How to use the last command on Linux

Who, when and from where? Good security practice states that you should know who has accessed your Linux computer. We’ll show you how.

The wtmp file

Linux and other Unix-like operating systems such as macOS are very good at logging. Somewhere inside the system there is a log for pretty much anything you can think of. The log file we are interested in is called wtmp. The “w” could stand for “when” or “who” – nobody seems to agree. The “tmp” part probably stands for “temporary”, but could also stand for “timestamp”.

What we know is that wtmp is a log that captures and records every login and logout event. Reviewing the data in the wtmp log is a fundamental step in taking a security-conscious approach to your system administration tasks. For a typical family computer, this may not be as critical for security reasons, but it is interesting to be able to review your combined use of the computer.

Unlike many text-based log files in Linux, wtmp is a binary file. To access the data contained in it, we need to use a tool designed for this task.

That tool is the last command.
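To show what "binary file" means here, the following added example (not from the original article) decodes wtmp-style records and pairs logins with logouts much as last does. It assumes the 384-byte glibc `struct utmp` layout used on common Linux systems, matches sessions by terminal only, and runs on constructed sample records with made-up users and addresses.

```python
import struct
from datetime import datetime, timezone

# Assumed layout: glibc "struct utmp" on Linux, 384 bytes per record, little-endian.
UTMP = struct.Struct("<h2xi32s4s32s256shhiii4i20s")
TYPES = {1: "RUN_LVL", 2: "BOOT_TIME", 6: "LOGIN_PROCESS",
         7: "USER_PROCESS", 8: "DEAD_PROCESS"}

def text_field(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def parse_wtmp(data):
    """Yield a dict per complete record; a truncated trailing record is skipped."""
    usable = len(data) - len(data) % UTMP.size
    for f in UTMP.iter_unpack(data[:usable]):
        yield {"type": TYPES.get(f[0], str(f[0])), "pid": f[1],
               "line": text_field(f[2]), "user": text_field(f[4]),
               "host": text_field(f[5]),
               "time": datetime.fromtimestamp(f[9], tz=timezone.utc)}

def sessions(records):
    """Pair each login with the logout on the same terminal; None = still logged in."""
    open_by_line, done = {}, []
    for r in records:
        if r["type"] == "USER_PROCESS":
            open_by_line[r["line"]] = r
        elif r["type"] == "DEAD_PROCESS" and r["line"] in open_by_line:
            s = open_by_line.pop(r["line"])
            done.append((s["user"], s["line"], s["host"], r["time"] - s["time"]))
    return done + [(s["user"], s["line"], s["host"], None)
                   for s in open_by_line.values()]

def make_record(ut_type, pid, line, user, host, ts):
    """Pack one constructed record (all names and addresses here are made up)."""
    return UTMP.pack(ut_type, pid, line.encode(), b"", user.encode(),
                     host.encode(), 0, 0, 0, ts, 0, 0, 0, 0, 0, b"")

# Constructed sample: a boot, one finished session, one session still open.
SAMPLE = b"".join([
    make_record(2, 0, "~", "reboot", "5.0.0-example", 1558861200),     # 09:00 UTC
    make_record(7, 2101, "pts/0", "alice", "192.0.2.10", 1558864800),  # login 10:00
    make_record(8, 2101, "pts/0", "", "", 1558868400),                 # logout 11:00
    make_record(7, 2200, "pts/1", "bob", "192.0.2.20", 1558872000),    # login 12:00
])

if __name__ == "__main__":
    for user, line, host, length in sessions(parse_wtmp(SAMPLE)):
        print(user, line, host, length or "still logged in")
```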

The last command

The last command reads data from the wtmp log and displays it in a terminal window.

When you type last and press Enter, it shows all records from the log file.


Each record of wtmp is displayed in the terminal window.

From left to right, each line contains:

  • The username of the person who signed in.
  • The terminal they were logged in to. A terminal entry of :0 means that they were logged into the Linux computer itself.
  • The IP address of the computer they were logged in to.
  • The login time and date stamp.
  • The length of the session.

The last line tells us the date and time of the earliest recorded session in the log.

Each time the computer boots up, a login entry for the fictitious user ‘reboot’ is entered in the log. The terminal field is replaced by the kernel version. The length of the logged in session for these entries represents the computer’s uptime.

Display a certain number of lines

Using the last command on its own creates a dump of the entire log, with most of it rushing past the terminal window. The part that remains visible is the earliest data in the log. This is probably not what you wanted to see.

You can tell last to give you a certain number of lines of output. To do this, enter the desired number of lines on the command line. Notice the hyphen. To see five lines you need to type -5 and not 5:

                      last -5

This gives the first five lines of the log, which are the most recent data.

View network names for remote users

The -d (Domain Name System) option tells last to try to resolve remote users’ IP addresses to a computer or network name.

                      last -d

It’s not always possible for last to convert the IP address to a network name, but the command will do it if it can.

Hide IP addresses and network names

If you are not interested in the IP address or network name, use the -R (no host name) option to suppress this field.

Because this produces cleaner output with no ugly breaks, this option was used in all of the following examples. If you were using last to identify unusual or suspicious activity, you would not suppress this field.

Select records by date

You can use the -s (since) option to restrict the output so that only login events that have occurred since a certain date are displayed.

If you only want to see login events that happened after May 26th, 2019, use the following command:

                      last -R -s 2019-05-26

The output shows records with login events that occurred from 00:00 on the specified day to the most recent records in the log file.

Search up to an end date

You can use the -t (to) option to indicate an end date. This allows you to select a set of login records that occurred between two dates of interest.

With a start date of the 26th and an end date of the 27th, last retrieves and displays the login records from 00:00 (dawn) on the 26th to 00:00 (dawn) on the 27th. This restricts the listing to login sessions that took place only on the 26th.

Time and date formats

You can use both times and dates with the -s and -t options.

The different time formats that can be used with the last options that take dates and times are (supposedly):

  • YYYYMMDDhhmmss
  • YYYY-MM-DD hh:mm:ss
  • YYYY-MM-DD hh:mm – seconds are set to 00
  • YYYY-MM-DD – time is set to 00:00:00
  • hh:mm:ss – the date is set to today
  • hh:mm – date is set to today, seconds to 00
  • now
  • yesterday – time is set to 00:00:00
  • today – time is set to 00:00:00
  • tomorrow – the time is set to 00:00:00
  • +5min
  • -5days

Why “supposedly”?

The second and third formats in the list did not work during the research for this article. These commands have been tested on Ubuntu, Fedora, and Manjaro distributions. These are derivatives of the Debian, Red Hat and Arch distributions. That covers all the major families of Linux distributions.

                      last -R -s 2019-05-26 11:00 -t 2019-05-27 13:00

As you can see, the command did not return any records at all.

Using the first date and time format from the list with the same date and time as the previous command returns records:

                      last -R -s 20190526110000 -t 20190527130000

Search for relative units

You can also specify periods of time, measured in minutes or days, relative to the current date and time. Here we ask for records from two days ago to one day ago.

                      last -R -s -2days -t -1days

Yesterday, today and now

You can use yesterday and today as shorthand for yesterday’s date and today’s date.

                      last -R -s yesterday -t today

Note that this doesn’t contain any records for today. That is the expected behavior. The command requests records from the start date to the end date. It does not include any records from within the end date.

The now option is shorthand for “today at the current time”. To view the login events that have occurred from 00:00 (dawn) to the time the command was issued, use this command:

                      last -R -s today -t now

This will display all login events up to the current point in time, including those who are still logged in.

The present option

With the -p (present) option you can find out who was logged in at a certain point in time.

It doesn’t matter when they signed in or out, but if they were signed in to the computer at the time you specified, they will be added to the list.

If you specify a time without a date, last assumes you mean “today”.

                      last -R -p 09:30

People who are (obviously) still logged in have no logout time; they are described as still logged in. If the computer has not restarted since the time you specified, it will be listed as still running.

If you use the now shorthand with the -p (present) option, you can find out who is logged in at the time the command is issued.

                      last -R -p now

This is a rather long-winded way of achieving what can be achieved with the who command.

The lastb command

The lastb command deserves a mention. It reads data from a log called btmp. There is a little more consensus on this log name. The ‘b’ stands for bad, but the ‘tmp’ part is still under discussion.

lastb lists the bad (failed) login attempts. It accepts the same options as last. Since the login attempts were unsuccessful, all entries have a duration of 00:00.

You have to use sudo with lastb.

                      sudo lastb -R

The last word on this topic

Knowing who logged into your Linux computer, when and from where, is useful information. Combine this with the details of any failed login attempts to get you started investigating suspicious behavior.
