In this tutorial, we will see how to find last logged in users in Linux using
ostechni pts/0 192.168.225.37 Thu Jan 7 08:30 still logged in ostechni tty1 Thu Jan 7 08:29 still logged in ostechni pts/0 192.168.225.37 Wed Jan 6 11:02 - 13:31 [02:28] [...]5,
ostechni pts/0 192.168.225.37 Thu Jan 7 08:30 still logged in ostechni tty1 Thu Jan 7 08:29 still logged in ostechni pts/0 192.168.225.37 Wed Jan 6 11:02 - 13:31 [02:28] [...]6 and
ostechni pts/0 192.168.225.37 Thu Jan 7 08:30 still logged in ostechni tty1 Thu Jan 7 08:29 still logged in ostechni pts/0 192.168.225.37 Wed Jan 6 11:02 - 13:31 [02:28] [...]7 commands with examples.
Contents
Introduction
As a Linux system administrator, you should routinely check the login date and time of the users in your Linux server. It gives you some useful details such as how many users are active, how many users are inactive and when do they log in and for how long etc.
If some user accounts haven't been used for a long time, you can simply lock them if they are no longer needed. You can also use the last login dates when auditing your Linux servers and investigate which user could have caused the problem.
Fortunately, the GNU/Linux operating system includes the triplet commands namely
ostechni pts/0 192.168.225.37 Thu Jan 7 08:30 still logged in ostechni tty1 Thu Jan 7 08:29 still logged in ostechni pts/0 192.168.225.37 Wed Jan 6 11:02 - 13:31 [02:28] [...]5,
ostechni pts/0 192.168.225.37 Thu Jan 7 08:30 still logged in ostechni tty1 Thu Jan 7 08:29 still logged in ostechni pts/0 192.168.225.37 Wed Jan 6 11:02 - 13:31 [02:28] [...]6 and
ostechni pts/0 192.168.225.37 Thu Jan 7 08:30 still logged in ostechni tty1 Thu Jan 7 08:29 still logged in ostechni pts/0 192.168.225.37 Wed Jan 6 11:02 - 13:31 [02:28] [...]7 to display the recent users' login dates.
1. Display list of last logged in users in Linux with last command
As the name says, the
ostechni pts/0 192.168.225.37 Thu Jan 7 08:30 still logged in ostechni tty1 Thu Jan 7 08:29 still logged in ostechni pts/0 192.168.225.37 Wed Jan 6 11:02 - 13:31 [02:28] [...]5 command is used to view the last logged in users in Linux and Unix-like systems. It reads through the
$ last ostechnix sk2 file and finds all logged in as well as logged out users since that file was created. You can also list the recent login dates of a specific user and even find who rebooted the Linux system with the help of
ostechni pts/0 192.168.225.37 Thu Jan 7 08:30 still logged in ostechni tty1 Thu Jan 7 08:29 still logged in ostechni pts/0 192.168.225.37 Wed Jan 6 11:02 - 13:31 [02:28] [...]5 command.
Please note that your system only logs information in the
$ last ostechnix sk4 file. If this file is not available for any reason, simply create it with
$ last ostechnix sk5 command like below:
$ sudo touch /var/log/wtmp
Now let us find out the recent login dates and times with
ostechni pts/0 192.168.225.37 Thu Jan 7 08:30 still logged in ostechni tty1 Thu Jan 7 08:29 still logged in ostechni pts/0 192.168.225.37 Wed Jan 6 11:02 - 13:31 [02:28] [...]5 command.
To show the last logins, their duration and other information in your Linux system, simply run:
$ last
Sample output:
ostechni pts/0 192.168.225.37 Thu Jan 7 08:30 still logged in ostechni tty1 Thu Jan 7 08:29 still logged in reboot system boot 5.4.0-53-generic Thu Jan 7 08:20 still running reboot system boot 5.4.0-48-generic Fri Nov 20 10:13 - 11:44 [01:31] . . . reboot system boot 5.4.0-33-generic Wed Jul 8 08:49 - 11:41 [02:52] ostechni web console Mon Jul 6 08:19 - 08:20 [00:00] ostechni pts/2 192.168.225.37 Mon Jul 6 08:14 - 08:30 [00:15] ostechni pts/0 192.168.225.37 Mon Jul 6 07:41 - 12:27 [04:45] reboot system boot 5.4.0-33-generic Mon Jul 6 07:21 - 12:27 [05:06] ostechni pts/3 192.168.225.37 Sat Jul 4 12:01 - 12:12 [00:10] ostechni pts/2 192.168.225.37 Sat Jul 4 11:14 - 13:01 [01:46] ostechni pts/0 192.168.225.37 Sat Jul 4 07:55 - 13:01 [05:05] reboot system boot 5.4.0-33-generic Sat Jul 4 07:53 - 13:03 [05:09] ostechni tty1 Fri May 29 10:07 - down [00:00] reboot system boot 5.4.0-33-generic Fri May 29 10:06 - 10:07 [00:01] ostechni pts/0 192.168.225.37 Fri May 29 09:36 - 10:06 [00:29] ostechni tty1 Fri May 29 09:36 - down [00:29] reboot system boot 5.4.0-31-generic Fri May 29 09:35 - 10:06 [00:30] ostechni tty1 Sun May 24 13:17 - down [00:02] reboot system boot 5.4.0-31-generic Sun May 24 13:16 - 13:20 [00:03] wtmp begins Sun May 24 13:16:52 2020
As you see in the above output, the last command shows the following details of recent logins:
- Name of the user. If any user is still logged in, it will display that details too.
- Type of the terminal device [E.g. tty or pts] on which the session took place.
- Source IP address or hostname from which the user logged in.
- The login date and time stamp [i.e. the login session start and stop times].
- The total duration of the session.
- The last line indicates the date and time of the earliest recorded session in the
$ last ostechnix sk
4 log file.
In the above output, you might have noticed that there is a login entry of a special user named
$ last ostechnix sk8. The
ostechni pts/0 192.168.225.37 Thu Jan 7 08:30 still logged in ostechni tty1 Thu Jan 7 08:29 still logged in ostechni pts/0 192.168.225.37 Wed Jan 6 11:02 - 13:31 [02:28] [...]5 command keeps the records of this user each time the computer is booted up.
When we run
ostechni pts/0 192.168.225.37 Thu Jan 7 08:30 still logged in ostechni tty1 Thu Jan 7 08:29 still logged in ostechni pts/0 192.168.225.37 Wed Jan 6 11:02 - 13:31 [02:28] [...]5 command without any options, it will show the entire log output. It has many options to filter, format, and limit output as per your liking. I have included examples for most common options.
1.1. Limit output to specific user
As stated already, the
ostechni pts/0 192.168.225.37 Thu Jan 7 08:30 still logged in ostechni tty1 Thu Jan 7 08:29 still logged in ostechni pts/0 192.168.225.37 Wed Jan 6 11:02 - 13:31 [02:28] [...]5 command lists all recent logins recorded in the
$ last ostechnix sk4 file. If you want to display the recent logins of a specific user [i.e. view all logins by a specific user], for example ostechnix, the command would be:
$ last ostechnix
Sample output:
ostechni pts/0 192.168.225.37 Thu Jan 7 08:30 still logged in ostechni tty1 Thu Jan 7 08:29 still logged in ostechni pts/0 192.168.225.37 Wed Jan 6 11:02 - 13:31 [02:28] [...]
You can also specify multiple usernames with comma-separated like below:
$ last ostechnix sk
1.2. Limit output to specific tty or pts
The
ostechni pts/0 192.168.225.37 Thu Jan 7 08:30 still logged in ostechni tty1 Thu Jan 7 08:29 still logged in ostechni pts/0 192.168.225.37 Wed Jan 6 11:02 - 13:31 [02:28] [...]5 command keeps the record of the type of the terminal device [E.g. tty or pts] on which the session took place.
Say for example, the users might have logged to the Linux machine either locally or via ssh. If you want to restrict the output to specific
$ last tty14, simply run:
$ last tty1
Sample output:
ostechni tty1 Thu Jan 7 08:29 still logged in ostechni tty1 Wed Jan 6 11:00 - down [02:31] ostechni tty1 Fri Nov 20 11:52 - down [00:38] [...]
Names of ttys can be abbreviated. For instance, you can run
$ last tty15 instead of
$ last tty16.
Similarly, to list only
$ last tty17 sessions' logins, run:
$ last pts/0 ostechni pts/0 192.168.225.37 Thu Jan 7 08:30 still logged in ostechni pts/0 192.168.225.37 Wed Jan 6 11:02 - 13:31 [02:28] sk pts/0 192.168.225.37 Wed Jan 6 11:02 - 11:02 [00:00] [...]
You can also specify multiple usernames with ttys like below:
$ last ostechnix sk pts/0 tty1
1.3. Limit output to specific number of lines
The
$ last ostechnix sk4 log file could have large number of entries. If you want to restrict the output of
ostechni pts/0 192.168.225.37 Thu Jan 7 08:30 still logged in ostechni tty1 Thu Jan 7 08:29 still logged in ostechni pts/0 192.168.225.37 Wed Jan 6 11:02 - 13:31 [02:28] [...]5 command to certain number of lines, use
ostechni tty1 Thu Jan 7 08:29 still logged in ostechni tty1 Wed Jan 6 11:00 - down [02:31] ostechni tty1 Fri Nov 20 11:52 - down [00:38] [...]0 flag like below:
$ last0
Or,
$ last1
The above command will only display the 5 lines in the output:
$ last2
1.4. Show hostname instead of IP address
By default,
ostechni pts/0 192.168.225.37 Thu Jan 7 08:30 still logged in ostechni tty1 Thu Jan 7 08:29 still logged in ostechni pts/0 192.168.225.37 Wed Jan 6 11:02 - 13:31 [02:28] [...]5 command shows the source IP from which the user logged it. If you want to display hostname instead of IP address, use
ostechni tty1 Thu Jan 7 08:29 still logged in ostechni tty1 Wed Jan 6 11:00 - down [02:31] ostechni tty1 Fri Nov 20 11:52 - down [00:38] [...]2 [or
ostechni tty1 Thu Jan 7 08:29 still logged in ostechni tty1 Wed Jan 6 11:00 - down [02:31] ostechni tty1 Fri Nov 20 11:52 - down [00:38] [...]3] option:
$ last3
You can also display full user names and domain names in the output with
ostechni tty1 Thu Jan 7 08:29 still logged in ostechni tty1 Wed Jan 6 11:00 - down [02:31] ostechni tty1 Fri Nov 20 11:52 - down [00:38] [...]4 [or
ostechni tty1 Thu Jan 7 08:29 still logged in ostechni tty1 Wed Jan 6 11:00 - down [02:31] ostechni tty1 Fri Nov 20 11:52 - down [00:38] [...]5] option.
1.5. Hide hostname and IP address
To suppress the hostname or IP field, use
ostechni tty1 Thu Jan 7 08:29 still logged in ostechni tty1 Wed Jan 6 11:00 - down [02:31] ostechni tty1 Fri Nov 20 11:52 - down [00:38] [...]6 option.
$ last4
Sample output:
$ last5
1.6. Show user login records on a specific time
The
ostechni tty1 Thu Jan 7 08:29 still logged in ostechni tty1 Wed Jan 6 11:00 - down [02:31] ostechni tty1 Fri Nov 20 11:52 - down [00:38] [...]7 [or
ostechni tty1 Thu Jan 7 08:29 still logged in ostechni tty1 Wed Jan 6 11:00 - down [02:31] ostechni tty1 Fri Nov 20 11:52 - down [00:38] [...]8] option is used to find who was logged in at present or at a specified time.
For example, run the following command to list last logged in users at a 8:30 today:
$ last6
Sample output:
$ last7
To list who is logged at present [i.e. at the time of running this command, run:
$ last8
1.7. Display logged in users within specific time interval
The
ostechni pts/0 192.168.225.37 Thu Jan 7 08:30 still logged in ostechni tty1 Thu Jan 7 08:29 still logged in ostechni pts/0 192.168.225.37 Wed Jan 6 11:02 - 13:31 [02:28] [...]5 command has two options namely
$ last pts/0 ostechni pts/0 192.168.225.37 Thu Jan 7 08:30 still logged in ostechni pts/0 192.168.225.37 Wed Jan 6 11:02 - 13:31 [02:28] sk pts/0 192.168.225.37 Wed Jan 6 11:02 - 11:02 [00:00] [...]0 [
$ last pts/0 ostechni pts/0 192.168.225.37 Thu Jan 7 08:30 still logged in ostechni pts/0 192.168.225.37 Wed Jan 6 11:02 - 13:31 [02:28] sk pts/0 192.168.225.37 Wed Jan 6 11:02 - 11:02 [00:00] [...]1] and
$ last pts/0 ostechni pts/0 192.168.225.37 Thu Jan 7 08:30 still logged in ostechni pts/0 192.168.225.37 Wed Jan 6 11:02 - 13:31 [02:28] sk pts/0 192.168.225.37 Wed Jan 6 11:02 - 11:02 [00:00] [...]2 [
$ last pts/0 ostechni pts/0 192.168.225.37 Thu Jan 7 08:30 still logged in ostechni pts/0 192.168.225.37 Wed Jan 6 11:02 - 13:31 [02:28] sk pts/0 192.168.225.37 Wed Jan 6 11:02 - 11:02 [00:00] [...]3] to display logged in users within a specific period of time. The
$ last pts/0 ostechni pts/0 192.168.225.37 Thu Jan 7 08:30 still logged in ostechni pts/0 192.168.225.37 Wed Jan 6 11:02 - 13:31 [02:28] sk pts/0 192.168.225.37 Wed Jan 6 11:02 - 11:02 [00:00] [...]0 option is used to display the state of logins since the specified time and the
$ last pts/0 ostechni pts/0 192.168.225.37 Thu Jan 7 08:30 still logged in ostechni pts/0 192.168.225.37 Wed Jan 6 11:02 - 13:31 [02:28] sk pts/0 192.168.225.37 Wed Jan 6 11:02 - 11:02 [00:00] [...]2 option is used to display the state of logins until the specified time.
For example, if you want to display the last logins that took place from
$ last pts/0 ostechni pts/0 192.168.225.37 Thu Jan 7 08:30 still logged in ostechni pts/0 192.168.225.37 Wed Jan 6 11:02 - 13:31 [02:28] sk pts/0 192.168.225.37 Wed Jan 6 11:02 - 11:02 [00:00] [...]6 to
$ last pts/0 ostechni pts/0 192.168.225.37 Thu Jan 7 08:30 still logged in ostechni pts/0 192.168.225.37 Wed Jan 6 11:02 - 13:31 [02:28] sk pts/0 192.168.225.37 Wed Jan 6 11:02 - 11:02 [00:00] [...]7, the command is:
$ last9
Sample output:
ostechni pts/0 192.168.225.37 Thu Jan 7 08:30 still logged in ostechni tty1 Thu Jan 7 08:29 still logged in reboot system boot 5.4.0-53-generic Thu Jan 7 08:20 still running reboot system boot 5.4.0-48-generic Fri Nov 20 10:13 - 11:44 [01:31] . . . reboot system boot 5.4.0-33-generic Wed Jul 8 08:49 - 11:41 [02:52] ostechni web console Mon Jul 6 08:19 - 08:20 [00:00] ostechni pts/2 192.168.225.37 Mon Jul 6 08:14 - 08:30 [00:15] ostechni pts/0 192.168.225.37 Mon Jul 6 07:41 - 12:27 [04:45] reboot system boot 5.4.0-33-generic Mon Jul 6 07:21 - 12:27 [05:06] ostechni pts/3 192.168.225.37 Sat Jul 4 12:01 - 12:12 [00:10] ostechni pts/2 192.168.225.37 Sat Jul 4 11:14 - 13:01 [01:46] ostechni pts/0 192.168.225.37 Sat Jul 4 07:55 - 13:01 [05:05] reboot system boot 5.4.0-33-generic Sat Jul 4 07:53 - 13:03 [05:09] ostechni tty1 Fri May 29 10:07 - down [00:00] reboot system boot 5.4.0-33-generic Fri May 29 10:06 - 10:07 [00:01] ostechni pts/0 192.168.225.37 Fri May 29 09:36 - 10:06 [00:29] ostechni tty1 Fri May 29 09:36 - down [00:29] reboot system boot 5.4.0-31-generic Fri May 29 09:35 - 10:06 [00:30] ostechni tty1 Sun May 24 13:17 - down [00:02] reboot system boot 5.4.0-31-generic Sun May 24 13:16 - 13:20 [00:03] wtmp begins Sun May 24 13:16:52 20200
To view recent logins from yesterday to today, run:
ostechni pts/0 192.168.225.37 Thu Jan 7 08:30 still logged in ostechni tty1 Thu Jan 7 08:29 still logged in reboot system boot 5.4.0-53-generic Thu Jan 7 08:20 still running reboot system boot 5.4.0-48-generic Fri Nov 20 10:13 - 11:44 [01:31] . . . reboot system boot 5.4.0-33-generic Wed Jul 8 08:49 - 11:41 [02:52] ostechni web console Mon Jul 6 08:19 - 08:20 [00:00] ostechni pts/2 192.168.225.37 Mon Jul 6 08:14 - 08:30 [00:15] ostechni pts/0 192.168.225.37 Mon Jul 6 07:41 - 12:27 [04:45] reboot system boot 5.4.0-33-generic Mon Jul 6 07:21 - 12:27 [05:06] ostechni pts/3 192.168.225.37 Sat Jul 4 12:01 - 12:12 [00:10] ostechni pts/2 192.168.225.37 Sat Jul 4 11:14 - 13:01 [01:46] ostechni pts/0 192.168.225.37 Sat Jul 4 07:55 - 13:01 [05:05] reboot system boot 5.4.0-33-generic Sat Jul 4 07:53 - 13:03 [05:09] ostechni tty1 Fri May 29 10:07 - down [00:00] reboot system boot 5.4.0-33-generic Fri May 29 10:06 - 10:07 [00:01] ostechni pts/0 192.168.225.37 Fri May 29 09:36 - 10:06 [00:29] ostechni tty1 Fri May 29 09:36 - down [00:29] reboot system boot 5.4.0-31-generic Fri May 29 09:35 - 10:06 [00:30] ostechni tty1 Sun May 24 13:17 - down [00:02] reboot system boot 5.4.0-31-generic Sun May 24 13:16 - 13:20 [00:03] wtmp begins Sun May 24 13:16:52 20201
If you want to only list login records since January 07, 2021 to till date, run:
ostechni pts/0 192.168.225.37 Thu Jan 7 08:30 still logged in ostechni tty1 Thu Jan 7 08:29 still logged in reboot system boot 5.4.0-53-generic Thu Jan 7 08:20 still running reboot system boot 5.4.0-48-generic Fri Nov 20 10:13 - 11:44 [01:31] . . . reboot system boot 5.4.0-33-generic Wed Jul 8 08:49 - 11:41 [02:52] ostechni web console Mon Jul 6 08:19 - 08:20 [00:00] ostechni pts/2 192.168.225.37 Mon Jul 6 08:14 - 08:30 [00:15] ostechni pts/0 192.168.225.37 Mon Jul 6 07:41 - 12:27 [04:45] reboot system boot 5.4.0-33-generic Mon Jul 6 07:21 - 12:27 [05:06] ostechni pts/3 192.168.225.37 Sat Jul 4 12:01 - 12:12 [00:10] ostechni pts/2 192.168.225.37 Sat Jul 4 11:14 - 13:01 [01:46] ostechni pts/0 192.168.225.37 Sat Jul 4 07:55 - 13:01 [05:05] reboot system boot 5.4.0-33-generic Sat Jul 4 07:53 - 13:03 [05:09] ostechni tty1 Fri May 29 10:07 - down [00:00] reboot system boot 5.4.0-33-generic Fri May 29 10:06 - 10:07 [00:01] ostechni pts/0 192.168.225.37 Fri May 29 09:36 - 10:06 [00:29] ostechni tty1 Fri May 29 09:36 - down [00:29] reboot system boot 5.4.0-31-generic Fri May 29 09:35 - 10:06 [00:30] ostechni tty1 Sun May 24 13:17 - down [00:02] reboot system boot 5.4.0-31-generic Sun May 24 13:16 - 13:20 [00:03] wtmp begins Sun May 24 13:16:52 20202
1.8. Display last logged in users with full date and time
The
$ last pts/0 ostechni pts/0 192.168.225.37 Thu Jan 7 08:30 still logged in ostechni pts/0 192.168.225.37 Wed Jan 6 11:02 - 13:31 [02:28] sk pts/0 192.168.225.37 Wed Jan 6 11:02 - 11:02 [00:00] [...]8 [
$ last pts/0 ostechni pts/0 192.168.225.37 Thu Jan 7 08:30 still logged in ostechni pts/0 192.168.225.37 Wed Jan 6 11:02 - 13:31 [02:28] sk pts/0 192.168.225.37 Wed Jan 6 11:02 - 11:02 [00:00] [...]9] option is used to display the full login and logout date and time in
ostechni pts/0 192.168.225.37 Thu Jan 7 08:30 still logged in ostechni tty1 Thu Jan 7 08:29 still logged in ostechni pts/0 192.168.225.37 Wed Jan 6 11:02 - 13:31 [02:28] [...]5 command's output.
ostechni pts/0 192.168.225.37 Thu Jan 7 08:30 still logged in ostechni tty1 Thu Jan 7 08:29 still logged in reboot system boot 5.4.0-53-generic Thu Jan 7 08:20 still running reboot system boot 5.4.0-48-generic Fri Nov 20 10:13 - 11:44 [01:31] . . . reboot system boot 5.4.0-33-generic Wed Jul 8 08:49 - 11:41 [02:52] ostechni web console Mon Jul 6 08:19 - 08:20 [00:00] ostechni pts/2 192.168.225.37 Mon Jul 6 08:14 - 08:30 [00:15] ostechni pts/0 192.168.225.37 Mon Jul 6 07:41 - 12:27 [04:45] reboot system boot 5.4.0-33-generic Mon Jul 6 07:21 - 12:27 [05:06] ostechni pts/3 192.168.225.37 Sat Jul 4 12:01 - 12:12 [00:10] ostechni pts/2 192.168.225.37 Sat Jul 4 11:14 - 13:01 [01:46] ostechni pts/0 192.168.225.37 Sat Jul 4 07:55 - 13:01 [05:05] reboot system boot 5.4.0-33-generic Sat Jul 4 07:53 - 13:03 [05:09] ostechni tty1 Fri May 29 10:07 - down [00:00] reboot system boot 5.4.0-33-generic Fri May 29 10:06 - 10:07 [00:01] ostechni pts/0 192.168.225.37 Fri May 29 09:36 - 10:06 [00:29] ostechni tty1 Fri May 29 09:36 - down [00:29] reboot system boot 5.4.0-31-generic Fri May 29 09:35 - 10:06 [00:30] ostechni tty1 Sun May 24 13:17 - down [00:02] reboot system boot 5.4.0-31-generic Sun May 24 13:16 - 13:20 [00:03] wtmp begins Sun May 24 13:16:52 20203
Sample output:
ostechni pts/0 192.168.225.37 Thu Jan 7 08:30 still logged in ostechni tty1 Thu Jan 7 08:29 still logged in reboot system boot 5.4.0-53-generic Thu Jan 7 08:20 still running reboot system boot 5.4.0-48-generic Fri Nov 20 10:13 - 11:44 [01:31] . . . reboot system boot 5.4.0-33-generic Wed Jul 8 08:49 - 11:41 [02:52] ostechni web console Mon Jul 6 08:19 - 08:20 [00:00] ostechni pts/2 192.168.225.37 Mon Jul 6 08:14 - 08:30 [00:15] ostechni pts/0 192.168.225.37 Mon Jul 6 07:41 - 12:27 [04:45] reboot system boot 5.4.0-33-generic Mon Jul 6 07:21 - 12:27 [05:06] ostechni pts/3 192.168.225.37 Sat Jul 4 12:01 - 12:12 [00:10] ostechni pts/2 192.168.225.37 Sat Jul 4 11:14 - 13:01 [01:46] ostechni pts/0 192.168.225.37 Sat Jul 4 07:55 - 13:01 [05:05] reboot system boot 5.4.0-33-generic Sat Jul 4 07:53 - 13:03 [05:09] ostechni tty1 Fri May 29 10:07 - down [00:00] reboot system boot 5.4.0-33-generic Fri May 29 10:06 - 10:07 [00:01] ostechni pts/0 192.168.225.37 Fri May 29 09:36 - 10:06 [00:29] ostechni tty1 Fri May 29 09:36 - down [00:29] reboot system boot 5.4.0-31-generic Fri May 29 09:35 - 10:06 [00:30] ostechni tty1 Sun May 24 13:17 - down [00:02] reboot system boot 5.4.0-31-generic Sun May 24 13:16 - 13:20 [00:03] wtmp begins Sun May 24 13:16:52 20204
1.9. Display hostname in the last column
The
$ last ostechnix sk pts/0 tty11 [
$ last ostechnix sk pts/0 tty12] option is used to display the hostname column last to prevent truncation.
ostechni pts/0 192.168.225.37 Thu Jan 7 08:30 still logged in ostechni tty1 Thu Jan 7 08:29 still logged in reboot system boot 5.4.0-53-generic Thu Jan 7 08:20 still running reboot system boot 5.4.0-48-generic Fri Nov 20 10:13 - 11:44 [01:31] . . . reboot system boot 5.4.0-33-generic Wed Jul 8 08:49 - 11:41 [02:52] ostechni web console Mon Jul 6 08:19 - 08:20 [00:00] ostechni pts/2 192.168.225.37 Mon Jul 6 08:14 - 08:30 [00:15] ostechni pts/0 192.168.225.37 Mon Jul 6 07:41 - 12:27 [04:45] reboot system boot 5.4.0-33-generic Mon Jul 6 07:21 - 12:27 [05:06] ostechni pts/3 192.168.225.37 Sat Jul 4 12:01 - 12:12 [00:10] ostechni pts/2 192.168.225.37 Sat Jul 4 11:14 - 13:01 [01:46] ostechni pts/0 192.168.225.37 Sat Jul 4 07:55 - 13:01 [05:05] reboot system boot 5.4.0-33-generic Sat Jul 4 07:53 - 13:03 [05:09] ostechni tty1 Fri May 29 10:07 - down [00:00] reboot system boot 5.4.0-33-generic Fri May 29 10:06 - 10:07 [00:01] ostechni pts/0 192.168.225.37 Fri May 29 09:36 - 10:06 [00:29] ostechni tty1 Fri May 29 09:36 - down [00:29] reboot system boot 5.4.0-31-generic Fri May 29 09:35 - 10:06 [00:30] ostechni tty1 Sun May 24 13:17 - down [00:02] reboot system boot 5.4.0-31-generic Sun May 24 13:16 - 13:20 [00:03] wtmp begins Sun May 24 13:16:52 20205
1.10. View last login records of pseudo user "reboot"
As I mentioned earlier, the last command keeps the record of a special pseudo users named "reboot" and "shutdown".
To view last login details of "reboot" and "shutdown" users, use the following commands:
ostechni pts/0 192.168.225.37 Thu Jan 7 08:30 still logged in ostechni tty1 Thu Jan 7 08:29 still logged in reboot system boot 5.4.0-53-generic Thu Jan 7 08:20 still running reboot system boot 5.4.0-48-generic Fri Nov 20 10:13 - 11:44 [01:31] . . . reboot system boot 5.4.0-33-generic Wed Jul 8 08:49 - 11:41 [02:52] ostechni web console Mon Jul 6 08:19 - 08:20 [00:00] ostechni pts/2 192.168.225.37 Mon Jul 6 08:14 - 08:30 [00:15] ostechni pts/0 192.168.225.37 Mon Jul 6 07:41 - 12:27 [04:45] reboot system boot 5.4.0-33-generic Mon Jul 6 07:21 - 12:27 [05:06] ostechni pts/3 192.168.225.37 Sat Jul 4 12:01 - 12:12 [00:10] ostechni pts/2 192.168.225.37 Sat Jul 4 11:14 - 13:01 [01:46] ostechni pts/0 192.168.225.37 Sat Jul 4 07:55 - 13:01 [05:05] reboot system boot 5.4.0-33-generic Sat Jul 4 07:53 - 13:03 [05:09] ostechni tty1 Fri May 29 10:07 - down [00:00] reboot system boot 5.4.0-33-generic Fri May 29 10:06 - 10:07 [00:01] ostechni pts/0 192.168.225.37 Fri May 29 09:36 - 10:06 [00:29] ostechni tty1 Fri May 29 09:36 - down [00:29] reboot system boot 5.4.0-31-generic Fri May 29 09:35 - 10:06 [00:30] ostechni tty1 Sun May 24 13:17 - down [00:02] reboot system boot 5.4.0-31-generic Sun May 24 13:16 - 13:20 [00:03] wtmp begins Sun May 24 13:16:52 20206
ostechni pts/0 192.168.225.37 Thu Jan 7 08:30 still logged in ostechni tty1 Thu Jan 7 08:29 still logged in reboot system boot 5.4.0-53-generic Thu Jan 7 08:20 still running reboot system boot 5.4.0-48-generic Fri Nov 20 10:13 - 11:44 [01:31] . . . reboot system boot 5.4.0-33-generic Wed Jul 8 08:49 - 11:41 [02:52] ostechni web console Mon Jul 6 08:19 - 08:20 [00:00] ostechni pts/2 192.168.225.37 Mon Jul 6 08:14 - 08:30 [00:15] ostechni pts/0 192.168.225.37 Mon Jul 6 07:41 - 12:27 [04:45] reboot system boot 5.4.0-33-generic Mon Jul 6 07:21 - 12:27 [05:06] ostechni pts/3 192.168.225.37 Sat Jul 4 12:01 - 12:12 [00:10] ostechni pts/2 192.168.225.37 Sat Jul 4 11:14 - 13:01 [01:46] ostechni pts/0 192.168.225.37 Sat Jul 4 07:55 - 13:01 [05:05] reboot system boot 5.4.0-33-generic Sat Jul 4 07:53 - 13:03 [05:09] ostechni tty1 Fri May 29 10:07 - down [00:00] reboot system boot 5.4.0-33-generic Fri May 29 10:06 - 10:07 [00:01] ostechni pts/0 192.168.225.37 Fri May 29 09:36 - 10:06 [00:29] ostechni tty1 Fri May 29 09:36 - down [00:29] reboot system boot 5.4.0-31-generic Fri May 29 09:35 - 10:06 [00:30] ostechni tty1 Sun May 24 13:17 - down [00:02] reboot system boot 5.4.0-31-generic Sun May 24 13:16 - 13:20 [00:03] wtmp begins Sun May 24 13:16:52 20207
2. Display failed login attempts using lastb in Linux
The
ostechni pts/0 192.168.225.37 Thu Jan 7 08:30 still logged in ostechni tty1 Thu Jan 7 08:29 still logged in ostechni pts/0 192.168.225.37 Wed Jan 6 11:02 - 13:31 [02:28] [...]6 is same as
ostechni pts/0 192.168.225.37 Thu Jan 7 08:30 still logged in ostechni tty1 Thu Jan 7 08:29 still logged in ostechni pts/0 192.168.225.37 Wed Jan 6 11:02 - 13:31 [02:28] [...]5 command, but it only lists all the bad login attempts. It gets the failed login details from the
$ last ostechnix sk pts/0 tty15 file.
Please note that your system only logs information in the
$ last ostechnix sk pts/0 tty16 file if it is present. If this file is not available for any reason, simply create it with
$ last ostechnix sk5 command like below:
ostechni pts/0 192.168.225.37 Thu Jan 7 08:30 still logged in ostechni tty1 Thu Jan 7 08:29 still logged in reboot system boot 5.4.0-53-generic Thu Jan 7 08:20 still running reboot system boot 5.4.0-48-generic Fri Nov 20 10:13 - 11:44 [01:31] . . . reboot system boot 5.4.0-33-generic Wed Jul 8 08:49 - 11:41 [02:52] ostechni web console Mon Jul 6 08:19 - 08:20 [00:00] ostechni pts/2 192.168.225.37 Mon Jul 6 08:14 - 08:30 [00:15] ostechni pts/0 192.168.225.37 Mon Jul 6 07:41 - 12:27 [04:45] reboot system boot 5.4.0-33-generic Mon Jul 6 07:21 - 12:27 [05:06] ostechni pts/3 192.168.225.37 Sat Jul 4 12:01 - 12:12 [00:10] ostechni pts/2 192.168.225.37 Sat Jul 4 11:14 - 13:01 [01:46] ostechni pts/0 192.168.225.37 Sat Jul 4 07:55 - 13:01 [05:05] reboot system boot 5.4.0-33-generic Sat Jul 4 07:53 - 13:03 [05:09] ostechni tty1 Fri May 29 10:07 - down [00:00] reboot system boot 5.4.0-33-generic Fri May 29 10:06 - 10:07 [00:01] ostechni pts/0 192.168.225.37 Fri May 29 09:36 - 10:06 [00:29] ostechni tty1 Fri May 29 09:36 - down [00:29] reboot system boot 5.4.0-31-generic Fri May 29 09:35 - 10:06 [00:30] ostechni tty1 Sun May 24 13:17 - down [00:02] reboot system boot 5.4.0-31-generic Sun May 24 13:16 - 13:20 [00:03] wtmp begins Sun May 24 13:16:52 20208
Now we can display the failed login attempts using lastb command like below:
ostechni pts/0 192.168.225.37 Thu Jan 7 08:30 still logged in ostechni tty1 Thu Jan 7 08:29 still logged in reboot system boot 5.4.0-53-generic Thu Jan 7 08:20 still running reboot system boot 5.4.0-48-generic Fri Nov 20 10:13 - 11:44 [01:31] . . . reboot system boot 5.4.0-33-generic Wed Jul 8 08:49 - 11:41 [02:52] ostechni web console Mon Jul 6 08:19 - 08:20 [00:00] ostechni pts/2 192.168.225.37 Mon Jul 6 08:14 - 08:30 [00:15] ostechni pts/0 192.168.225.37 Mon Jul 6 07:41 - 12:27 [04:45] reboot system boot 5.4.0-33-generic Mon Jul 6 07:21 - 12:27 [05:06] ostechni pts/3 192.168.225.37 Sat Jul 4 12:01 - 12:12 [00:10] ostechni pts/2 192.168.225.37 Sat Jul 4 11:14 - 13:01 [01:46] ostechni pts/0 192.168.225.37 Sat Jul 4 07:55 - 13:01 [05:05] reboot system boot 5.4.0-33-generic Sat Jul 4 07:53 - 13:03 [05:09] ostechni tty1 Fri May 29 10:07 - down [00:00] reboot system boot 5.4.0-33-generic Fri May 29 10:06 - 10:07 [00:01] ostechni pts/0 192.168.225.37 Fri May 29 09:36 - 10:06 [00:29] ostechni tty1 Fri May 29 09:36 - down [00:29] reboot system boot 5.4.0-31-generic Fri May 29 09:35 - 10:06 [00:30] ostechni tty1 Sun May 24 13:17 - down [00:02] reboot system boot 5.4.0-31-generic Sun May 24 13:16 - 13:20 [00:03] wtmp begins Sun May 24 13:16:52 20209
Sample output:
$ last ostechnix0
The above commands lists all unsuccessful login attempts by all users in the Linux system. It also shows failed login attempts that took place via SSH.
3. Find last logged in users in Linux with lastlog command
The lastlog command shows the most recent login of all users or of a specific user in Linux and Unix-like operating systems. It retrieves the list of last logged in users from
$ last ostechnix sk pts/0 tty18 file and displays the result in standard output.
To display the most recent login of all users, run:
$ last ostechnix1
Sample output:
$ last ostechnix2
As you see in the above output,
ostechni pts/0 192.168.225.37 Thu Jan 7 08:30 still logged in ostechni tty1 Thu Jan 7 08:29 still logged in ostechni pts/0 192.168.225.37 Wed Jan 6 11:02 - 13:31 [02:28] [...]7 command displays the last login records of system user accounts as well as other service accounts such as
$ last00,
$ last01,
$ last02,
$ last03,
$ last04 etc.
The
ostechni pts/0 192.168.225.37 Thu Jan 7 08:30 still logged in ostechni tty1 Thu Jan 7 08:29 still logged in ostechni pts/0 192.168.225.37 Wed Jan 6 11:02 - 13:31 [02:28] [...]7 command prints the login-name, port, source IP address from which the user logged in and the last login date and time. If an user has never logged in, it will print the message
$ last06 instead of the port and time in the output.
You might be wondering why there are many service accounts have never logged in. This is because the login shells for these accounts are set to either
$ last07. It is common security practice used to limit direct access to the shell.
3.1. Display last logged in details of a specific user
If you want to display lastlog record of a specified user, for example ostechnix, the command would be:
$ last ostechnix3
Sample output:
$ last ostechnix4
3.2. Display last logged in records before or recent than X days
The
ostechni pts/0 192.168.225.37 Thu Jan 7 08:30 still logged in ostechni tty1 Thu Jan 7 08:29 still logged in ostechni pts/0 192.168.225.37 Wed Jan 6 11:02 - 13:31 [02:28] [...]7 command can able to display recent login records before than or recent than X days.
For instance, you can get recent login records of all users before than 5 days using
$ last09 flag like below:
$ last ostechnix5
Similarly, to display login records more recent than 5 days, use
$ last pts/0 ostechni pts/0 192.168.225.37 Thu Jan 7 08:30 still logged in ostechni pts/0 192.168.225.37 Wed Jan 6 11:02 - 13:31 [02:28] sk pts/0 192.168.225.37 Wed Jan 6 11:02 - 11:02 [00:00] [...]2 flag:
$ last ostechnix6
3.3. Remove or clear the last login information using lastlog in Linux
If you don't want the lastlog record of an user, just clear them using
$ last11 [
$ last12] flag:
$ last ostechnix7
To verify if the log record is cleared, run:
$ last ostechnix8
Getting help
For more details, refer the help section of the respective command.
$ last ostechnix9
ostechni pts/0 192.168.225.37 Thu Jan 7 08:30 still logged in ostechni tty1 Thu Jan 7 08:29 still logged in ostechni pts/0 192.168.225.37 Wed Jan 6 11:02 - 13:31 [02:28] [...]0
ostechni pts/0 192.168.225.37 Thu Jan 7 08:30 still logged in ostechni tty1 Thu Jan 7 08:29 still logged in ostechni pts/0 192.168.225.37 Wed Jan 6 11:02 - 13:31 [02:28] [...]1
Or go through the man pages of each command:
ostechni pts/0 192.168.225.37 Thu Jan 7 08:30 still logged in ostechni tty1 Thu Jan 7 08:29 still logged in ostechni pts/0 192.168.225.37 Wed Jan 6 11:02 - 13:31 [02:28] [...]2
ostechni pts/0 192.168.225.37 Thu Jan 7 08:30 still logged in ostechni tty1 Thu Jan 7 08:29 still logged in ostechni pts/0 192.168.225.37 Wed Jan 6 11:02 - 13:31 [02:28] [...]3
ostechni pts/0 192.168.225.37 Thu Jan 7 08:30 still logged in ostechni tty1 Thu Jan 7 08:29 still logged in ostechni pts/0 192.168.225.37 Wed Jan 6 11:02 - 13:31 [02:28] [...]4
Conclusion
The
ostechni pts/0 192.168.225.37 Thu Jan 7 08:30 still logged in ostechni tty1 Thu Jan 7 08:29 still logged in ostechni pts/0 192.168.225.37 Wed Jan 6 11:02 - 13:31 [02:28] [...]5,
ostechni pts/0 192.168.225.37 Thu Jan 7 08:30 still logged in ostechni tty1 Thu Jan 7 08:29 still logged in ostechni pts/0 192.168.225.37 Wed Jan 6 11:02 - 13:31 [02:28] [...]6 and
ostechni pts/0 192.168.225.37 Thu Jan 7 08:30 still logged in ostechni tty1 Thu Jan 7 08:29 still logged in ostechni pts/0 192.168.225.37 Wed Jan 6 11:02 - 13:31 [02:28] [...]7 commands comes in rescue to detect suspicious user activities in a Linux system. Finding who is recently logged in [or logged out from] the Linux server, when did they log in and for how long are the important details that will definitely help you at troubleshooting times.
Related read:
- How To Find Currently Logged In Users In Linux
- How To List All Users In Linux
- How To Monitor User Activity In Linux
- How To Limit User’s Access To The Linux System
Find last logged in userslastlastblastlogLinuxLinux administrationLinux basicsLinux commandsLinux tipsLinux user management