last Command in Linux: Check Login History

By 

Dejan Panovski

Updated on

6 min read

last Command

If you are managing a multiuser system, you will often need to know who, when, and from where logged into the machine.

last is a command-line utility that displays information about the last login sessions of the system users. It is very useful when you need to track user activity or investigate a possible security breach.

This article explains how to audit who logged into the system using the last command.

How to Use the last Command

The syntax for the last command is as follows:

txt
last [OPTIONS] [USER] [<TTY>...]

Each time a user logs into the system, a record for that session is written to the /var/log/wtmp file. last reads the wtmp file and prints information about the logins and logouts of the users. Records are printed in reverse time order, starting from the most recent ones.

When last is invoked without any option or argument, the output looks something like this:

output
mark     pts/0        10.10.0.7   Fri Feb 21 21:23   still logged in
mark     pts/0        10.10.0.7   Tue Feb 18 22:34 - 00:05  (01:31)
lisa     :0           :0          Thu Feb 13 09:19   gone - no logout
reboot   system boot  4.15.0-74-g Fri Jan 24 08:03 - 08:03  (00:00)
...

Each line of output contains the following columns from left to right:

  • The user name. When the system reboots or shuts down, last shows the special users reboot and shutdown.
  • The tty on which the session took place. :0 usually means that the user was logging in to a desktop environment.
  • The IP address or the hostname from which the user logged in.
  • The session start and stop times.
  • The duration of the session. If the session is still active or the user did not log out, last will show information about that instead of the duration.

To restrict the output to a specific user or tty, pass the user name or tty as an argument to the last command:

Terminal
last mark
last pts/0

You can also specify multiple usernames and ttys as arguments:

Terminal
last mark root pts/0
Info
If you are looking for how to re-run the previous command in the shell, that is done with !! (repeat last command) or the Up arrow key — not the last utility. The last command is specifically for viewing login history.

last Command Options

last accepts several options that allow you to limit, format, and filter the output. In this section, we will cover the most common ones.

To specify the number of lines you would like to be printed, pass the number preceded by a single hyphen to last. For example, to print only the last ten login sessions you would type:

Terminal
last -10

With the -p (--present) option, you can find out who logged into the system on a specific date:

Terminal
last -p 2026-03-01

Use the -s (--since) and -t (--until) options to tell last to display the lines since or until the specified time. These two options are often used together to define a time interval for which you want the information to be retrieved. For example, to display the login records from March 1 to March 5, 2026, you would run:

Terminal
last -s 2026-03-01 -t 2026-03-05

The time passed to the -p, -s, and -t options can be specified in the following formats:

txt
YYYYMMDDhhmmss
YYYY-MM-DD hh:mm:ss
YYYY-MM-DD hh:mm     (seconds will be set to 00)
YYYY-MM-DD           (time will be set to 00:00:00)
hh:mm:ss             (date will be set to today)
hh:mm                (date will be set to today, seconds to 00)
now
yesterday            (time is set to 00:00:00)
today                (time is set to 00:00:00)
tomorrow             (time is set to 00:00:00)
+5min
-5days

By default, last does not show the seconds and the year. Use the -F (--fulltimes) option to view full login and logout times and dates:

Terminal
last -F

The -i (--ip) option forces last to always show the IP address, and the -d (--dns) option shows hostnames instead:

Terminal
last -i
last -d

lastb — Failed Login Attempts

lastb works the same way as last but reads the /var/log/btmp file, which records failed login attempts. This is useful for identifying brute-force attacks or unauthorized access attempts:

Terminal
sudo lastb
output
root     ssh:notty    10.10.0.45   Fri Feb 21 03:14 - 03:14  (00:00)
root     ssh:notty    10.10.0.45   Fri Feb 21 03:13 - 03:13  (00:00)

lastlog — Most Recent Login per User

lastlog displays the most recent login for every user on the system, including accounts that have never logged in:

Terminal
lastlog
output
Username         Port     From             Latest
root             pts/1    10.10.0.7        Fri Feb 21 21:00:15 +0100 2020
daemon                                     **Never logged in**
leah             pts/0    10.10.0.9        Thu Feb 20 14:22:01 +0100 2020

To check the last login of a specific user, use the -u flag:

Terminal
lastlog -u leah

Quick Reference

CommandDescription
lastShow all login sessions
last usernameShow sessions for a specific user
last -10Show the 10 most recent sessions
last -FShow full date and time for each session
last -p 2026-03-01Show who was logged in on a specific date
last -s 2026-03-01 -t 2026-03-05Show sessions in a date range
last -iShow IP addresses instead of hostnames
last -dShow hostnames instead of IP addresses
last rebootShow system reboot history
sudo lastbShow failed login attempts
lastlogShow most recent login per user
lastlog -u usernameShow most recent login for a specific user

Troubleshooting

/var/log/wtmp does not exist or is empty
The wtmp file may have been rotated or deleted. Login history before the rotation is no longer available. Future sessions will be recorded once the file is recreated automatically.

lastb shows no output
The /var/log/btmp file may not exist or may require root access. Run sudo lastb to read it with elevated privileges.

Output shows “gone - no logout”
The session ended without a clean logout record — for example, after a system crash or a forced disconnect. The session duration cannot be determined in this case.

last only shows recent sessions
wtmp is rotated periodically by logrotate. Older sessions are in compressed archive files such as /var/log/wtmp.1. You can read these with last -f /var/log/wtmp.1.

FAQ

What does last show in Linux?
last reads /var/log/wtmp and displays a list of all login and logout events, including the username, terminal, source IP or hostname, session start and end times, and duration.

How do I check login history for a specific user?
Run last username. For example, last leah shows all sessions for the user leah. To limit the output, add a number: last -10 leah shows the ten most recent sessions.

How do I see failed login attempts in Linux?
Use sudo lastb. It reads /var/log/btmp and lists all failed authentication attempts, including the username, source IP, and timestamp.

What is the difference between last, lastb, and lastlog?
last shows successful login history from /var/log/wtmp. lastb shows failed login attempts from /var/log/btmp. lastlog shows the single most recent login for every user account on the system.

How do I see when the system was last rebooted?
Run last reboot. The reboot pseudo-user is recorded in wtmp every time the system boots, so this shows the full reboot history.

Conclusion

The last command is a quick way to audit login activity on a Linux system. Use lastb to check for failed login attempts, and lastlog to see the most recent login for each user account. Together, these three commands give a complete picture of who has accessed the system and when.

Tags

linux commands

Linuxize Weekly Newsletter

A quick weekly roundup of new tutorials, news, and tips.

About the authors

Dejan Panovski

Dejan Panovski

Dejan Panovski is the founder of Linuxize, an RHCSA-certified Linux system administrator and DevOps engineer based in Skopje, Macedonia. Author of 800+ Linux tutorials with 20+ years of experience turning complex Linux tasks into clear, reliable guides.

View author page