
If you are managing a multi-user system, you need to know who, when, and from which users are logging on to the machine.
last
is a command line utility that displays information about the last login session of the system user. This is especially useful when you need to track user activity or investigate possible system breaches.
This article describes how to audit who logged into the system using commands last
.
How to Use Commands last
Syntax for commands last
is as follows:
last [OPTIONS] [USER] [...]
Every time a user logs into the system, a record for that login session is written to a file /var/log/wtmp
. Command last
reads the wtmp file and prints out information about the login and logout of the user. Notes are printed in reverse chronological order, starting with the most recent.
When last
called without any options or arguments, the result will look like this:
rudi pts/0 10.10.0.7 Fri Feb 21 21:23 still logged in rudi pts/0 10.10.0.7 Tue Feb 18 22:34 - 00:05 (01:31) lisa :0 :0 Thu Feb 13 09:19 gone - no logout reboot system boot 4.15.0-74-g Fri Jan 24 08:03 - 08:03 (00:00) ...
Each line of output contains the following columns from left to right:
- Username. When the system reboots or shuts down,
last
show usersreboot
andshutdown
. tty
where the session takes place.:0
means that the user is logged into the desktop environment.- The IP address or hostname where the user is logged in.
- Session start and stop.
- Session duration. If the session is still active or the user is not logged out,
last
will display information about the session, not the duration of the session.
To restrict output to a specific user or tty, pass the username or tty as an argument to the command last
:
last rudi last pts/0
You can also specify multiple usernames and as arguments:
last rudi root pts/0
Command Options last
last
accepts several options that allow you to limit, format, and filter the output. In this section, we will cover the most common.
To specify the number of lines you want to print on the command line, provide a number starting with a dash for the command last
. For example, to print only the last ten login sessions, the command you would type:
last -10
With options -p
( --present
), you can find out who logged into the system on a certain date.
last -p 2021-06-22

Use option -s
( --since
) and -t
( --until
) to inform the order last
to display rows since or until the specified time. These two options are often used together to specify the time interval for which you want the information to be retrieved. For example, to display login records from February 13 to February 18, the command you would run:
last -s 2020-02-13 -u 2020-02-18
For options -p
, -s
and -t
can be specified in the following format:
YYYYMMDDhhmmss YYYY-MM-DD hh:mm:ss YYYY-MM-DD hh:mm (seconds will be set to 00) YYYY-MM-DD (time will be set to 00:00:00) hh:mm:ss (date will be set to today) hh:mm (date will be set to today, seconds to 00) now yesterday (time is set to 00:00:00) today (time is set to 00:00:00) tomorrow (time is set to 00:00:00) +5min -5days
By default, last
does not show seconds and year. Use option -F
, --full times
to view the full entry and exit times and dates:
last -F

Option -i
( --ip
) compel last
to always display the IP address, and -d
( --dns
) to display the hostname
last -i

Conclusion
Command last
prints information about user login and logout times. For more information about this command, type man last
in your terminal.
Leave a Reply