If you are managing a multiuser system, you’ll often need to know who, when, and from where logged into the machine.
last is a command-line utility that displays information about the last login sessions of the system users. It is very useful when you need to track user activity or investigate a possible security breach.
This article explains how to audit who logged into the system using the
How to Use the
The syntax for the
last command is as follows:
last [OPTIONS] [USER] [<TTY>...]
Each time a user logs into the system, a record for that session is written to the
last reads the file
wtmp file and prints information about the logins and logouts of the users. Records are printed in reverse time order, starting from the most recent ones.
last is invoked without any option or argument, the output looks something like this:
mark pts/0 10.10.0.7 Fri Feb 21 21:23 still logged in mark pts/0 10.10.0.7 Tue Feb 18 22:34 - 00:05 (01:31) lisa :0 :0 Thu Feb 13 09:19 gone - no logout reboot system boot 4.15.0-74-g Fri Jan 24 08:03 - 08:03 (00:00) ...
Each line of output contains the following columns from left to right:
- The user name. When the system reboots or shuts down,
lastshows the special users
- The tty on which the session took place.
:0usually means that the user was logging in to a desktop environment.
- The IP address or the hostname from which the user logged in.
- The session start and stop times.
- The duration of the session. If the session is still active or the user didn’t logout, last will show information about that instead of the duration.
To restrict the output to a specific user or tty, pass the user name or tty as an argument to the
You can also specify multiple usernames and ttys as arguments:
last mark root pts/0
last Command Options
last accepts several options that allow you to limit, format, and filter the output. In this section, we’ll cover the most common ones.
To specify the number of lines you’d like to be printed on the command line, pass the number preceded by a single hyphen to
last. For example, to print only the last ten login sessions you would type:
--present) option, you can find out who logged into the system on a specific date.
last -p 2020-01-15
--until) option to tell
last to display the lines since or until the specified time. These two options are often used together to define a time interval for which you want the information to be retrieved. For example to display the login records from Feb 13 to Feb 18, you would run:
last -s 2020-02-13 -u 2020-02-18
The time passed to the
-t options can be specified in the following formats:
YYYYMMDDhhmmss YYYY-MM-DD hh:mm:ss YYYY-MM-DD hh:mm (seconds will be set to 00) YYYY-MM-DD (time will be set to 00:00:00) hh:mm:ss (date will be set to today) hh:mm (date will be set to today, seconds to 00) now yesterday (time is set to 00:00:00) today (time is set to 00:00:00) tomorrow (time is set to 00:00:00) +5min -5days
last doesn’t show the seconds and the year. Use the
--fulltimes option to view full login and logout times and dates:
--ip) option forces
last to always show IP address, and the
--dns) to show hostnames:
last command prints information about the users’ login and logout times. For more information about the command, type
man last in your terminal.
If you have any questions, please leave a comment below.