Last Command in Linux

Posted 

3 min read

If you are managing a multiuser system, you’ll often need to know who, when, and from where logged into the machine.

last is a command-line utility that displays information about the last login sessions of the system users. It is very useful when you need to track user activity or investigate a possible security breach.

This article explains how to audit who logged into the system using the last command.

How to Use the last Command

The syntax for the last command is as follows:

last [OPTIONS] [USER] [<TTY>...]

Each time a user logs into the system, a record for that session is written to the /var/log/wtmp file. last reads the file wtmp file and prints information about the logins and logouts of the users. Records are printed in reverse time order, starting from the most recent ones.

When last is invoked without any option or argument, the output looks something like this:

mark     pts/0        10.10.0.7   Fri Feb 21 21:23   still logged in
mark     pts/0        10.10.0.7   Tue Feb 18 22:34 - 00:05  (01:31)
lisa     :0           :0          Thu Feb 13 09:19   gone - no logout
reboot   system boot  4.15.0-74-g Fri Jan 24 08:03 - 08:03  (00:00)
...

Each line of output contains the following columns from left to right:

  • The user name. When the system reboots or shuts down, last shows the special users reboot and shutdown.
  • The tty on which the session took place. :0 usually means that the user was logging in to a desktop environment.
  • The IP address or the hostname from which the user logged in.
  • The session start and stop times.
  • The duration of the session. If the session is still active or the user didn’t logout, last will show information about that instead of the duration.

To restrict the output to a specific user or tty, pass the user name or tty as an argument to the last command:

last marklast pts/0

You can also specify multiple usernames and ttys as arguments:

last mark root pts/0

last Command Options

last accepts several options that allow you to limit, format, and filter the output. In this section, we’ll cover the most common ones.

To specify the number of lines you’d like to be printed on the command line, pass the number preceded by a single hyphen to last. For example, to print only the last ten login sessions you would type:

last -10

With the -p (--present) option, you can find out who logged into the system on a specific date.

last -p 2020-01-15

Use the -s (--since) and -t (--until) option to tell last to display the lines since or until the specified time. These two options are often used together to define a time interval for which you want the information to be retrieved. For example to display the login records from Feb 13 to Feb 18, you would run:

last -s 2020-02-13 -u 2020-02-18

The time passed to the -p, -s and -t options can be specified in the following formats:

YYYYMMDDhhmmss
YYYY-MM-DD hh:mm:ss
YYYY-MM-DD hh:mm     (seconds will be set to 00)
YYYY-MM-DD           (time will be set to 00:00:00)
hh:mm:ss             (date will be set to today)
hh:mm                (date will be set to today, seconds to 00)
now
yesterday            (time is set to 00:00:00)
today                (time is set to 00:00:00)
tomorrow             (time is set to 00:00:00)
+5min
-5days

By default, last doesn’t show the seconds and the year. Use the -F, --fulltimes option to view full login and logout times and dates:

last -F

The -i (--ip) option forces last to always show IP address, and the -d (--dns) to show hostnames:

last -i

Conclusion

The last command prints information about the users' login and logout times. For more information about the command, type man last in your terminal.

If you have any questions, please leave a comment below.