
Who, when and from where? Good security practices say that you should know who has been accessing your Linux computer. We show you how.
The wtmp file
Linux and other Unix-like operating systems, such as macOS, are very good at logging. Somewhere in the bowels of the system there is a record of almost everything you can think of. The log file that interests us is called wtmp. The “w” might stand for “when” or “who”; nobody seems to agree. The “tmp” part might stand for “temporary”, or it might stand for “temporal”.
What we do know is that wtmp is a log that captures and records all login and logout events. Reviewing the data in the wtmp log is a basic step in taking a security-based approach to your system administration tasks. For a typical family computer it may not be as critical from a security point of view, but it is still interesting to be able to review the combined use of the computer.
Unlike many of the text-based log files in Linux, wtmp is a binary file. To access the data it contains, we need to use a tool designed for that task.
That tool is the last command.
The last command
The last command reads data from the wtmp log and displays it in a terminal window.
If you type last and press Enter, all records from the log file are shown.
last
Each record in wtmp is displayed in the terminal window.
From left to right, each line contains:
- the username of the person who logged in.
- the terminal they were connected to. A terminal entry of :0 means they logged into the Linux computer itself.
- the IP address of the machine they connected from.
- the date and time stamp of the login.
- the duration of the session.
The last line tells us the date and time of the earliest session recorded in the log.
A login entry for the pseudo-user ‘reboot’ is written to the log each time the computer is started. The terminal field is replaced with the kernel version. The length of the logged-in session for these entries represents the uptime of the computer.
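Because wtmp is binary, the fields described above are not visible with a text viewer. The following added example (not code from the original article) reads the record layout directly and reconstructs what last shows: login/logout pairs on the same terminal become sessions, a boot record becomes the ‘reboot’ pseudo-user, and a login with no matching logout is “still logged in”. It assumes the glibc x86_64 Linux record layout and uses a constructed sample log rather than a real wtmp file.

```python
import struct
from datetime import datetime, timezone

# Layout of one glibc utmp record on x86_64 Linux (little-endian, 384 bytes,
# 32-bit time fields). Other architectures can differ: check sizeof(struct utmp).
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)              # 384
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8    # ut_type values from <utmp.h>

def _cstr(raw):
    return raw.split(b"\0", 1)[0].decode(errors="replace")

def parse_records(data):
    """Yield (ut_type, line, user, host, tv_sec) for every record in a wtmp blob."""
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        yield f[0], _cstr(f[2]), _cstr(f[4]), _cstr(f[5]), f[9]

def sessions(data):
    """Pair each USER_PROCESS login with the next DEAD_PROCESS on the same tty,
    as last does. Returns (user, line, host, start_ts, duration_seconds_or_None)."""
    out, open_logins = [], {}
    for typ, line, user, host, ts in parse_records(data):
        if typ == BOOT_TIME:                       # shown by last as user 'reboot'
            out.append(("reboot", line, host, ts, None))
        elif typ == USER_PROCESS:
            open_logins[line] = (user, host, ts)
        elif typ == DEAD_PROCESS and line in open_logins:
            user, host, start = open_logins.pop(line)
            out.append((user, line, host, start, ts - start))
    for line, (user, host, start) in open_logins.items():   # no logout: still logged in
        out.append((user, line, host, start, None))
    return out

def make_record(typ, line, user, host, ts):
    """Build one constructed utmp record (sample data, not from a real wtmp)."""
    return struct.pack(UTMP_FMT, typ, 0, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, ts, 0, 0, 0, 0, 0)

# Constructed sample log: a boot, a one-hour ssh session, and an open console login.
T = int(datetime(2019, 5, 26, 9, 30, tzinfo=timezone.utc).timestamp())
SAMPLE_WTMP = b"".join([
    make_record(BOOT_TIME, "~", "reboot", "5.0.0-15-generic", T - 600),
    make_record(USER_PROCESS, "pts/0", "dave", "192.168.1.20", T),
    make_record(DEAD_PROCESS, "pts/0", "", "", T + 3600),
    make_record(USER_PROCESS, ":0", "mary", "", T + 60),
])
```

Calling sessions(SAMPLE_WTMP) yields the reboot record, dave's 3600-second session from 192.168.1.20, and mary's :0 login with no end time; point parse_records at the bytes of /var/log/wtmp to read a real log.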
Show a specific number of lines
Using the last command alone produces a dump of the entire log, with most of it scrolling past the terminal window. The part that remains visible is the earliest data in the log. This is probably not what you wanted to see.
You can tell last to give you a specific number of lines of output. Do this by providing the number of lines you want on the command line. Note the hyphen. To see five lines, you must type -5 and not 5:
last -5
This gives the first five lines of the log, which are the most recent records.
Show network names for remote users
The -d (Domain Name System) option tells last to try to resolve remote users' IP addresses to a hostname or network name.
last -d
It is not always possible for last to convert an IP address to a network name, but the command will do so whenever it can.
Hide IP addresses and network names
If you are not interested in the IP address or the network name, use the -R (no hostname) option to suppress this field.
Because this gives a neater output without unsightly line wrapping, this option has been used in all the following examples. If you were using last to try to identify unusual or suspicious activity, you should not suppress this field.
Choose records by date
You can use the -s (since) option to restrict the output to show only login events that occurred from a specific date onwards.
If you only wanted to see the login events that took place from 26 May 2019 onwards, you would use the following command:
last -R -s 2019-05-26
The output shows logs with login events that occurred from the time 00:00 of the specified day, up to the most recent records in the log file.
Specifying an end date
You can use the -t (until) option to specify an end date. This lets you select the set of login records that occurred between two dates of interest.
Combining -s and -t asks last to retrieve and display the login records from 00:00 (midnight) on the 26th until 00:00 (midnight) on the 27th. This narrows the list to the login sessions that took place on the 26th only.
Date and time formats
You can use both times and dates with the -s and -t options.
The different date and time formats that can (supposedly) be used with the last command are:
- YYYYMMDDhhmmss
- YYYY-MM-DD hh:mm:ss
- YYYY-MM-DD hh:mm – seconds are set to 00
- YYYY-MM-DD – the time is set to 00:00:00
- hh:mm:ss – the date is set to today
- hh:mm – the date is set to today, seconds to 00
- now
- yesterday – the time is set to 00:00:00
- today – the time is set to 00:00:00
- tomorrow – the time is set to 00:00:00
- +5min
- -5days
Why 'supposedly'?
The second and third formats in the list did not work during the research for this article. The commands were tested on Ubuntu, Fedora and Manjaro, which are derived from the Debian, Red Hat and Arch distributions, respectively. That covers all the major Linux distribution families.
last -R -s 2019-05-26 11:00 -t 2019-05-27 13:00
As you can see, the command did not return any records.
Using the first datetime format in the list, with the same date and time as the command above, does return records:
last -R -s 20190526110000 -t 20190527130000
Search by relative units
You can also specify periods of time measured in minutes or days, relative to the current date and time. Here we are requesting records from two days ago up to one day ago.
last -R -s -2days -t -1days
Yesterday, today and now
You can use yesterday and today as shorthand for yesterday's date and today's date.
last -R -s yesterday -t today
Note that this does not include any records for today. That is the expected behavior. The command requests records from the start date up to the end date; it does not include records falling within the end date itself.
The now shorthand means the current moment. To view the login events that have occurred since 00:00 (midnight) up to the moment you issue the command, use this command:
last -R -s today -t now
This will show all login events up to the current time, including those that are still connected.
The present option
The -p (present) option lets you find out who was logged in at a specific time.
It doesn't matter when they logged in or out: if they were logged into the computer at the time you specify, they will be included in the list.
If you specify a time without a date, last assumes today.
last -R -p 09:30
People who are still logged in (obviously) have no logout time; they are described as still logged in. If the computer has not been rebooted since the time you specify, it will appear as still running.
If you use the now shorthand with the -p (present) option, you can find out who is logged in at the moment you issue the command.
last -R -p now
This is a somewhat long-winded way to achieve what the who command gives you directly.
The lastb command
The lastb command deserves a mention. It reads data from a log called btmp. There is a bit more consensus about this log's name: the ‘b’ means bad, but the ‘tmp’ part is still up for debate.
lastb lists the bad (failed) login attempts. It accepts the same options as last. Because they were failed login attempts, all entries will have a duration of 00:00.
You must use sudo with lastb.
sudo lastb -R
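Failed login attempts become much more useful once they are aggregated. The following added example (not code from the original article) parses constructed sample output from sudo lastb -R and flags any account that accumulates several failures within a short window, the kind of burst that usually means password guessing rather than a mistyped password. It assumes the sample lines are from 2019, because lastb does not print the year.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of `sudo lastb -R` output (host column suppressed); not a real log.
SAMPLE_LASTB = """\
root     ssh:notty    Sun May 26 09:31 - 09:31  (00:00)
root     ssh:notty    Sun May 26 09:31 - 09:31  (00:00)
root     ssh:notty    Sun May 26 09:32 - 09:32  (00:00)
root     ssh:notty    Sun May 26 09:32 - 09:32  (00:00)
admin    ssh:notty    Sun May 26 09:33 - 09:33  (00:00)
dave     tty2         Sun May 26 18:05 - 18:05  (00:00)

btmp begins Sat May 25 00:00:01 2019
"""

# user, tty, then the "Sun May 26 09:31" login timestamp at the start of each line
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\w{3} \w{3} +\d+ \d\d:\d\d)")

def parse_lastb(text, year=2019):
    """Return (user, tty, datetime) for each failed-login line.
    lastb prints no year, so the caller supplies it (assumed 2019 for the sample)."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or line.startswith("btmp begins"):   # skip blanks and the trailer
            continue
        when = datetime.strptime(f"{m.group(3)} {year}", "%a %b %d %H:%M %Y")
        entries.append((m.group(1), m.group(2), when))
    return entries

def bursts(entries, threshold=3, window_minutes=5):
    """Map user -> largest number of failures seen inside any window_minutes span,
    for users that reach the threshold."""
    by_user = defaultdict(list)
    for user, _tty, when in entries:
        by_user[user].append(when)
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and (times[j] - times[i]).total_seconds() <= window_minutes * 60:
                j += 1
            if j - i >= threshold:
                flagged[user] = max(flagged.get(user, 0), j - i)
    return flagged
```

On the sample, bursts(parse_lastb(SAMPLE_LASTB)) flags only root, with four failures inside five minutes; run lastb without -R in practice so the source address is available for the next step of the investigation.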
The last word on the matter
Knowing who is logged into your Linux computer, and when and from where, is useful information. Combining it with the details of failed login attempts gives you the first steps in investigating suspicious behavior.