- 1 Last command syntax and options
- 2 Examples of how to use last
- 3 Conclusions
Sometimes when administering a server running Linux, you need to view the history of logins and logouts for users. This is convenient to do with the last command. Although it will come in handy in other situations.
In this article, we will describe in detail how last works in Linux, what its syntax is and the options available. And then let’s move on to specific use cases and look at a few scenarios.
Last command syntax and options
By default, this utility takes data from the /var/log/wtmp file and displays a complete list of logged-on and logged-out users. Let’s look at its syntax. In the terminal, you need to specify the options, the name of one or more users and tty:
last username name option_tty
You may use lastb instead of last. The default file in this scenario is /var/log/btmp, which saves all unsuccessful login attempts. Let us now go over the different options:
- -a, –hostlast – display hostname information in the last column. Initially, it appears in the third column.
- -d, –dns – display the user’s IP address in case of a remote connection. Convenient to use together with the previous option.
- -f, –file – select your file to load data instead of the default /var/log/wtmp. The option can be used multiple times by selecting two or more files.
- -F, –fulltimes – display the full date and time of logins and logoffs.
- -i, –ip – display the USER’s IP address when connecting remotely instead of the hostname. This is somewhat similar to the –dns option mentioned earlier.
- -number, -n, –limit – specify how many lines of information will be displayed when the command is executed.
- -p, –present – display information about sessions at a specific time.
- -R, –nohostname – do not display the hostname column.
- -s, –since – display information starting from a specified point in time.
- -t, –until — display information before the specified time.
- –time-format – choose one of the 4 available ways to display the time: notime – not to display information at all, short – the standard option used by default, full – full information, as in the case of the –fultimes option, iso – use the ISO-8601 format, which includes the time zone.
- -w, –fullname — display fully qualified user and domain names.
- -x, –system – display records about shutting down the system and changing the run level.
In the terminal, you may get detailed information about the last command, syntax, and all options:
Now, let’s look at some examples of how it’s used.
Examples of how to use last
First, consider a method for seeing the whole history of inputs and outputs, describing each area in detail. Let’s now look at the data for a single user. These are the primary circumstances that might be useful.
We’ll also look at a few viable alternatives. To go to the proper one, use the table of contents.
View the complete history
The primary goal is to obtain full information for all users. For this reason, the following arguments should be supplied to the final command: -F, -w, and -x:
last -F -w -x
Let’s take a closer look at each column:
- The username comes first. It should be noted that reboot is an individual user who arises during a reboot, shutdown when the system is shut down, and runlevel when the execution level changes.
- Details regarding the tty session.
- This is the hostname.
- It’s login time.
- It’s time to go.
- The session’s duration.
It’s worth noting that the last line of wtmp starts specifies whether or not the /var/log/btmp file exists.
The -d option will be added to the command if you need comprehensive information about distant connections:
last -d -F -w -x
As a result, the connection’s IP address will be noted in a distinct column.
A specific user’s history
When numerous people use a computer at the same time, information can only be accessed from one of them. To do this, the final utility must give its name. Consider everything in terms of the root-user user:
Limit the number of display rows
If the previous command displays too much information that is difficult to evaluate, you can lower the number of lines. This is due to the -n option. Here is an example of a command with a 4-line limit:
last -n 4
There are various more ways to input the option:
last -4 last --limit 4
View a specific day’s history
The -p option will not get the intended result since it only displays information about sessions at a certain time. As a result, the -s and -t options will be used. They choose when information collection should begin and conclude. As an example, consider the 17th of February 2022. The current date is -s. The next day is shown for -t:
last -s 2022-02-17 -t 2022-02-18
Take note of the date input format. If we’re talking about yesterday, you may substitute yesterday for the first number, and today for the second:
last -s yesterday -t today
To display information for today, set -s to today, and do not use -t:
last -s today
Instead of inputting the date, you can specify -ndays, and instead of n, provide the number of days to roll back. The command to examine data stored 6 days ago will look like this:
last -s -6days -t -5days
History for a specific period
The -s and -t options will be utilized, as in the preceding example. This time, though, you can choose any time interval. The data input formats remain the same. As an example, let’s take the time from 2022-02-18 to 2022-02-23:
last -s 2022-02-18 -t 2022-02-24
Because the data report is gathered from the beginning of the day, we provide the 24th for -t (00:00 on the clock). You may also provide the precise time for the beginning and ending points. The date and time should be given in a slightly different format in this case:
- YYYY-MM-DD hh:mm:ss
- YYYY-MM-DD hh:mm
Here is an example of a team during the time period February 17 04:57 to February 19 08:15:
last -s '2022-02-17 04:57' -t '2022-02-19 08:15'
Output the Host and Username (header 3) (-i / -r)
The user name is displayed in the first column by default, while the hostname is displayed in the third.
However, they may not be recorded in their entirety. Use the -w option to solve this:
When the -a option is used, the hostname is moved to the end:
The -i option is handy for displaying a list of remote access sessions. It replaces the hostname with the user’s IP address:
Let’s not forget about the -R option. When you type it, the last command does not show a column containing the hostname:
Full time output
The start and finish timings of a session are first recorded in a brief style. The -F option provides more comprehensive information:
I’d also want to bring up the —time-format option. You may use it to entirely disable the display of the date and time, except for the length of the session:
last --time-format notime
In addition, the following output format will be beneficial while examining remote connection sessions:
last --time-format iso
It records the time and date in accordance with the ISO-8601 standard. In this instance, the connected user’s time zone is presented individually.
In Linux, all reboots are indicated as a reboot user action in the last command. The -x option is also useful for obtaining full information on all session terminations:
We previously discussed what shutdown and runlevel users are accountable for at the start of the essay. As a result, we will not concentrate on them.
History of failed logins
The /var/log/btmp file stores the history of unsuccessful logins. Use the lastb command to easily access it. However, it should be done with the privileges of a super-user:
Otherwise, the choices and syntax are the same.
In this post, we discussed the capabilities and intricacies of the final Linux command. You will be able to see the history of system logins and logouts for all users with its assistance. This includes connecting to a PC remotely.