How to Use the last Command on Linux

Linux laptop displaying a bash promptFatmawati Achmad Zaenuri /

Who, when and where? According to good security practices, you must know who is accessing your Linux computer. We show you how.

The wtmp file

Linux and other Unix-like operating systems such as MacOS are very good for logging. Somewhere in the bowels of the system, there is a log that contains just about anything you can think of. The log file we are interested in is called wtmp. The "w" could mean "when" or "who" – no one seems to agree. The "tmp" part probably means "temporary", but can also mean "timestamp".

What we do know is that wtmp is a log that records and records each connection and disconnect event. Examining the data in the wtmp log is a fundamental step to take a security-oriented approach in your system administration tasks. For a typical home computer, security may not be as critical, but it's worth looking at your combined use of the computer.

Unlike most Linux text log files, wtmp is a binary file. To access the data it contains, we must use a tool designed for this task.

This tool is the last order.

The last order

The last command reads the wtmp log data and displays it in a terminal window.

If you type last and press Enter, it will be view all records from the log file.


last command in a terminal window

Each record of wtmp is displayed in the terminal window.

From left to right, each line contains:

The user name of the person who has logged on.
The terminal to which they were connected. A terminal entry of: 0 means that they have been connected to the Linux computer itself.
The IP address of the machine to which they were connected.
The time of connection and the time stamp.
The duration of the session

last output in a terminal window

The last line tells us the date and time of the first session recorded in the log.

A login for the fictitious user 'reboot' is written to the log each time the computer is started. The terminal field is replaced by the kernel version. The duration of the connected session for these entries represents the time of availability of the computer.

Display of a specific number of lines

The use of the last command alone generates a flush of the entire log, most of which passes beyond the terminal window. The part that remains visible corresponds to the oldest data of the newspaper. This is probably not what you wanted to see.

You can say last to give you a specific number of output lines. To do this, specify the number of lines you want on the command line. Note the hyphen. To see five lines, you must type -5 instead of 5:

last -5

last -5 in a terminal window

This gives the first five lines of the log, which are the most recent data.

first five lines of twmp in a terminal window

Display network names for remote users

The -d (Domain Name System) option tells the last to try to resolve the IP addresses of remote users to a machine or network name.

last -d

last -d in a terminal window

For the last time, it is not always possible to convert the IP address to a network name, but the command will do it when it can.

last -d output in a terminal window

Hiding IP addresses and network names

If you are not interested in the IP address or network name, use the -R (no hostname) option to remove this field.

last -R in a terminal window

Since this gives a sharper output without ugly envelopes, this option has been used in all of the following examples. If you used last to try to identify unusual or suspicious activity, you would not delete this field.

last -R output in a terminal window

Selecting records by date

You can use the -s (since) option to limit the output to only show connection events that have occurred since a given date.

If you only want to see login events that occurred on May 26, 2019, use the following command:

last -R -s 2019-05-26

last -R -s 2019-05-26 in a terminal window

The output displays the records with the connection events that took place from the 00:00 time on the specified day, to the most recent log file records.

Last issue -R -s 2019-05-26 in a terminal window

Search until end date

You can use the -t (up to) to specify an end date. This allows you to select a set of records that occurred between two dates of interest.

last -R -s 2019-05-26 -t 2019-05-27 in a terminal window

This command last requests to retrieve and display the connection records from 00:00 (dawn) on the 26th to 00:00 (dawn) on the 27th. This narrows the list to login sessions that took place on the 26th only.

Last issue -R -s 2019-05-26 -t 2019-05-27 in a terminal window

Time and date formats

You can use times and dates with the -s and -t options.

The different time formats that can be used with the latest options using dates and times are (allegedly):

YYYY-MM-DD hh: mm: ss
YYYY-MM-DD hh: mm – seconds are set to 00
YYYY-MM-DD – time is set to 00:00:00
hh: mm: ss – the date is set today
hh: mm – the date will be fixed today, the second to 00
yesterday – the time is set to 00:00:00
Today – time is 00:00:00
tomorrow – the time is set to 00:00:00
+ 5min
-5 days

Why "so-called"?

The second and third formats in the list did not work while searching for this article. These commands have been tested on the Ubuntu, Fedora and Manjaro distributions. These are derivatives of the Debian, RedHat and Arch distributions, respectively. This covers all major families of the Linux distribution.

last -R -s 2019-05-26 11:00 -t 2019-05-27 13:00

Exit of a last failed command in a terminal window

As you can see, the command did not return any records.

Using the first date and time format of the list with the same date and time as the previous command returns records:

last -R -s 20190526110000 -t 20190527130000

last -R -s 20190526110000 -t 20190527130000 in a terminal window

Search by relative units

You also specify periods measured in minutes or days, relative to the current date and time. Here we ask for records from two days to one day.

last -R -s -2 days -t -1 days

last -R -s -2 days -t -1 days in a terminal window

Yesterday, today and now

You can use yesterday and tomorrow in abbreviated form for yesterday and today.

last -R -s yesterday -t today

last -R -s yesterday -t today in a terminal window

Not that it will not include any registration for today. This is the expected behavior. The command requests records from the start date to the end date. It does not include the recordings of the end date.

Exit of the last -R -s yesterday -t today in a terminal window

The option now is abbreviated for "today at the present time". To see the login events that have occurred since 00:00 (dawn) until you run the command, use this command:

last -R -s today -t now

last -R -s today - now in a terminal window

This will show all connection events so far, including those that are still connected.

last -R -s release today -t now

The current option

The -p (present) option lets you know who has been connected at a given time.

No matter when you log in or out, but if they were connected to the computer at the time you specify, they will be included in the list.

If you specify a time without a date the last one assumes you mean "today".

last -R -p 09:30

last -R -p 09:30 in a terminal window

People who are always connected (obviously) do not have a disconnect time; they are described as always connected. If the computer has not been restarted since the specified time, it will be listed as still running.

Release of the latest -R -p 09:30

If you use the shortcut now with the -p (present) option, you can find out who is logged in when you run the command.

last -R -p now

last -R -p now in a terminal window

It's a long way to realize what can be accomplished using the command that.

Exit the last -R -p now in a terminal window

RELATED: How to determine the current user account on Linux

The last order

The last order deserves to be mentioned. It reads data from a log called btmp. There is a little more consensus on this newspaper name. The "b" means bad, but the "tmp" part is still under debate.

lastb lists unsuccessful login attempts (failed). It accepts the same options as the last one. Since login attempts have failed, they will all have a duration of 00:00.

You must use sudo with lastb.

sudo lastb -R

lastb - R in a terminal window

The last word on the subject

Know who has logged on to your Linux computer, when and where it is needed. By combining this information with the details of unsuccessful login attempts, you are familiar with the early stages of looking for suspicious behavior.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.