Home

Linux last command - description and examples tutorial

The Linux last command usage is not only to view user's last login but it can be used to view user's activity in the system. Since all user's activity in the system is logged, last command will search that particular log file, it's /var/log/wtmp. Normal user with no special root privilege can also use last command. This is very interesting because normal user can monitor other user and system activities including root.

Let us see some examples. Issuing the Linux last command without any option displays:

    bill@slackware:~$ last
    bill     tty1                    Mon Apr 10 16:53   still logged in
    bill     tty1                    Mon Apr 10 16:47 - 16:53  (00:05)
    bill     tty1                    Mon Apr 10 16:20 - 16:47  (00:26)
    root     tty2                   Mon Apr 10 14:38   still logged in
    bill     tty1                     Mon Apr 10 13:38 - 16:20  (02:42)
    reboot   system boot  2.6.24.5-smp    Mon Apr 10 13:34    (03:34)
    root     tty1                          Fri Apr  7 18:25 - down   (00:15)
    reboot   system boot  2.6.24.5-smp     Fri Apr  7 18:24     (00:16)
    bill     tty4                          Thu Apr  6 14:21 - down   (04:09)
    reboot   system boot  2.6.24.5-smp     Thu Apr  6 14:20     (04:09)
    bill     tty4                          Thu Mar 23 12:25 - 12:25  (00:00)

    wtmp begins Wed Jan  4 15:27:32 2008

Isn't it interesting? We can see who's in the system now, in what terminal, times, date, system boot and reboot including kernel version.

The last command comes with several options to make system administrator task easier. Below are examples of what options regularly used with last command: 

    bill@slackware:~$ last tty1
    bill     tty1                          Mon Apr 10 16:53   still logged in
    bill     tty1                          Mon Apr 10 16:47 - 16:53  (00:05)
    bill     tty1                          Mon Apr 10 16:20 - 16:47  (00:26)
    bill     tty1                          Mon Apr 10 13:38 - 16:20  (02:42)
    root     tty1                          Fri Apr  7 18:25 - down   (00:15)

    wtmp begins Wed Jan  4 15:27:32 2008

Here we check what root has been doing recently:

    bill@slackware:~$ last root
    root      tty1                          Mon Apr 10 16:53   still logged in
    root      tty2                          Sun Apr 9 14:47 - 16:53  (02:06)
    root      tty1                          Mon Apr 10 16:20 - 16:47  (00:26)
    root      pts/0          :0             Mon Apr 10 13:38 - 16:20  (02:42)
    root      tty                          Fri Apr  7 18:25 - down   (00:15)

    wtmp begins Wed Jan  4 15:27:32 2008

Names of ttys can be abbreviated, thus last 2 is the same as last tty2.

    bill@slackware:~$ last 2
    root     tty2                          Mon Apr 10 14:38   still logged in
    root      tty2                          Sun Apr 9 14:47 - 16:53  (02:06)
    jadon    tty2                          Thu Mar  8 11:06 - 13:19  (02:12)
    jadon    tty2                          Thu Mar  8 11:05 - 11:06  (00:01)
    jadon    tty2                          Mon Jan 23 10:42 - 11:04  (00:22)
    bill     tty2                          Mon Jan 16 12:57 - 13:34  (00:36)
    bill     tty2                          Thu Jan  5 14:01 - 17:17  (03:15)
    bill     tty2                          Thu Jan  5 10:27 - down   (01:38)
    bill     tty2                          Thu Jan  5 10:22 - 10:22  (00:00)
                                                                   
    wtmp begins Wed Jan  4 15:27:32 2008

The Programmer's manual can be viewed by issuing a 'man last' command in the terminal. Here's the complete manual page for the Linux last command:

NAME
last, lastb - show listing of last logged in users

SYNOPSIS
last [-R] [-num] [ -n num ] [-adiox] [ -f file ] [ -t YYYYMMDDHHMMSS ] [name...] [tty...]
lastb [-R] [-num] [ -n num ] [ -f file ] [ -t YYYYMMDDHHMMSS ] [-adiox] [name...] [tty...]  

DESCRIPTION
Last searches back through the file /var/log/wtmp (or the file designated by 
the -f flag) and displays a list of all users logged in (and out) since that file 
was created. Names of users and tty's can be given, in which case last will 
show only those entries matching the arguments. Names of ttys can be 
abbreviated, thus last 0 is the same as last tty0.

When last catches a SIGINT signal (generated by the interrupt key, usually 
control-C) or a SIGQUIT signal (generated by the quit key, usually control-\),
last will show how far it has searched through the file; in the case of the 
SIGINT signal last will then terminate.

The pseudo user reboot logs in each time the system is rebooted. Thus last 
reboot will show a log of all reboots since the log file was created.

Lastb is the same as last, except that by default it shows a log of the file 
/var/log/btmp, which contains all the bad login attempts. 

OPTIONS

-num
    This is a count telling last how many lines to show. 
-n num
    The same. 
-t YYYYMMDDHHMMSS
    Display the state of logins as of the specified time. This is useful, e.g., to 
    determine easily who was logged in at a particular time -- specify that 
    time with -t and look for "still logged in". 

-R
    Suppresses the display of the hostname field. 
-a
    Display the hostname in the last column. Useful in combination with the 
     next flag. 
-d
    For non-local logins, Linux stores not only the host name of the remote 
    host but its IP number as well. This option translates the IP number back 
    into a hostname. 
-i
    This option is like -d in that it displays the IP number of the remote host, 
    but it displays the IP number in numbers-and-dots notation. 
-o
    Read an old-type wtmp file (written by linux-libc5 applications). 
-x
    Display the system shutdown entries and run level changes. 

 
SEE ALSO
shutdown(8), login(1), init(8)

Back to Linux basic commands main page.

»