last

Understanding the last Command’s Functionality

The last command displays a list of recent logins and system events. By default, it shows information from the /var/log/wtmp file (or its symbolic link, often /var/run/utmp), which records user logins and system boot/shutdown events. The output provides details, including:

• Username: The user who logged in.
• TTY: The terminal or device used for login (e.g., pts/0, tty1).
• Login Time: The timestamp of the login.
• Logout Time: The timestamp of the logout (or “still logged in”).
• Duration: The length of the login session.
• IP Address: (In some cases) The IP address from which the user connected.

Basic Usage: Viewing Recent Logins

The simplest way to use last is to execute the command without any arguments:

last

This will display the most recent login entries. The number of entries shown defaults to system settings but can be controlled (see options below).

Refining Your Search with Options

The last command offers many useful options to customize the displayed information:

• -n <number>: Limits the output to the specified number of lines. For example, to see only the last 10 logins:

last -n 10

• -f <file>: Specifies an alternative log file to read from. This allows you to inspect different system logs, though caution is advised when working with files other than /var/log/wtmp. Note: This file might not exist depending on your system configuration.

• -i: Ignores the entries from system boot and shutdown. This filters the output and shows only user login entries.

• -t: Display boot and shutdown records only.

• -x: Shows more detailed information, including runlevel changes.

• <username>: Displays only the login history of a specific user:

last john.doe

This will show all login attempts for the user “john.doe.”

• <tty>: Displays login records for a specific terminal. This is useful for investigating logins from a particular physical console or virtual terminal:

last tty1

Combining Options for Powerful Analysis

The true power of last lies in combining these options. For instance, to view the last 5 logins for the user “alice” from a specific TTY, you would use:

last -n 5 alice pts/0

To see only the last 20 login entries excluding boot and shutdown:

last -n 20 -i

Inspecting a custom log file for a particular user:

last -f /path/to/custom.log user1

By mastering these options, you gain a granular level of control over the system login history analysis. This allows for efficient investigation of security breaches, performance issues related to user activity, and troubleshooting login problems. Remember to use appropriate caution when examining system logs and always respect file permissions.