LinuxCommandLibrary

last

Show user login/logout history

TLDR

View last login infromation (e.g., username, terminal, boot time, kernel) of all users as read from /var/log/wtmp

$ last
copy

List login information of a specific user
$ last [username]
copy

Specify how many of the last logins to show
$ last [[-n|--limit]] [login_count]
copy

Print the full date and time for entries and then display the hostname column last to prevent truncation
$ last [[-F|--fulltimes]] [[-a|--hostlast]]
copy

View all logins by a specific user and show the IP address instead of the hostname
$ last [username] [[-i|--ip]]
copy

List information since a specific time and date
$ last [[-s|--since]] [-7days]
copy

View all recorded reboots (i.e., the last logins of the pseudo user "reboot")
$ last reboot
copy

Display help
$ last [[-h|--help]]
copy

SYNOPSIS

last [options]... [username...]

PARAMETERS

-a
    Display hostname in the first data column (before TTY)

-F
    Print full login and logout times and dates

-f file
    Read entries from file instead of /var/log/wtmp

-h
    Suppress hostname/IP column

-i
    With -h, display IP addresses instead of hostnames

-n number or number
    Limit output to number lines (default unlimited)

-s time
    Start listing at entries after time (YYYYMMDDhhmmss)

-t tty...
    Display entries for specified TTY(s) only

-u user...
    Display entries for specified user(s) only

-x
    Extended format: separate lines for login/logout, include run-level changes

-time
    Stop listing at entries before time (YYYYMMDDhhmmss)

DESCRIPTION

The last command examines the /var/log/wtmp file (and its rotations like wtmp.1) to display a history of recent user logins, logouts, reboots, and shutdowns on a Unix-like system. It lists entries in reverse chronological order (most recent first), providing insights into system access patterns, session durations, and remote hosts.

Each line typically shows: username, terminal (e.g., pts/0, tty1), remote host or IP, start time, and session duration (or 'still logged in' for active sessions). Reboots appear as 'reboot system boot ...' and shutdowns similarly.

This tool is invaluable for system administrators tracking user activity, investigating security incidents, or auditing usage. It processes binary utmp/wtmp records generated by login daemons, su, ssh, and X displays. Without options, it shows all entries until the file end or a limit.

Filtering by user, time, TTY, or host refines output. Extended modes add details like session open/close events. Note that last does not access current utmp (/var/run/utmp) for active users; use who for that.

Output is paged if lengthy, and large wtmp files can slow it down.

CAVEATS

wtmp files can grow large and rotate; incomplete if cleared. Root can manipulate logs. Does not show current sessions (use who). Time format assumes local timezone. Graphical logins may appear as ':0' TTY.

SAMPLE OUTPUT

user pts/2 192.168.1.100 Fri Dec 1 09:15 - 10:30 (01:15)
root tty1 Fri Dec 1 08:00 still logged in

TIME SPECIFICATION

Use [[CC]YY]MMDDhhmm[ss] format, e.g., 20231201123000 for Dec 1, 2023 12:30:00. Relative times like today unsupported.

HISTORY

Originated in Version 7 Unix (1979) from AT&T. Maintained in util-linux package since 1990s by Red Hat; widely portable across POSIX systems with enhancements like IPv6 support in modern versions.

SEE ALSO

lastb(1), lastlog(1), who(1), w(1), utmpdump(1), utmp(5), wtmp(5)

Copied to clipboard