last Command

 

As a server administrator, you should check last login history to identify whoever logged into the system recently.

Linux is a multi-user operating system and more than one user can be logged into a system at the same time.

It’s keeping bunch of useful information about the users activity such as username, name of the terminal connected, source IP, date and time.

Also, it will show you how long the user being logged into the system.

It will help us to analyze some of the issues. Say for example, if some files get removed in the particular time then we can ask the users whoever logged into the system on the particular time.

Alternatively, we can check these information using aureport tool that produces summary reports of the audit system logs.

Similarly we can use these information for other purpose as well. Is there any anonymous login attempts are found or not.

Also, from which IP address the user has accessed the system.

These information (last login, current login and bad login attempts) can be fetched from the following files.

utmp & wtmp files contains logs for login and logout. These are binary files and we can’t able to see with any text editor.

It’s located on /etc/log directory.

• /var/run/utmp: It contains information about the users who are currently logged onto the system. Who command is used to fetch the information from the file.
• /var/log/wtmp: It contains historical utmp. It keeps the users login and logout history. The last command uses this file to display the information.
• /var/log/btmp: It contains bad login attempts.

What Is last Command?

Last searches back through the file /var/log/wtmp and displays a list of all users logged in (and out) since that file was created.

What Is lastb Command?

Lastb is the same as last, except that by default it shows a log of the file /var/log/btmp, which contains all the bad login attempts.

Difference between pts and tty?

You may see pts and tty when you use the who command, do you know what it is? how they are different?

• A tty is a native terminal device (It could be a server/system console).
• A pty (pseudo terminal device) is a terminal device which is emulated by an other program such as putty, xterm or screen, etc,.

How To Check Login History In Linux Using last Command?

The last command fetch the details from the /var/log/wtmp file and it displays the list of users logged-in and logged-out from system.

If the file has more data then use less or more command to view the information page wise.

# last -15

daygeek  pts/0        192.168.1.6      Wed Apr  3 00:02   still logged in   
reboot   system boot  3.10.0-957.el7.x Tue Apr  2 23:50 - 00:03  (00:13)    
daygeek  pts/0        192.168.1.6      Tue Apr  2 06:02 - 06:02  (00:00)    
reboot   system boot  3.10.0-957.el7.x Tue Apr  2 06:00 - 00:03  (18:03)    
daygeek  pts/1        192.168.1.6      Sat Mar 30 10:05 - 00:18  (14:13)    
daygeek  pts/0        192.168.1.6      Sat Mar 30 04:14 - 11:21  (07:07)    
reboot   system boot  3.10.0-957.el7.x Sat Mar 30 04:03 - 00:03 (3+20:00)   
ladmin   pts/2        192.168.1.6      Fri Mar 29 02:19 - 04:30  (02:11)    
user2    pts/2        192.168.1.6      Fri Mar 29 02:10 - 02:10  (00:00)    
user1    pts/2        192.168.1.6      Fri Mar 29 02:10 - 02:10  (00:00)    
user3    pts/2        192.168.1.6      Fri Mar 29 02:01 - 02:10  (00:08)    
daygeek  pts/1        192.168.1.6      Fri Mar 29 01:48 - crash (1+02:14)   
daygeek  pts/0        192.168.1.6      Fri Mar 29 01:38 - crash (1+02:24)   
reboot   system boot  3.10.0-957.el7.x Fri Mar 29 01:31 - 00:03 (4+22:31)   
reboot   system boot  3.10.0-957.el7.x Thu Mar 28 16:05 - 00:03 (5+07:58)

How To Check Login History For Particular User In Linux Using last Command?

Just add the desired user name followed by the last command to get the details.

# last [User_Name]

# last daygeek

daygeek  pts/0        192.168.1.6      Wed Apr  3 00:02   still logged in   
daygeek  pts/0        192.168.1.6      Tue Apr  2 06:02 - 06:02  (00:00)    
daygeek  pts/1        192.168.1.6      Sat Mar 30 10:05 - 00:18  (14:13)    
daygeek  pts/0        192.168.1.6      Sat Mar 30 04:14 - 11:21  (07:07)    
daygeek  pts/1        192.168.1.6      Fri Mar 29 01:48 - crash (1+02:14)   
daygeek  pts/0        192.168.1.6      Fri Mar 29 01:38 - crash (1+02:24)   
daygeek  pts/1        daygeek-y700     Thu Mar 28 02:27 - 05:27  (03:00)    
daygeek  pts/0        :0               Thu Mar 28 02:26 - crash  (13:39)    
daygeek  :0           :0               Thu Mar 28 02:26 - crash  (13:39)    
daygeek  pts/2        192.168.1.6      Thu Mar 28 01:53 - crash  (00:29)    
daygeek  pts/0        192.168.1.6      Thu Mar 28 00:51 - crash  (01:31)    
daygeek  pts/1        192.168.1.6      Wed Mar 27 05:04 - crash  (21:18)    
daygeek  pts/0        192.168.1.6      Tue Mar 26 21:45 - 00:51 (1+03:05)   
daygeek  pts/0        192.168.1.6      Tue Mar 19 02:59 - crash (7+18:36)   
daygeek  pts/1        192.168.1.6      Tue Mar 19 02:37 - crash (7+18:58)   
daygeek  pts/0        192.168.1.6      Tue Mar 19 02:36 - 02:45  (00:09)    
daygeek  pts/1        192.168.1.6      Mon Mar 18 16:21 - 16:22  (00:00)    

How To Check Login History For Particular Period In Linux Using last Command?

If you would like to check who was logged in the system for particular period then use the following format.

#  last -F | grep -E 'Mar ([ 1-9]|1[0-9]|2[0-9]|30)' | grep 2019

daygeek  pts/0        192.168.1.6      Sat Mar 30 04:14:54 2019 - Sat Mar 30 11:21:57 2019  (07:07)    
reboot   system boot  3.10.0-957.el7.x Sat Mar 30 04:03:20 2019 - Wed Apr  3 00:09:13 2019 (3+20:05)   
ladmin   pts/2        192.168.1.6      Fri Mar 29 02:19:13 2019 - Fri Mar 29 04:30:25 2019  (02:11)    
user2    pts/2        192.168.1.6      Fri Mar 29 02:10:38 2019 - Fri Mar 29 02:10:50 2019  (00:00)    
user1    pts/2        192.168.1.6      Fri Mar 29 02:10:22 2019 - Fri Mar 29 02:10:30 2019  (00:00)    
user3    pts/2        192.168.1.6      Fri Mar 29 02:01:13 2019 - Fri Mar 29 02:10:01 2019  (00:08)    
daygeek  pts/1        192.168.1.6      Fri Mar 29 01:48:21 2019 - crash                    (1+02:14)   
root     pts/0        192.168.1.3      Tue Mar 19 02:49:09 2019 - Tue Mar 19 02:50:25 2019  (00:01)    
daygeek  pts/0        192.168.1.6      Tue Mar 19 02:36:14 2019 - Tue Mar 19 02:45:25 2019  (00:09)    
reboot   system boot  3.10.0-957.el7.x Tue Mar 19 02:33:54 2019 - Wed Apr  3 00:09:13 2019 (14+21:35)  
user2    pts/2        192.168.1.6      Mon Mar 18 16:03:13 2019 - Mon Mar 18 18:29:45 2019  (02:26)    
daygeek  pts/1        192.168.1.6      Mon Mar 18 15:59:52 2019 - Mon Mar 18 16:19:51 2019  (00:19)    
reboot   system boot  3.10.0-957.el7.x Mon Mar 18 15:52:47 2019 - Mon Mar 18 18:29:46 2019  (02:36)    
user2    pts/0        192.168.1.6      Sun Mar 17 07:30:29 2019 - crash                    (1+08:22)   
user1    pts/0        192.168.1.6      Sun Mar 17 07:09:30 2019 - Sun Mar 17 07:21:51 2019  (00:12)    
root     pts/0        192.168.1.6      Fri Mar 15 16:32:43 2019 - Fri Mar 15 16:33:54 2019  (00:01)    
user2    pts/0        192.168.1.6      Fri Mar 15 16:08:23 2019 - Fri Mar 15 16:08:24 2019  (00:00)    
root     pts/0        192.168.1.6      Fri Mar 15 01:45:10 2019 - down                      (00:01)    
reboot   system boot  3.10.0-957.el7.x Fri Mar 15 01:42:46 2019 - Fri Mar 15 01:46:37 2019  (00:03)    
root     pts/1        192.168.1.6      Sun Mar 10 10:17:51 2019 - Sun Mar 10 10:17:53 2019  (00:00)    
reboot   system boot  3.10.0-957.el7.x Sun Mar 10 03:28:14 2019 - Fri Mar 15 01:46:37 2019 (4+22:18)   
daygeek  pts/0        192.168.1.6      Wed Mar  6 08:03:29 2019 - crash                    (3+18:24)   
reboot   system boot  3.10.0-957.el7.x Wed Mar  6 07:57:47 2019 - Fri Mar 15 01:46:37 2019 (8+16:48)   
daygeek  pts/2        192.168.1.6      Mon Mar  4 08:40:14 2019 - Mon Mar  4 08:40:17 2019  (00:00)    
daygeek  :0           :0               Mon Mar  4 06:02:41 2019 - crash                    (2+01:55)

For Particular user, use the following format.

# last -F root | grep -E 'Mar ([ 1-9]|1[0-9]|2[0-9]|30)' | grep 2019

root     pts/0        192.168.1.3      Tue Mar 19 02:49:09 2019 - Tue Mar 19 02:50:25 2019  (00:01)    
root     pts/0        192.168.1.6      Tue Mar 19 02:45:46 2019 - Tue Mar 19 02:46:09 2019  (00:00)    
root     pts/1        192.168.1.3      Mon Mar 18 18:29:18 2019 - Mon Mar 18 18:29:25 2019  (00:00)    
root     pts/1        192.168.1.3      Mon Mar 18 18:21:34 2019 - Mon Mar 18 18:27:47 2019  (00:06)    
root     pts/1        192.168.1.3      Mon Mar 18 18:19:09 2019 - Mon Mar 18 18:21:24 2019  (00:02)    
root     pts/1        192.168.1.3      Mon Mar 18 16:28:46 2019 - Mon Mar 18 16:28:48 2019  (00:00)    
root     pts/1        192.168.1.3      Mon Mar 18 16:23:54 2019 - Mon Mar 18 16:24:15 2019  (00:00)    
root     pts/1        192.168.1.3      Mon Mar 18 16:22:53 2019 - Mon Mar 18 16:23:06 2019  (00:00)    
root     pts/3        192.168.1.7      Mon Mar 18 16:21:38 2019 - Mon Mar 18 16:21:40 2019  (00:00)    
root     pts/1        192.168.1.6      Mon Mar 18 16:20:07 2019 - Mon Mar 18 16:20:30 2019  (00:00)    
root     pts/0        192.168.1.6      Fri Mar 15 16:32:43 2019 - Fri Mar 15 16:33:54 2019  (00:01)    
root     pts/0        192.168.1.6      Fri Mar 15 01:47:12 2019 - crash                     (13:33)    
root     pts/0        192.168.1.6      Fri Mar 15 01:45:10 2019 - down                      (00:01)    
root     pts/1        192.168.1.6      Sun Mar 10 10:17:51 2019 - Sun Mar 10 10:17:53 2019  (00:00)    
root     pts/1        192.168.1.6      Sun Mar 10 10:16:08 2019 - Sun Mar 10 10:16:11 2019  (00:00)    
root     pts/1        192.168.1.6      Sun Mar 10 10:15:18 2019 - Sun Mar 10 10:15:42 2019  (00:00)    

How To Check Login History Based On Terminal Connected In Linux Using last Command?

To print the user based on the terminal connected. Use the following format.

# last pts/2

ladmin   pts/2        192.168.1.6      Fri Mar 29 02:19 - 04:30  (02:11)    
user2    pts/2        192.168.1.6      Fri Mar 29 02:10 - 02:10  (00:00)    
user1    pts/2        192.168.1.6      Fri Mar 29 02:10 - 02:10  (00:00)    
user3    pts/2        192.168.1.6      Fri Mar 29 02:01 - 02:10  (00:08)    
daygeek  pts/2        192.168.1.6      Thu Mar 28 01:53 - crash  (00:29)    
user2    pts/2        192.168.1.6      Mon Mar 18 16:03 - 18:29  (02:26)    
daygeek  pts/2        192.168.1.6      Mon Mar  4 08:40 - 08:40  (00:00)

How To Check Bad Login History In Linux Using lastb Command?

Lastb is the same as last but it will print the bad login attempts. Since the output was archived in the different file so, i have picked the corresponding file to check the details.

# lastb

# lastb -f /var/log/btmp-20190402

user1    ssh:notty    192.168.1.6      Fri Mar 29 02:17 - 02:17  (00:00)    
ladmin   ssh:notty    192.168.1.6      Fri Mar 29 02:12 - 02:12  (00:00)    
user2    ssh:notty    192.168.1.6      Fri Mar 29 02:00 - 02:00  (00:00)    
user1    ssh:notty    192.168.1.6      Fri Mar 29 01:53 - 01:53  (00:00)    
daygeek  :0           :0               Thu Mar 28 02:26 - 02:26  (00:00)    
root     ssh:notty    192.168.1.3      Tue Mar 19 02:50 - 02:50  (00:00)    
daygeekk ssh:notty    192.168.1.6      Tue Mar 19 02:37 - 02:37  (00:00)    
daygeekk ssh:notty    192.168.1.6      Tue Mar 19 02:37 - 02:37  (00:00)    
daygeekk ssh:notty    192.168.1.6      Tue Mar 19 02:36 - 02:36  (00:00)    
root     ssh:notty    192.168.1.3      Mon Mar 18 18:15 - 18:15  (00:00)    
root     ssh:notty    192.168.1.3      Mon Mar 18 18:14 - 18:14  (00:00)    
root     ssh:notty    192.168.1.3      Mon Mar 18 18:09 - 18:09  (00:00)    
root     ssh:notty    192.168.1.3      Mon Mar 18 18:05 - 18:05  (00:00)    
user1    ssh:notty    192.168.1.3      Mon Mar 18 16:31 - 16:31  (00:00)    
user1    ssh:notty    192.168.1.3      Mon Mar 18 16:30 - 16:30  (00:00)    
user1    ssh:notty    192.168.1.3      Mon Mar 18 16:30 - 16:30  (00:00)    
root     ssh:notty    192.168.1.3      Mon Mar 18 16:29 - 16:29  (00:00)    
root     ssh:notty    192.168.1.3      Mon Mar 18 16:25 - 16:25  (00:00)    
root     ssh:notty    192.168.1.3      Mon Mar 18 16:25 - 16:25  (00:00)    
root     pts/1                         Mon Mar 18 16:00 - 16:00  (00:00)    
user2    ssh:notty    192.168.1.6      Sun Mar 17 07:22 - 07:22  (00:00)    
root     ssh:notty    192.168.1.6      Sun Mar 10 10:15 - 10:15  (00:00)    

btmp-20190402 begins Sun Mar 10 10:15:14 2019

Run the following format to display hostnames in the last column.

# last -10 -a

daygeek  pts/0        Wed Apr  3 00:02   still logged in    192.168.1.6
reboot   system boot  Tue Apr  2 23:50 - 00:28  (00:38)     3.10.0-957.el7.x86_64
daygeek  pts/0        Tue Apr  2 06:02 - 06:02  (00:00)     192.168.1.6
reboot   system boot  Tue Apr  2 06:00 - 00:28  (18:28)     3.10.0-957.el7.x86_64
daygeek  pts/1        Sat Mar 30 10:05 - 00:18  (14:13)     192.168.1.6
daygeek  pts/0        Sat Mar 30 04:14 - 11:21  (07:07)     192.168.1.6
reboot   system boot  Sat Mar 30 04:03 - 00:28 (3+20:25)    3.10.0-957.el7.x86_64
ladmin   pts/2        Fri Mar 29 02:19 - 04:30  (02:11)     192.168.1.6
user2    pts/2        Fri Mar 29 02:10 - 02:10  (00:00)     192.168.1.6
user1    pts/2        Fri Mar 29 02:10 - 02:10  (00:00)     192.168.1.6

wtmp begins Fri Feb 15 16:03:13 2019

Run the following format to suppress the hostname field.

# last -10 -R

daygeek  pts/0        Wed Apr  3 00:02   still logged in   
reboot   system boot  Tue Apr  2 23:50 - 00:29  (00:38)    
daygeek  pts/0        Tue Apr  2 06:02 - 06:02  (00:00)    
reboot   system boot  Tue Apr  2 06:00 - 00:29  (18:29)    
daygeek  pts/1        Sat Mar 30 10:05 - 00:18  (14:13)    
daygeek  pts/0        Sat Mar 30 04:14 - 11:21  (07:07)    
reboot   system boot  Sat Mar 30 04:03 - 00:29 (3+20:25)   
ladmin   pts/2        Fri Mar 29 02:19 - 04:30  (02:11)    
user2    pts/2        Fri Mar 29 02:10 - 02:10  (00:00)    
user1    pts/2        Fri Mar 29 02:10 - 02:10  (00:00)

wtmp begins Fri Feb 15 16:03:13 2019

Run the following format to display system shutdown entries and run level changes.

# last -10 -x

daygeek  pts/0        192.168.1.6      Wed Apr  3 00:02   still logged in   
runlevel (to lvl 5)   3.10.0-957.el7.x Tue Apr  2 23:52 - 00:30  (00:37)    
reboot   system boot  3.10.0-957.el7.x Tue Apr  2 23:50 - 00:30  (00:40)    
daygeek  pts/0        192.168.1.6      Tue Apr  2 06:02 - 06:02  (00:00)    
runlevel (to lvl 5)   3.10.0-957.el7.x Tue Apr  2 06:00 - 23:52  (17:52)    
reboot   system boot  3.10.0-957.el7.x Tue Apr  2 06:00 - 00:30  (18:30)    
daygeek  pts/1        192.168.1.6      Sat Mar 30 10:05 - 00:18  (14:13)    
daygeek  pts/0        192.168.1.6      Sat Mar 30 04:14 - 11:21  (07:07)    
runlevel (to lvl 5)   3.10.0-957.el7.x Sat Mar 30 04:03 - 06:00 (3+01:56)   
reboot   system boot  3.10.0-957.el7.x Sat Mar 30 04:03 - 00:30 (3+20:27)   

wtmp begins Fri Feb 15 16:03:13 2019

Alternatively, this can be verified via /var/log/secure and /var/log/auth.log file.

For RHEL based systems.

# cat /var/log/secure-20190331 | grep Accepted | awk '{print $1,$2,$3,$9}'

Mar 29 01:38:41 daygeek
Mar 29 01:48:21 daygeek
Mar 29 02:01:13 user3
Mar 29 02:10:21 user1
Mar 29 02:10:38 user2
Mar 29 02:19:13 ladmin
Mar 30 04:14:54 daygeek
Mar 30 10:05:02 daygeek

For Ubuntu based systems.

# cat /var/log/auth.log | grep Accepted | awk '{print $1,$2,$3,$9}'

For failed attempts.

# cat /var/log/secure-20190331 | grep Failed | awk '{print $1,$2,$3,$11}'

Mar 29 01:53:48 user1
Mar 29 02:00:43 user2
Mar 29 02:12:58 ladmin
Mar 29 02:17:41 user1

The lastlog command reports the most recent login of all users. This is very useful if you would like to check which users are not login the server more than 30 to 60 days.

# lastlog

Username         Port     From             Latest
root             pts/0                     Sat Mar 30 08:04:27 -0500 2019
bin                                        **Never logged in**
daemon                                     **Never logged in**
adm                                        **Never logged in**
lp                                         **Never logged in**
sync                                       **Never logged in**
shutdown                                   **Never logged in**
halt                                       **Never logged in**
mail                                       **Never logged in**
ftp                                        **Never logged in**
nobody                                     **Never logged in**
systemd-network                            **Never logged in**
dbus                                       **Never logged in**
rpcuser                                    **Never logged in**
nfsnobody                                  **Never logged in**
chrony                                     **Never logged in**
qemu                                       **Never logged in**
tss                                        **Never logged in**
ntp                                        **Never logged in**
sssd                                       **Never logged in**
gdm              :0                        Tue Apr  2 23:52:49 -0500 2019
gnome-initial-setup                           **Never logged in**
sshd                                       **Never logged in**
avahi                                      **Never logged in**
postfix                                    **Never logged in**
tcpdump                                    **Never logged in**
daygeek          pts/0    192.168.1.6      Wed Apr  3 00:02:50 -0500 2019
user1            pts/2    192.168.1.6      Fri Mar 29 02:10:22 -0500 2019
cat                                        **Never logged in**
user2            pts/2    192.168.1.6      Fri Mar 29 02:10:38 -0500 2019
apache                                     **Never logged in**
mysql                                      **Never logged in**
user3            pts/2    192.168.1.6      Fri Mar 29 02:01:13 -0500 2019
ladmin           pts/2    192.168.1.6      Fri Mar 29 02:19:13 -0500 2019