Công Nghệ File

What file does the last command retrieve information from?

In this tutorial, we will see how to find last logged in users in Linux using 

ostechni pts/0        192.168.225.37   Thu Jan  7 08:30   still logged in
ostechni tty1                          Thu Jan  7 08:29   still logged in
ostechni pts/0        192.168.225.37   Wed Jan  6 11:02 - 13:31  [02:28]
[...]
5, 
ostechni pts/0        192.168.225.37   Thu Jan  7 08:30   still logged in
ostechni tty1                          Thu Jan  7 08:29   still logged in
ostechni pts/0        192.168.225.37   Wed Jan  6 11:02 - 13:31  [02:28]
[...]
6 and 
ostechni pts/0        192.168.225.37   Thu Jan  7 08:30   still logged in
ostechni tty1                          Thu Jan  7 08:29   still logged in
ostechni pts/0        192.168.225.37   Wed Jan  6 11:02 - 13:31  [02:28]
[...]
7 commands with examples.

Contents

Introduction

As a Linux system administrator, you should routinely check the login date and time of the users in your Linux server. It gives you some useful details such as how many users are active, how many users are inactive and when do they log in and for how long etc.

If some user accounts haven't been used for a long time, you can simply lock them if they are no longer needed. You can also use the last login dates when auditing your Linux servers and investigate which user could have caused the problem.

Fortunately, the GNU/Linux operating system includes the triplet commands namely 

ostechni pts/0        192.168.225.37   Thu Jan  7 08:30   still logged in
ostechni tty1                          Thu Jan  7 08:29   still logged in
ostechni pts/0        192.168.225.37   Wed Jan  6 11:02 - 13:31  [02:28]
[...]
5, 
ostechni pts/0        192.168.225.37   Thu Jan  7 08:30   still logged in
ostechni tty1                          Thu Jan  7 08:29   still logged in
ostechni pts/0        192.168.225.37   Wed Jan  6 11:02 - 13:31  [02:28]
[...]
6 and 
ostechni pts/0        192.168.225.37   Thu Jan  7 08:30   still logged in
ostechni tty1                          Thu Jan  7 08:29   still logged in
ostechni pts/0        192.168.225.37   Wed Jan  6 11:02 - 13:31  [02:28]
[...]
7 to display the recent users' login dates.

1. Display list of last logged in users in Linux with last command

As the name says, the 

ostechni pts/0        192.168.225.37   Thu Jan  7 08:30   still logged in
ostechni tty1                          Thu Jan  7 08:29   still logged in
ostechni pts/0        192.168.225.37   Wed Jan  6 11:02 - 13:31  [02:28]
[...]
5 command is used to view the last logged in users in Linux and Unix-like systems. It reads through the 
$ last ostechnix sk
2 file and finds all logged in as well as logged out users since that file was created. You can also list the recent login dates of a specific user and even find who rebooted the Linux system with the help of 
ostechni pts/0        192.168.225.37   Thu Jan  7 08:30   still logged in
ostechni tty1                          Thu Jan  7 08:29   still logged in
ostechni pts/0        192.168.225.37   Wed Jan  6 11:02 - 13:31  [02:28]
[...]
5 command.

Please note that your system only logs information in the 

$ last ostechnix sk
4 file. If this file is not available for any reason, simply create it with 
$ last ostechnix sk
5 command like below:

$ sudo touch /var/log/wtmp

Now let us find out the recent login dates and times with 

ostechni pts/0        192.168.225.37   Thu Jan  7 08:30   still logged in
ostechni tty1                          Thu Jan  7 08:29   still logged in
ostechni pts/0        192.168.225.37   Wed Jan  6 11:02 - 13:31  [02:28]
[...]
5 command.

To show the last logins, their duration and other information in your Linux system, simply run:

$ last

Sample output:

ostechni pts/0        192.168.225.37   Thu Jan  7 08:30   still logged in
ostechni tty1                          Thu Jan  7 08:29   still logged in
reboot   system boot  5.4.0-53-generic Thu Jan  7 08:20   still running
reboot   system boot  5.4.0-48-generic Fri Nov 20 10:13 - 11:44  [01:31]
.
.
.
reboot   system boot  5.4.0-33-generic Wed Jul  8 08:49 - 11:41  [02:52]
ostechni web console                   Mon Jul  6 08:19 - 08:20  [00:00]
ostechni pts/2        192.168.225.37   Mon Jul  6 08:14 - 08:30  [00:15]
ostechni pts/0        192.168.225.37   Mon Jul  6 07:41 - 12:27  [04:45]
reboot   system boot  5.4.0-33-generic Mon Jul  6 07:21 - 12:27  [05:06]
ostechni pts/3        192.168.225.37   Sat Jul  4 12:01 - 12:12  [00:10]
ostechni pts/2        192.168.225.37   Sat Jul  4 11:14 - 13:01  [01:46]
ostechni pts/0        192.168.225.37   Sat Jul  4 07:55 - 13:01  [05:05]
reboot   system boot  5.4.0-33-generic Sat Jul  4 07:53 - 13:03  [05:09]
ostechni tty1                          Fri May 29 10:07 - down   [00:00]
reboot   system boot  5.4.0-33-generic Fri May 29 10:06 - 10:07  [00:01]
ostechni pts/0        192.168.225.37   Fri May 29 09:36 - 10:06  [00:29]
ostechni tty1                          Fri May 29 09:36 - down   [00:29]
reboot   system boot  5.4.0-31-generic Fri May 29 09:35 - 10:06  [00:30]
ostechni tty1                          Sun May 24 13:17 - down   [00:02]
reboot   system boot  5.4.0-31-generic Sun May 24 13:16 - 13:20  [00:03]

wtmp begins Sun May 24 13:16:52 2020

List last logged in users in Linux with last command

As you see in the above output, the last command shows the following details of recent logins:

  • Name of the user. If any user is still logged in, it will display that details too.
  • Type of the terminal device [E.g. tty or pts] on which the session took place.
  • Source IP address or hostname from which the user logged in.
  • The login date and time stamp [i.e. the login session start and stop times].
  • The total duration of the session.
  • The last line indicates the date and time of the earliest recorded session in the 
    $ last ostechnix sk
    4 log file.

In the above output, you might have noticed that there is a login entry of a special user named 

$ last ostechnix sk
8. The 
ostechni pts/0        192.168.225.37   Thu Jan  7 08:30   still logged in
ostechni tty1                          Thu Jan  7 08:29   still logged in
ostechni pts/0        192.168.225.37   Wed Jan  6 11:02 - 13:31  [02:28]
[...]
5 command keeps the records of this user each time the computer is booted up.

When we run 

ostechni pts/0        192.168.225.37   Thu Jan  7 08:30   still logged in
ostechni tty1                          Thu Jan  7 08:29   still logged in
ostechni pts/0        192.168.225.37   Wed Jan  6 11:02 - 13:31  [02:28]
[...]
5 command without any options, it will show the entire log output. It has many options to filter, format, and limit output as per your liking. I have included examples for most common options.

1.1. Limit output to specific user

As stated already, the 

ostechni pts/0        192.168.225.37   Thu Jan  7 08:30   still logged in
ostechni tty1                          Thu Jan  7 08:29   still logged in
ostechni pts/0        192.168.225.37   Wed Jan  6 11:02 - 13:31  [02:28]
[...]
5 command lists all recent logins recorded in the 
$ last ostechnix sk
4 file. If you want to display the recent logins of a specific user [i.e. view all logins by a specific user], for example ostechnix, the command would be:

$ last ostechnix

Sample output:

ostechni pts/0        192.168.225.37   Thu Jan  7 08:30   still logged in
ostechni tty1                          Thu Jan  7 08:29   still logged in
ostechni pts/0        192.168.225.37   Wed Jan  6 11:02 - 13:31  [02:28]
[...]

Display the recent logins of specific user with last command

You can also specify multiple usernames with comma-separated like below:

$ last ostechnix sk

1.2. Limit output to specific tty or pts

The 

ostechni pts/0        192.168.225.37   Thu Jan  7 08:30   still logged in
ostechni tty1                          Thu Jan  7 08:29   still logged in
ostechni pts/0        192.168.225.37   Wed Jan  6 11:02 - 13:31  [02:28]
[...]
5 command keeps the record of the type of the terminal device [E.g. tty or pts] on which the session took place.

Say for example, the users might have logged to the Linux machine either locally or via ssh. If you want to restrict the output to specific 

$ last tty1
4, simply run:

$ last tty1

Sample output:

ostechni tty1                          Thu Jan  7 08:29   still logged in
ostechni tty1                          Wed Jan  6 11:00 - down   [02:31]
ostechni tty1                          Fri Nov 20 11:52 - down   [00:38]
[...]

Names of ttys can be abbreviated. For instance, you can run 

$ last tty1
5 instead of 
$ last tty1
6.

Similarly, to list only 

$ last tty1
7 sessions' logins, run:

$ last pts/0
ostechni pts/0        192.168.225.37   Thu Jan  7 08:30   still logged in
ostechni pts/0        192.168.225.37   Wed Jan  6 11:02 - 13:31  [02:28]
sk       pts/0        192.168.225.37   Wed Jan  6 11:02 - 11:02  [00:00]
[...]

You can also specify multiple usernames with ttys like below:

$ last ostechnix sk pts/0 tty1

1.3. Limit output to specific number of lines

The 

$ last ostechnix sk
4 log file could have large number of entries. If you want to restrict the output of 
ostechni pts/0        192.168.225.37   Thu Jan  7 08:30   still logged in
ostechni tty1                          Thu Jan  7 08:29   still logged in
ostechni pts/0        192.168.225.37   Wed Jan  6 11:02 - 13:31  [02:28]
[...]
5 command to certain number of lines, use 
ostechni tty1                          Thu Jan  7 08:29   still logged in
ostechni tty1                          Wed Jan  6 11:00 - down   [02:31]
ostechni tty1                          Fri Nov 20 11:52 - down   [00:38]
[...]
0 flag like below:

$ last
0

Or,

$ last
1

The above command will only display the 5 lines in the output:

$ last
2

1.4. Show hostname instead of IP address

By default, 

ostechni pts/0        192.168.225.37   Thu Jan  7 08:30   still logged in
ostechni tty1                          Thu Jan  7 08:29   still logged in
ostechni pts/0        192.168.225.37   Wed Jan  6 11:02 - 13:31  [02:28]
[...]
5 command shows the source IP from which the user logged it. If you want to display hostname instead of IP address, use 
ostechni tty1                          Thu Jan  7 08:29   still logged in
ostechni tty1                          Wed Jan  6 11:00 - down   [02:31]
ostechni tty1                          Fri Nov 20 11:52 - down   [00:38]
[...]
2 [or 
ostechni tty1                          Thu Jan  7 08:29   still logged in
ostechni tty1                          Wed Jan  6 11:00 - down   [02:31]
ostechni tty1                          Fri Nov 20 11:52 - down   [00:38]
[...]
3] option:

$ last
3

You can also display full user names and domain names in the output with 

ostechni tty1                          Thu Jan  7 08:29   still logged in
ostechni tty1                          Wed Jan  6 11:00 - down   [02:31]
ostechni tty1                          Fri Nov 20 11:52 - down   [00:38]
[...]
4 [or 
ostechni tty1                          Thu Jan  7 08:29   still logged in
ostechni tty1                          Wed Jan  6 11:00 - down   [02:31]
ostechni tty1                          Fri Nov 20 11:52 - down   [00:38]
[...]
5] option.

1.5. Hide hostname and IP address

To suppress the hostname or IP field, use 

ostechni tty1                          Thu Jan  7 08:29   still logged in
ostechni tty1                          Wed Jan  6 11:00 - down   [02:31]
ostechni tty1                          Fri Nov 20 11:52 - down   [00:38]
[...]
6 option.

$ last
4

Sample output:

$ last
5

1.6. Show user login records on a specific time

The 

ostechni tty1                          Thu Jan  7 08:29   still logged in
ostechni tty1                          Wed Jan  6 11:00 - down   [02:31]
ostechni tty1                          Fri Nov 20 11:52 - down   [00:38]
[...]
7 [or 
ostechni tty1                          Thu Jan  7 08:29   still logged in
ostechni tty1                          Wed Jan  6 11:00 - down   [02:31]
ostechni tty1                          Fri Nov 20 11:52 - down   [00:38]
[...]
8] option is used to find who was logged in at present or at a specified time.

For example, run the following command to list last logged in users at a 8:30 today:

$ last
6

Sample output:

$ last
7

To list who is logged at present [i.e. at the time of running this command, run:

$ last
8

Find logged in users at specific time

1.7. Display logged in users within specific time interval

The 

ostechni pts/0        192.168.225.37   Thu Jan  7 08:30   still logged in
ostechni tty1                          Thu Jan  7 08:29   still logged in
ostechni pts/0        192.168.225.37   Wed Jan  6 11:02 - 13:31  [02:28]
[...]
5 command has two options namely 
$ last pts/0
ostechni pts/0        192.168.225.37   Thu Jan  7 08:30   still logged in
ostechni pts/0        192.168.225.37   Wed Jan  6 11:02 - 13:31  [02:28]
sk       pts/0        192.168.225.37   Wed Jan  6 11:02 - 11:02  [00:00]
[...]
0 [
$ last pts/0
ostechni pts/0        192.168.225.37   Thu Jan  7 08:30   still logged in
ostechni pts/0        192.168.225.37   Wed Jan  6 11:02 - 13:31  [02:28]
sk       pts/0        192.168.225.37   Wed Jan  6 11:02 - 11:02  [00:00]
[...]
1] and 
$ last pts/0
ostechni pts/0        192.168.225.37   Thu Jan  7 08:30   still logged in
ostechni pts/0        192.168.225.37   Wed Jan  6 11:02 - 13:31  [02:28]
sk       pts/0        192.168.225.37   Wed Jan  6 11:02 - 11:02  [00:00]
[...]
2 [
$ last pts/0
ostechni pts/0        192.168.225.37   Thu Jan  7 08:30   still logged in
ostechni pts/0        192.168.225.37   Wed Jan  6 11:02 - 13:31  [02:28]
sk       pts/0        192.168.225.37   Wed Jan  6 11:02 - 11:02  [00:00]
[...]
3] to display logged in users within a specific period of time. The 
$ last pts/0
ostechni pts/0        192.168.225.37   Thu Jan  7 08:30   still logged in
ostechni pts/0        192.168.225.37   Wed Jan  6 11:02 - 13:31  [02:28]
sk       pts/0        192.168.225.37   Wed Jan  6 11:02 - 11:02  [00:00]
[...]
0 option is used to display the state of logins since the specified time and the 
$ last pts/0
ostechni pts/0        192.168.225.37   Thu Jan  7 08:30   still logged in
ostechni pts/0        192.168.225.37   Wed Jan  6 11:02 - 13:31  [02:28]
sk       pts/0        192.168.225.37   Wed Jan  6 11:02 - 11:02  [00:00]
[...]
2 option is used to display the state of logins until the specified time.

For example, if you want to display the last logins that took place from 

$ last pts/0
ostechni pts/0        192.168.225.37   Thu Jan  7 08:30   still logged in
ostechni pts/0        192.168.225.37   Wed Jan  6 11:02 - 13:31  [02:28]
sk       pts/0        192.168.225.37   Wed Jan  6 11:02 - 11:02  [00:00]
[...]
6 to 
$ last pts/0
ostechni pts/0        192.168.225.37   Thu Jan  7 08:30   still logged in
ostechni pts/0        192.168.225.37   Wed Jan  6 11:02 - 13:31  [02:28]
sk       pts/0        192.168.225.37   Wed Jan  6 11:02 - 11:02  [00:00]
[...]
7, the command is:

$ last
9

Sample output:

ostechni pts/0        192.168.225.37   Thu Jan  7 08:30   still logged in
ostechni tty1                          Thu Jan  7 08:29   still logged in
reboot   system boot  5.4.0-53-generic Thu Jan  7 08:20   still running
reboot   system boot  5.4.0-48-generic Fri Nov 20 10:13 - 11:44  [01:31]
.
.
.
reboot   system boot  5.4.0-33-generic Wed Jul  8 08:49 - 11:41  [02:52]
ostechni web console                   Mon Jul  6 08:19 - 08:20  [00:00]
ostechni pts/2        192.168.225.37   Mon Jul  6 08:14 - 08:30  [00:15]
ostechni pts/0        192.168.225.37   Mon Jul  6 07:41 - 12:27  [04:45]
reboot   system boot  5.4.0-33-generic Mon Jul  6 07:21 - 12:27  [05:06]
ostechni pts/3        192.168.225.37   Sat Jul  4 12:01 - 12:12  [00:10]
ostechni pts/2        192.168.225.37   Sat Jul  4 11:14 - 13:01  [01:46]
ostechni pts/0        192.168.225.37   Sat Jul  4 07:55 - 13:01  [05:05]
reboot   system boot  5.4.0-33-generic Sat Jul  4 07:53 - 13:03  [05:09]
ostechni tty1                          Fri May 29 10:07 - down   [00:00]
reboot   system boot  5.4.0-33-generic Fri May 29 10:06 - 10:07  [00:01]
ostechni pts/0        192.168.225.37   Fri May 29 09:36 - 10:06  [00:29]
ostechni tty1                          Fri May 29 09:36 - down   [00:29]
reboot   system boot  5.4.0-31-generic Fri May 29 09:35 - 10:06  [00:30]
ostechni tty1                          Sun May 24 13:17 - down   [00:02]
reboot   system boot  5.4.0-31-generic Sun May 24 13:16 - 13:20  [00:03]

wtmp begins Sun May 24 13:16:52 2020
0

To view recent logins from yesterday to today, run:

ostechni pts/0        192.168.225.37   Thu Jan  7 08:30   still logged in
ostechni tty1                          Thu Jan  7 08:29   still logged in
reboot   system boot  5.4.0-53-generic Thu Jan  7 08:20   still running
reboot   system boot  5.4.0-48-generic Fri Nov 20 10:13 - 11:44  [01:31]
.
.
.
reboot   system boot  5.4.0-33-generic Wed Jul  8 08:49 - 11:41  [02:52]
ostechni web console                   Mon Jul  6 08:19 - 08:20  [00:00]
ostechni pts/2        192.168.225.37   Mon Jul  6 08:14 - 08:30  [00:15]
ostechni pts/0        192.168.225.37   Mon Jul  6 07:41 - 12:27  [04:45]
reboot   system boot  5.4.0-33-generic Mon Jul  6 07:21 - 12:27  [05:06]
ostechni pts/3        192.168.225.37   Sat Jul  4 12:01 - 12:12  [00:10]
ostechni pts/2        192.168.225.37   Sat Jul  4 11:14 - 13:01  [01:46]
ostechni pts/0        192.168.225.37   Sat Jul  4 07:55 - 13:01  [05:05]
reboot   system boot  5.4.0-33-generic Sat Jul  4 07:53 - 13:03  [05:09]
ostechni tty1                          Fri May 29 10:07 - down   [00:00]
reboot   system boot  5.4.0-33-generic Fri May 29 10:06 - 10:07  [00:01]
ostechni pts/0        192.168.225.37   Fri May 29 09:36 - 10:06  [00:29]
ostechni tty1                          Fri May 29 09:36 - down   [00:29]
reboot   system boot  5.4.0-31-generic Fri May 29 09:35 - 10:06  [00:30]
ostechni tty1                          Sun May 24 13:17 - down   [00:02]
reboot   system boot  5.4.0-31-generic Sun May 24 13:16 - 13:20  [00:03]

wtmp begins Sun May 24 13:16:52 2020
1

If you want to only list login records since January 07, 2021 to till date, run:

ostechni pts/0        192.168.225.37   Thu Jan  7 08:30   still logged in
ostechni tty1                          Thu Jan  7 08:29   still logged in
reboot   system boot  5.4.0-53-generic Thu Jan  7 08:20   still running
reboot   system boot  5.4.0-48-generic Fri Nov 20 10:13 - 11:44  [01:31]
.
.
.
reboot   system boot  5.4.0-33-generic Wed Jul  8 08:49 - 11:41  [02:52]
ostechni web console                   Mon Jul  6 08:19 - 08:20  [00:00]
ostechni pts/2        192.168.225.37   Mon Jul  6 08:14 - 08:30  [00:15]
ostechni pts/0        192.168.225.37   Mon Jul  6 07:41 - 12:27  [04:45]
reboot   system boot  5.4.0-33-generic Mon Jul  6 07:21 - 12:27  [05:06]
ostechni pts/3        192.168.225.37   Sat Jul  4 12:01 - 12:12  [00:10]
ostechni pts/2        192.168.225.37   Sat Jul  4 11:14 - 13:01  [01:46]
ostechni pts/0        192.168.225.37   Sat Jul  4 07:55 - 13:01  [05:05]
reboot   system boot  5.4.0-33-generic Sat Jul  4 07:53 - 13:03  [05:09]
ostechni tty1                          Fri May 29 10:07 - down   [00:00]
reboot   system boot  5.4.0-33-generic Fri May 29 10:06 - 10:07  [00:01]
ostechni pts/0        192.168.225.37   Fri May 29 09:36 - 10:06  [00:29]
ostechni tty1                          Fri May 29 09:36 - down   [00:29]
reboot   system boot  5.4.0-31-generic Fri May 29 09:35 - 10:06  [00:30]
ostechni tty1                          Sun May 24 13:17 - down   [00:02]
reboot   system boot  5.4.0-31-generic Sun May 24 13:16 - 13:20  [00:03]

wtmp begins Sun May 24 13:16:52 2020
2

1.8. Display last logged in users with full date and time

The 

$ last pts/0
ostechni pts/0        192.168.225.37   Thu Jan  7 08:30   still logged in
ostechni pts/0        192.168.225.37   Wed Jan  6 11:02 - 13:31  [02:28]
sk       pts/0        192.168.225.37   Wed Jan  6 11:02 - 11:02  [00:00]
[...]
8 [
$ last pts/0
ostechni pts/0        192.168.225.37   Thu Jan  7 08:30   still logged in
ostechni pts/0        192.168.225.37   Wed Jan  6 11:02 - 13:31  [02:28]
sk       pts/0        192.168.225.37   Wed Jan  6 11:02 - 11:02  [00:00]
[...]
9] option is used to display the full login and logout date and time in 
ostechni pts/0        192.168.225.37   Thu Jan  7 08:30   still logged in
ostechni tty1                          Thu Jan  7 08:29   still logged in
ostechni pts/0        192.168.225.37   Wed Jan  6 11:02 - 13:31  [02:28]
[...]
5 command's output.

ostechni pts/0        192.168.225.37   Thu Jan  7 08:30   still logged in
ostechni tty1                          Thu Jan  7 08:29   still logged in
reboot   system boot  5.4.0-53-generic Thu Jan  7 08:20   still running
reboot   system boot  5.4.0-48-generic Fri Nov 20 10:13 - 11:44  [01:31]
.
.
.
reboot   system boot  5.4.0-33-generic Wed Jul  8 08:49 - 11:41  [02:52]
ostechni web console                   Mon Jul  6 08:19 - 08:20  [00:00]
ostechni pts/2        192.168.225.37   Mon Jul  6 08:14 - 08:30  [00:15]
ostechni pts/0        192.168.225.37   Mon Jul  6 07:41 - 12:27  [04:45]
reboot   system boot  5.4.0-33-generic Mon Jul  6 07:21 - 12:27  [05:06]
ostechni pts/3        192.168.225.37   Sat Jul  4 12:01 - 12:12  [00:10]
ostechni pts/2        192.168.225.37   Sat Jul  4 11:14 - 13:01  [01:46]
ostechni pts/0        192.168.225.37   Sat Jul  4 07:55 - 13:01  [05:05]
reboot   system boot  5.4.0-33-generic Sat Jul  4 07:53 - 13:03  [05:09]
ostechni tty1                          Fri May 29 10:07 - down   [00:00]
reboot   system boot  5.4.0-33-generic Fri May 29 10:06 - 10:07  [00:01]
ostechni pts/0        192.168.225.37   Fri May 29 09:36 - 10:06  [00:29]
ostechni tty1                          Fri May 29 09:36 - down   [00:29]
reboot   system boot  5.4.0-31-generic Fri May 29 09:35 - 10:06  [00:30]
ostechni tty1                          Sun May 24 13:17 - down   [00:02]
reboot   system boot  5.4.0-31-generic Sun May 24 13:16 - 13:20  [00:03]

wtmp begins Sun May 24 13:16:52 2020
3

Sample output:

ostechni pts/0        192.168.225.37   Thu Jan  7 08:30   still logged in
ostechni tty1                          Thu Jan  7 08:29   still logged in
reboot   system boot  5.4.0-53-generic Thu Jan  7 08:20   still running
reboot   system boot  5.4.0-48-generic Fri Nov 20 10:13 - 11:44  [01:31]
.
.
.
reboot   system boot  5.4.0-33-generic Wed Jul  8 08:49 - 11:41  [02:52]
ostechni web console                   Mon Jul  6 08:19 - 08:20  [00:00]
ostechni pts/2        192.168.225.37   Mon Jul  6 08:14 - 08:30  [00:15]
ostechni pts/0        192.168.225.37   Mon Jul  6 07:41 - 12:27  [04:45]
reboot   system boot  5.4.0-33-generic Mon Jul  6 07:21 - 12:27  [05:06]
ostechni pts/3        192.168.225.37   Sat Jul  4 12:01 - 12:12  [00:10]
ostechni pts/2        192.168.225.37   Sat Jul  4 11:14 - 13:01  [01:46]
ostechni pts/0        192.168.225.37   Sat Jul  4 07:55 - 13:01  [05:05]
reboot   system boot  5.4.0-33-generic Sat Jul  4 07:53 - 13:03  [05:09]
ostechni tty1                          Fri May 29 10:07 - down   [00:00]
reboot   system boot  5.4.0-33-generic Fri May 29 10:06 - 10:07  [00:01]
ostechni pts/0        192.168.225.37   Fri May 29 09:36 - 10:06  [00:29]
ostechni tty1                          Fri May 29 09:36 - down   [00:29]
reboot   system boot  5.4.0-31-generic Fri May 29 09:35 - 10:06  [00:30]
ostechni tty1                          Sun May 24 13:17 - down   [00:02]
reboot   system boot  5.4.0-31-generic Sun May 24 13:16 - 13:20  [00:03]

wtmp begins Sun May 24 13:16:52 2020
4

1.9. Display hostname in the last column

The 

$ last ostechnix sk pts/0 tty1
1 [
$ last ostechnix sk pts/0 tty1
2] option is used to display the hostname column last to prevent truncation.

ostechni pts/0        192.168.225.37   Thu Jan  7 08:30   still logged in
ostechni tty1                          Thu Jan  7 08:29   still logged in
reboot   system boot  5.4.0-53-generic Thu Jan  7 08:20   still running
reboot   system boot  5.4.0-48-generic Fri Nov 20 10:13 - 11:44  [01:31]
.
.
.
reboot   system boot  5.4.0-33-generic Wed Jul  8 08:49 - 11:41  [02:52]
ostechni web console                   Mon Jul  6 08:19 - 08:20  [00:00]
ostechni pts/2        192.168.225.37   Mon Jul  6 08:14 - 08:30  [00:15]
ostechni pts/0        192.168.225.37   Mon Jul  6 07:41 - 12:27  [04:45]
reboot   system boot  5.4.0-33-generic Mon Jul  6 07:21 - 12:27  [05:06]
ostechni pts/3        192.168.225.37   Sat Jul  4 12:01 - 12:12  [00:10]
ostechni pts/2        192.168.225.37   Sat Jul  4 11:14 - 13:01  [01:46]
ostechni pts/0        192.168.225.37   Sat Jul  4 07:55 - 13:01  [05:05]
reboot   system boot  5.4.0-33-generic Sat Jul  4 07:53 - 13:03  [05:09]
ostechni tty1                          Fri May 29 10:07 - down   [00:00]
reboot   system boot  5.4.0-33-generic Fri May 29 10:06 - 10:07  [00:01]
ostechni pts/0        192.168.225.37   Fri May 29 09:36 - 10:06  [00:29]
ostechni tty1                          Fri May 29 09:36 - down   [00:29]
reboot   system boot  5.4.0-31-generic Fri May 29 09:35 - 10:06  [00:30]
ostechni tty1                          Sun May 24 13:17 - down   [00:02]
reboot   system boot  5.4.0-31-generic Sun May 24 13:16 - 13:20  [00:03]

wtmp begins Sun May 24 13:16:52 2020
5

1.10. View last login records of pseudo user "reboot"

As I mentioned earlier, the last command keeps the record of a special pseudo users named "reboot" and "shutdown".

To view last login details of "reboot" and "shutdown" users, use the following commands:

ostechni pts/0        192.168.225.37   Thu Jan  7 08:30   still logged in
ostechni tty1                          Thu Jan  7 08:29   still logged in
reboot   system boot  5.4.0-53-generic Thu Jan  7 08:20   still running
reboot   system boot  5.4.0-48-generic Fri Nov 20 10:13 - 11:44  [01:31]
.
.
.
reboot   system boot  5.4.0-33-generic Wed Jul  8 08:49 - 11:41  [02:52]
ostechni web console                   Mon Jul  6 08:19 - 08:20  [00:00]
ostechni pts/2        192.168.225.37   Mon Jul  6 08:14 - 08:30  [00:15]
ostechni pts/0        192.168.225.37   Mon Jul  6 07:41 - 12:27  [04:45]
reboot   system boot  5.4.0-33-generic Mon Jul  6 07:21 - 12:27  [05:06]
ostechni pts/3        192.168.225.37   Sat Jul  4 12:01 - 12:12  [00:10]
ostechni pts/2        192.168.225.37   Sat Jul  4 11:14 - 13:01  [01:46]
ostechni pts/0        192.168.225.37   Sat Jul  4 07:55 - 13:01  [05:05]
reboot   system boot  5.4.0-33-generic Sat Jul  4 07:53 - 13:03  [05:09]
ostechni tty1                          Fri May 29 10:07 - down   [00:00]
reboot   system boot  5.4.0-33-generic Fri May 29 10:06 - 10:07  [00:01]
ostechni pts/0        192.168.225.37   Fri May 29 09:36 - 10:06  [00:29]
ostechni tty1                          Fri May 29 09:36 - down   [00:29]
reboot   system boot  5.4.0-31-generic Fri May 29 09:35 - 10:06  [00:30]
ostechni tty1                          Sun May 24 13:17 - down   [00:02]
reboot   system boot  5.4.0-31-generic Sun May 24 13:16 - 13:20  [00:03]

wtmp begins Sun May 24 13:16:52 2020
6
ostechni pts/0        192.168.225.37   Thu Jan  7 08:30   still logged in
ostechni tty1                          Thu Jan  7 08:29   still logged in
reboot   system boot  5.4.0-53-generic Thu Jan  7 08:20   still running
reboot   system boot  5.4.0-48-generic Fri Nov 20 10:13 - 11:44  [01:31]
.
.
.
reboot   system boot  5.4.0-33-generic Wed Jul  8 08:49 - 11:41  [02:52]
ostechni web console                   Mon Jul  6 08:19 - 08:20  [00:00]
ostechni pts/2        192.168.225.37   Mon Jul  6 08:14 - 08:30  [00:15]
ostechni pts/0        192.168.225.37   Mon Jul  6 07:41 - 12:27  [04:45]
reboot   system boot  5.4.0-33-generic Mon Jul  6 07:21 - 12:27  [05:06]
ostechni pts/3        192.168.225.37   Sat Jul  4 12:01 - 12:12  [00:10]
ostechni pts/2        192.168.225.37   Sat Jul  4 11:14 - 13:01  [01:46]
ostechni pts/0        192.168.225.37   Sat Jul  4 07:55 - 13:01  [05:05]
reboot   system boot  5.4.0-33-generic Sat Jul  4 07:53 - 13:03  [05:09]
ostechni tty1                          Fri May 29 10:07 - down   [00:00]
reboot   system boot  5.4.0-33-generic Fri May 29 10:06 - 10:07  [00:01]
ostechni pts/0        192.168.225.37   Fri May 29 09:36 - 10:06  [00:29]
ostechni tty1                          Fri May 29 09:36 - down   [00:29]
reboot   system boot  5.4.0-31-generic Fri May 29 09:35 - 10:06  [00:30]
ostechni tty1                          Sun May 24 13:17 - down   [00:02]
reboot   system boot  5.4.0-31-generic Sun May 24 13:16 - 13:20  [00:03]

wtmp begins Sun May 24 13:16:52 2020
7

2. Display failed login attempts using lastb in Linux

The 

ostechni pts/0        192.168.225.37   Thu Jan  7 08:30   still logged in
ostechni tty1                          Thu Jan  7 08:29   still logged in
ostechni pts/0        192.168.225.37   Wed Jan  6 11:02 - 13:31  [02:28]
[...]
6 is same as 
ostechni pts/0        192.168.225.37   Thu Jan  7 08:30   still logged in
ostechni tty1                          Thu Jan  7 08:29   still logged in
ostechni pts/0        192.168.225.37   Wed Jan  6 11:02 - 13:31  [02:28]
[...]
5 command, but it only lists all the bad login attempts. It gets the failed login details from the 
$ last ostechnix sk pts/0 tty1
5 file.

Please note that your system only logs information in the 

$ last ostechnix sk pts/0 tty1
6 file if it is present. If this file is not available for any reason, simply create it with 
$ last ostechnix sk
5 command like below:

ostechni pts/0        192.168.225.37   Thu Jan  7 08:30   still logged in
ostechni tty1                          Thu Jan  7 08:29   still logged in
reboot   system boot  5.4.0-53-generic Thu Jan  7 08:20   still running
reboot   system boot  5.4.0-48-generic Fri Nov 20 10:13 - 11:44  [01:31]
.
.
.
reboot   system boot  5.4.0-33-generic Wed Jul  8 08:49 - 11:41  [02:52]
ostechni web console                   Mon Jul  6 08:19 - 08:20  [00:00]
ostechni pts/2        192.168.225.37   Mon Jul  6 08:14 - 08:30  [00:15]
ostechni pts/0        192.168.225.37   Mon Jul  6 07:41 - 12:27  [04:45]
reboot   system boot  5.4.0-33-generic Mon Jul  6 07:21 - 12:27  [05:06]
ostechni pts/3        192.168.225.37   Sat Jul  4 12:01 - 12:12  [00:10]
ostechni pts/2        192.168.225.37   Sat Jul  4 11:14 - 13:01  [01:46]
ostechni pts/0        192.168.225.37   Sat Jul  4 07:55 - 13:01  [05:05]
reboot   system boot  5.4.0-33-generic Sat Jul  4 07:53 - 13:03  [05:09]
ostechni tty1                          Fri May 29 10:07 - down   [00:00]
reboot   system boot  5.4.0-33-generic Fri May 29 10:06 - 10:07  [00:01]
ostechni pts/0        192.168.225.37   Fri May 29 09:36 - 10:06  [00:29]
ostechni tty1                          Fri May 29 09:36 - down   [00:29]
reboot   system boot  5.4.0-31-generic Fri May 29 09:35 - 10:06  [00:30]
ostechni tty1                          Sun May 24 13:17 - down   [00:02]
reboot   system boot  5.4.0-31-generic Sun May 24 13:16 - 13:20  [00:03]

wtmp begins Sun May 24 13:16:52 2020
8

Now we can display the failed login attempts using lastb command like below:

ostechni pts/0        192.168.225.37   Thu Jan  7 08:30   still logged in
ostechni tty1                          Thu Jan  7 08:29   still logged in
reboot   system boot  5.4.0-53-generic Thu Jan  7 08:20   still running
reboot   system boot  5.4.0-48-generic Fri Nov 20 10:13 - 11:44  [01:31]
.
.
.
reboot   system boot  5.4.0-33-generic Wed Jul  8 08:49 - 11:41  [02:52]
ostechni web console                   Mon Jul  6 08:19 - 08:20  [00:00]
ostechni pts/2        192.168.225.37   Mon Jul  6 08:14 - 08:30  [00:15]
ostechni pts/0        192.168.225.37   Mon Jul  6 07:41 - 12:27  [04:45]
reboot   system boot  5.4.0-33-generic Mon Jul  6 07:21 - 12:27  [05:06]
ostechni pts/3        192.168.225.37   Sat Jul  4 12:01 - 12:12  [00:10]
ostechni pts/2        192.168.225.37   Sat Jul  4 11:14 - 13:01  [01:46]
ostechni pts/0        192.168.225.37   Sat Jul  4 07:55 - 13:01  [05:05]
reboot   system boot  5.4.0-33-generic Sat Jul  4 07:53 - 13:03  [05:09]
ostechni tty1                          Fri May 29 10:07 - down   [00:00]
reboot   system boot  5.4.0-33-generic Fri May 29 10:06 - 10:07  [00:01]
ostechni pts/0        192.168.225.37   Fri May 29 09:36 - 10:06  [00:29]
ostechni tty1                          Fri May 29 09:36 - down   [00:29]
reboot   system boot  5.4.0-31-generic Fri May 29 09:35 - 10:06  [00:30]
ostechni tty1                          Sun May 24 13:17 - down   [00:02]
reboot   system boot  5.4.0-31-generic Sun May 24 13:16 - 13:20  [00:03]

wtmp begins Sun May 24 13:16:52 2020
9

Sample output:

$ last ostechnix
0

Display failed login attempts using lastb command in Linux

The above commands lists all unsuccessful login attempts by all users in the Linux system. It also shows failed login attempts that took place via SSH.

3. Find last logged in users in Linux with lastlog command

The lastlog command shows the most recent login of all users or of a specific user in Linux and Unix-like operating systems. It retrieves the list of last logged in users from 

$ last ostechnix sk pts/0 tty1
8 file and displays the result in standard output.

To display the most recent login of all users, run:

$ last ostechnix
1

Sample output:

$ last ostechnix
2

Find last logged in users in Linux with lastlog command

As you see in the above output, 

ostechni pts/0        192.168.225.37   Thu Jan  7 08:30   still logged in
ostechni tty1                          Thu Jan  7 08:29   still logged in
ostechni pts/0        192.168.225.37   Wed Jan  6 11:02 - 13:31  [02:28]
[...]
7 command displays the last login records of system user accounts as well as other service accounts such as 
$ last
00, 
$ last
01, 
$ last
02, 
$ last
03, 
$ last
04 etc.

The 

ostechni pts/0        192.168.225.37   Thu Jan  7 08:30   still logged in
ostechni tty1                          Thu Jan  7 08:29   still logged in
ostechni pts/0        192.168.225.37   Wed Jan  6 11:02 - 13:31  [02:28]
[...]
7 command prints the login-name, port, source IP address from which the user logged in and the last login date and time. If an user has never logged in, it will print the message 
$ last
06 instead of the port and time in the output.

You might be wondering why there are many service accounts have never logged in. This is because the login shells for these accounts are set to either 

$ last
07. It is common security practice used to limit direct access to the shell.

3.1. Display last logged in details of a specific user

If you want to display lastlog record of a specified user, for example ostechnix, the command would be:

$ last ostechnix
3

Sample output:

$ last ostechnix
4

3.2. Display last logged in records before or recent than X days

The 

ostechni pts/0        192.168.225.37   Thu Jan  7 08:30   still logged in
ostechni tty1                          Thu Jan  7 08:29   still logged in
ostechni pts/0        192.168.225.37   Wed Jan  6 11:02 - 13:31  [02:28]
[...]
7 command can able to display recent login records before than or recent than X days.

For instance, you can get recent login records of all users before than 5 days using 

$ last
09 flag like below:

$ last ostechnix
5

Similarly, to display login records more recent than 5 days, use 

$ last pts/0
ostechni pts/0        192.168.225.37   Thu Jan  7 08:30   still logged in
ostechni pts/0        192.168.225.37   Wed Jan  6 11:02 - 13:31  [02:28]
sk       pts/0        192.168.225.37   Wed Jan  6 11:02 - 11:02  [00:00]
[...]
2 flag:

$ last ostechnix
6

3.3. Remove or clear the last login information using lastlog in Linux

If you don't want the lastlog record of an user, just clear them using 

$ last
11 [
$ last
12] flag:

$ last ostechnix
7

To verify if the log record is cleared, run:

$ last ostechnix
8

Getting help

For more details, refer the help section of the respective command.

$ last ostechnix
9
ostechni pts/0        192.168.225.37   Thu Jan  7 08:30   still logged in
ostechni tty1                          Thu Jan  7 08:29   still logged in
ostechni pts/0        192.168.225.37   Wed Jan  6 11:02 - 13:31  [02:28]
[...]
0
ostechni pts/0        192.168.225.37   Thu Jan  7 08:30   still logged in
ostechni tty1                          Thu Jan  7 08:29   still logged in
ostechni pts/0        192.168.225.37   Wed Jan  6 11:02 - 13:31  [02:28]
[...]
1

Or go through the man pages of each command:

ostechni pts/0        192.168.225.37   Thu Jan  7 08:30   still logged in
ostechni tty1                          Thu Jan  7 08:29   still logged in
ostechni pts/0        192.168.225.37   Wed Jan  6 11:02 - 13:31  [02:28]
[...]
2
ostechni pts/0        192.168.225.37   Thu Jan  7 08:30   still logged in
ostechni tty1                          Thu Jan  7 08:29   still logged in
ostechni pts/0        192.168.225.37   Wed Jan  6 11:02 - 13:31  [02:28]
[...]
3
ostechni pts/0        192.168.225.37   Thu Jan  7 08:30   still logged in
ostechni tty1                          Thu Jan  7 08:29   still logged in
ostechni pts/0        192.168.225.37   Wed Jan  6 11:02 - 13:31  [02:28]
[...]
4

Conclusion

The 

ostechni pts/0        192.168.225.37   Thu Jan  7 08:30   still logged in
ostechni tty1                          Thu Jan  7 08:29   still logged in
ostechni pts/0        192.168.225.37   Wed Jan  6 11:02 - 13:31  [02:28]
[...]
5, 
ostechni pts/0        192.168.225.37   Thu Jan  7 08:30   still logged in
ostechni tty1                          Thu Jan  7 08:29   still logged in
ostechni pts/0        192.168.225.37   Wed Jan  6 11:02 - 13:31  [02:28]
[...]
6 and 
ostechni pts/0        192.168.225.37   Thu Jan  7 08:30   still logged in
ostechni tty1                          Thu Jan  7 08:29   still logged in
ostechni pts/0        192.168.225.37   Wed Jan  6 11:02 - 13:31  [02:28]
[...]
7 commands comes in rescue to detect suspicious user activities in a Linux system. Finding who is recently logged in [or logged out from] the Linux server, when did they log in and for how long are the important details that will definitely help you at troubleshooting times.

Related read:

  • How To Find Currently Logged In Users In Linux
  • How To List All Users In Linux
  • How To Monitor User Activity In Linux
  • How To Limit User’s Access To The Linux System

Find last logged in userslastlastblastlogLinuxLinux administrationLinux basicsLinux commandsLinux tipsLinux user management

What does the last command show?

Description. The last command displays, in reverse chronological order, all previous logins and logoffs still recorded in the /var/adm/wtmp file.

How to read last command in Linux?

The syntax for the last command is as follows: last [OPTIONS] [USER] [...] Each time a user logs into the system, a record for that session is written to the /var/log/wtmp file. last reads the file wtmp file and prints information about the logins and logouts of the users.

Which command will display the last command you entered?

Press CTRL+P to switch to the last command, and then press CTRL+O to execute it.

Which command is used to execute the last command you have executed?

The ways to run the last executed command are as follows: Ctrl + P.

Bài Viết Liên Quan

Cách xóa trang tạo trên facebook
Land Cruiser máy dầu đời 2005
Đo tốc độ di chuyển bằng Google Map
How do you reset a Dell laptop for school?
Tên facebook hay cho nữ dễ thương
Tên facebook ngắn mà độc
Cách chỉnh máy hàn Mig 500
Giá xe Kia Sorento cũ máy dầu
Bật tìm kiếm bằng số điện thoại trên facebook
Công thức pha trà chanh truyền thống
MacBook Air M1 có vân tay không
Thanh lý nội thất facebook
Thay màn hình Surface Pro 4 Hà Nội
How much can I sell my 2013 MacBook for?
How can I access my files away from home?
Cách kết nối iPhone với tivi thường
What is the importance of charts and graphics in providing information from Nios?
Bơm xe máy loại nào tốt
Ảnh bìa facebook cung thiên yết
My Photo Stream not showing on iPhone iOS 15

Toplist mới

#1
Top 5 đáp án sách giáo dục địa phương lớp 6 2023
7 tháng trước
#2
Top 9 ý nghĩa nhan đề của bài thơ quê hương 2023
7 tháng trước
#3
Top 6 thủy thủ mặt trăng pha lê tập 27 thuyết minh 2023
7 tháng trước
#4
Top 8 trong một nhóm a, theo chiều tăng của điện tích hạt nhân thì 2023
7 tháng trước
#5
Top 8 de thi học kì 2 lớp 12 môn toán có đáp an trắc nghiệm file word 2022 2023
7 tháng trước
#6
Top 7 chuyện tình nàng trinh nữ tên thi ý nghĩa 2023
7 tháng trước
#7
Top 3 lương y dương thị minh chữa bệnh tiểu đường 2023
7 tháng trước
#8
Top 2 nồi chiên không dầu 2good s20 điện máy xanh 2023
7 tháng trước
#9
Top 9 trẻ sơ sinh bị đỏ mắt chảy ghèn 2023
7 tháng trước

Bài mới nhất

Chi phí tài trợ có phải xuất hóa đơn năm 2024
Chọn hóa chất xử lý dụng cụ cần phải năm 2024
Giải bài 1 tứ giác toán 8 tập 1 sbt năm 2024
Kế toán mỹ và kế toán việt nam năm 2024
Trắc nghiệm toán 9 học kì 1 violet năm 2024
Khắc phục lỗi trên vtv cab cho tv năm 2024
Mua văn phòng phầm xuất hóa đơn vào cuối tháng năm 2024
Kiểm tra 1 tiết hóa 11 chương 7 8 violet năm 2024
Giá cho 1 sản phẩm dựa vào tiêu chí nào năm 2024
Luật chất lượng sản phẩm và hàng hóa thuvienphapluat năm 2024

Chủ Đề

Hỏi Đáp Toplist Là gì Địa Điểm Hay Mẹo Hay mẹo hay programming Học Tốt Nghĩa của từ Công Nghệ Khỏe Đẹp đánh giá Bao nhiêu Top List bao nhieu bao nhiêu hướng dẫn Bài tập So Sánh So sánh Tiếng anh Xây Đựng Bài Tập Ngôn ngữ Sản phẩm tốt Ở đâu Thế nào Dịch Hướng dẫn Đại học Tại sao Máy tính Khoa Học Món Ngon Vì sao Bao lâu Hà Nội