots since the log file was created.

Lastb is the same as last, except that by default it shows a log of the file
/var/log/btmp, which contains all the bad login attempts.

OPTIONS

-num
This is a count telling last how many lines to show.
-n num
The same.
-t YYYYMMDDHHMMSS
Display the state of logins as of the specified time. This is useful, e.g., to
determine easily who was logged in at a particular time -- specify that
time with -t and look for "still logged in".

-R
Suppresses the display of the hostname field.
-a
Display the hostname in the last column. Useful in combination with the
next flag.
-d
For non-local logins, Linux stores not only the host name of the remote
host but its IP number as well. This option translates the IP number back
into a hostname.
-i
This option is like -d in that it displays the IP number of the remote host,
but it displays the IP number in numbers-and-dots notation.
-o
Read an old-type wtmp file (written by linux-libc5 applications).
-x
Display the system shutdown entries and run level changes.

SEE ALSO
shutdown(8), login(1), init(8)

Back to Linux basic commands main page.

Add new comment

Filtered HTML

  • Web page addresses and e-mail addresses turn into links automatically.
  • Allowed HTML tags: <a> <em> <strong> <cite> <blockquote> <code> <ul> <ol> <li> <dl> <dt> <dd>
  • Lines and paragraphs break automatically.

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
By submitting this form, you accept the Mollom privacy policy.