last command in Linux with Examples – View history of user logins
This last command guide is a follow-up of my previous 90 Linux Commands frequently used by Linux Sysadmins article. Every week, or as time allows, I will publish articles on around 90 commands geared toward Linux sysadmins and Linux power users. Let’s continue this series with the last command.
You may be working with other system administrators and developers who all have to log in to the same system. At some point, you will want to view a list of the last users who logged in, from where, and what time. Meet the last command for Linux and Unix-like systems.
Table of Contents
last command examples
The last command usually reads from the log file /var/log/wtmp and prints the history of successful user login attempts as well as any currently logged-in users. The last logged-in users appear at the top of the list. We will also look at similar commands, namely: lastb and lastlog.
To view last logins, their duration, and other details, use:
last
To show only the last 10 logins, use:
last -n 10
To print the full date and time of entries with their IPs, use:
last -F
To view all logins by a specific user and show the IP address instead of the hostname, use:
last username
To view all recorded reboots, use:
last reboot
To view all recorded shutdowns, use:
last shutdown
To check when was the file /var/log/wtmp was written last, use:
stat /var/log/wtmp
You can also filter by users or ttys, in which case last will show only entries matching those arguments. Ttys can be abbreviated. For example, last 7 is the same as last tty7.
lastb command examples
lastb is the same as last, except that it shows the log of the last failed login attempts.
To show a list of all failed login attempts, use:
sudo lastb
To show a list of failed login attempts since a given time, use:
sudo lastb --since YYYY-MM-DD
To show a list of failed login attempts until a given time, use:
sudo lastb --until YYYY-MM-DD
To show a list of all failed login attempts at a specific time, use:
sudo lastb --present hh:mm
These options apply to both last and lastb:
Screenshot and below excerpt are from: man last.
-a, –hostlast – Display the hostname in the last column. Useful in combination with the –dns option.
-d, –dns – For non-local logins, Linux stores not only the hostname of the remote host but its IP number as well. This option translates the IP number back into a hostname.
-f, –file – Tell last to use a specific file instead of /var/log/wtmp. The –file option can be given multiple times, and all of the specified files will be processed.
-F, –fulltimes – Print full login and logout times and dates.
-i, –ip – Like –dns , but displays the host’s IP number instead of the name.
-n, –limit number – Tell last how many lines to show.
-p, –present time – Display the users who were present at the specified time. This is like using the
options –since and –until together with the same time.
-R, –nohostname – Suppresses the display of the hostname field.
-s, –since time – Display the state of logins since the specified time. This is useful, e.g., to easily determine who was logged in at a particular time. The option is often combined with –until.
-t, –until time – Display the state of logins until the specified time.
–time-format format – Define the output timestamp format to be one of notime, short, full, or iso. The notime variant will not print any timestamps at all, short is the default, and full is the same as the –fulltimes option. The iso variant will display the timestamp in ISO-8601 format. The ISO format contains timezone information, making it preferable when printouts are investigated outside of the system.
-w, –fullnames – Display full user names and domain names in the output.
-x, –system – Display the system shutdown entries and run level changes.
lastlog command with examples
Also useful is the lastlog command. The lastlog command shows the most recent login for all users or a specific user.
To show the most recent login of all users, use:
lastlog
To show a record of the specific user, use:
lastlog -u username
To show logins older than 1 day, use:
lastlog -b 1
To show records more recent than 7 days, use:
lastlog -t 7
Sorting the output:
For all of these commands (last, lastb, and lastlog), you can reverse the output using tac. For example:
last | tac
Related commands:
- who – print who is currently logged in.
- w – a quick summary of every user logged into a computer.
- lastcomm – List Last Executed Commands of User.
Conclusion
If you are accessing Linux servers along with other system administrators and developers, last, lastb, and lastlog provide a fast way to view a list of last and currently logged-in users.