Who, when and from where? Good security practice states that you should know who has accessed your Linux computer. We’ll show you how.
The wtmp file
Linux and other Unix-like operating systems such as macOS are very good at logging. Somewhere inside the system there is a log for pretty much anything you can think of. The log file we are interested in is called wtmp. The "w" could stand for "when" or "who"; nobody seems to agree. The "tmp" part probably stands for "temporary", but could also stand for "timestamp".
What we do know is that wtmp is a log that records every login and logout event, along with system boots. On Linux it lives at /var/log/wtmp. Reviewing the data in wtmp is a fundamental step in taking a security-conscious approach to your sysadmin tasks. On a typical family computer this may not be critical for security, but it is still interesting to review the combined use of the machine. Bear in mind that the file is writable by root, so on a machine where an attacker has already gained root it can be edited or truncated; if you need evidence you can trust, ship login events to a remote log host as well.
Unlike many of the text-based log files in Linux, wtmp is a binary file. To read the data in it we need a tool designed for the job. That tool is the last command.
The last command
The last command reads the wtmp log and displays it in the terminal window. If you type last and press Enter, it shows every record in the log file, one per line, newest first.
From left to right, each line contains:
- The username of the person who logged in.
- The terminal they were logged in on. An entry of :0 means a graphical session on the local display, tty2 or similar means a local text console, and pts/N is a pseudo-terminal, such as an SSH session.
- The host name or IP address they logged in from. This field is empty for local logins.
- The login date and time.
- The length of the session.
The final line, which starts with "wtmp begins", tells us the date and time of the earliest record in the log.
Each time the computer boots, a login entry for the pseudo-user reboot is written to the log. The terminal field reads system boot, the host field carries the kernel release, and the session length for these entries is the computer's uptime until the next shutdown (for the current boot, last prints still running).
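To make the binary format concrete, here is an added example that is not part of the original article: a small Python reader for wtmp (and btmp, which uses the same layout) that reproduces what last does with the records. It pairs each login with the logout on the same terminal, turns boot records into reboot entries carrying the kernel release, and marks sessions with no logout as still logged in. It assumes the 384-byte struct utmp layout glibc uses on x86_64 (other architectures and C libraries differ), and the sample records are constructed inside the script rather than captured from a real machine.

```python
import struct
import sys
from datetime import datetime, timezone

# struct utmp as laid out by glibc on x86_64 (384 bytes per record):
#   ut_type (short, padded to 4) | ut_pid (int) | ut_line[32] | ut_id[4]
#   ut_user[32] | ut_host[256] | ut_exit (2 shorts) | ut_session (int)
#   ut_tv (int32 sec, int32 usec) | ut_addr_v6[4] | 20 reserved bytes
# btmp uses the same layout.  32-bit targets and other C libraries differ.
UTMP_FMT = "<hxxi32s4s32s256shhi2i4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384

BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8  # ut_type values from <utmp.h>


def _cfield(text, size):
    """NUL-padded fixed-width byte field."""
    return text.encode()[:size].ljust(size, b"\0")


def _cstr(raw):
    """Decode a NUL-terminated fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def pack_record(ut_type, pid, line, user, host, when):
    """Build one raw record; used here only to construct the sample data."""
    return struct.pack(UTMP_FMT, ut_type, pid, _cfield(line, 32), b"\0" * 4,
                       _cfield(user, 32), _cfield(host, 256),
                       0, 0, 0, int(when.timestamp()), 0, 0, 0, 0, 0)


def parse_records(data):
    """Yield the fields last(1) needs from every complete record in a wtmp/btmp blob."""
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        yield {"type": f[0], "pid": f[1], "line": _cstr(f[2]), "user": _cstr(f[4]),
               "host": _cstr(f[5]), "time": datetime.fromtimestamp(f[9], timezone.utc)}


def sessions(records):
    """Pair logins with logouts on the same tty and return them newest-first.

    A USER_PROCESS record opens a session; a DEAD_PROCESS record on the same
    ut_line closes it.  A BOOT_TIME record becomes the pseudo-user 'reboot'
    (last prints 'system boot' for the tty and the kernel release as host);
    it also ends any session still open, which last labels 'down' or 'crash'.
    """
    open_by_line, boot, out = {}, None, []
    for rec in records:  # wtmp is appended in chronological order
        if rec["type"] == BOOT_TIME:
            for s in open_by_line.values():
                s["logout"], s["end"] = rec["time"], "down"
            open_by_line.clear()
            if boot is not None:
                boot["logout"], boot["end"] = rec["time"], "down"  # previous uptime
            boot = {"user": "reboot", "line": "system boot", "host": rec["host"],
                    "login": rec["time"], "logout": None, "end": "still running"}
            out.append(boot)
        elif rec["type"] == USER_PROCESS:
            s = {"user": rec["user"], "line": rec["line"], "host": rec["host"],
                 "login": rec["time"], "logout": None, "end": "still logged in"}
            open_by_line[rec["line"]] = s
            out.append(s)
        elif rec["type"] == DEAD_PROCESS:
            s = open_by_line.pop(rec["line"], None)
            if s is not None:
                s["logout"], s["end"] = rec["time"], "logout"
    for s in out:
        s["duration"] = None if s["logout"] is None else s["logout"] - s["login"]
    return out[::-1]


def sample_wtmp():
    """Constructed sample log (not a capture): a boot, a local login that is
    still open, and an SSH login from a documentation-range address that ended."""
    def t(hour, minute):
        return datetime(2019, 5, 26, hour, minute, tzinfo=timezone.utc)
    return b"".join([
        pack_record(BOOT_TIME, 0, "~", "reboot", "5.0.0-13-generic", t(6, 0)),
        pack_record(USER_PROCESS, 1201, "tty2", "dave", "", t(8, 0)),
        pack_record(USER_PROCESS, 1337, "pts/0", "alice", "203.0.113.7", t(9, 0)),
        pack_record(DEAD_PROCESS, 1337, "pts/0", "", "", t(9, 45)),
    ])


if __name__ == "__main__":
    # Pass /var/log/wtmp (or a rotated wtmp.1, or btmp as root) to read a real file.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_wtmp()
    for s in sessions(parse_records(data)):
        length = "" if s["duration"] is None else f" ({s['duration']})"
        print(f"{s['user']:<10}{s['line']:<14}{s['host']:<18}"
              f"{s['login']:%a %b %d %H:%M}  {s['end']}{length}")
```

Run it with no arguments to see the constructed sample rendered the way last would render it, or give it the path of a real wtmp file. Because the reader works from the raw records rather than last's formatted text, the same function can be pointed at a rotated wtmp.1 or at btmp (as root), and the durations it computes are exact rather than rounded to minutes.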
Display a certain number of lines
The last command on its own dumps the entire log, most of which rushes past the terminal window. What remains visible is the oldest data in the log, which is probably not what you wanted to see.
You can tell last to give you a certain number of lines of output by putting the desired number on the command line. Notice the hyphen: to see five lines you type last -5, not last 5 (the long form last -n 5 does the same thing).
This gives the first five lines of the log, which are the most recent entries.
View network names for remote users
The -d (DNS) option tells last to try to resolve remote users' IP addresses to a host name. It is not always possible for last to convert an IP address to a name, but the command will do so when it can. Be aware that this lookup happens when you run the command, not when the login happened, and that the reverse DNS for an address is controlled by whoever owns that address range, so treat a resolved name as a hint rather than as evidence.
Hide IP addresses and network names
If you are not interested in the IP address or host name, use the -R (no host name) option to suppress that field. Because it produces cleaner output with no awkward line wraps, this option is used in all of the following examples. If you are using last to look for unusual or suspicious activity, however, you would not suppress this field; use -a instead, which moves the host name to the end of the line so that long names no longer break the columns.
Select records by date
You can use the -s (since) option to restrict the output to login events that have occurred since a certain date.
To see only login events from May 26th, 2019 onward, use the following command:
last -R -s 2019-05-26
The output shows records with login events from 00:00 on the specified day up to the most recent record in the log file.
Search up to an end date
You can use the -t (to) option to indicate an end date. This lets you select the login records that fall between two dates of interest.
Adding -t 2019-05-27 to the previous command asks last for records from 00:00 on the 26th up to 00:00 on the 27th, which restricts the listing to login events that happened on the 26th.
Time and date formats
You can use both times and dates with the options that take a time (-s, -t and -p). The different formats that can (supposedly) be used are:
- YYYYMMDDhhmmss
- YYYY-MM-DD hh:mm:ss
- YYYY-MM-DD hh:mm (seconds are set to 00)
- YYYY-MM-DD (time is set to 00:00:00)
- hh:mm:ss (date is set to today)
- hh:mm (date is set to today, seconds to 00)
- now
- yesterday (time is set to 00:00:00)
- today (time is set to 00:00:00)
- tomorrow (time is set to 00:00:00)
- +5min
- -5days
The second and third formats in the list, the ones with a space between the date and the time, did not work during the research for this article. The commands were tested on Ubuntu, Fedora and Manjaro, which are derivatives of the Debian, Red Hat and Arch distributions; that covers the major Linux families.
last -R -s 2019-05-26 11:00 -t 2019-05-27 13:00
As you can see, the command returned no records at all. The likely cause is shell word splitting: the unquoted space means the shell hands 11:00 to last as a separate argument, and last treats stray arguments as usernames or terminals to filter on, so nothing matches. Quoting the value ("2019-05-26 11:00") keeps the date and time together as one argument.
Using the compact YYYYMMDDhhmmss format, the first in the list, with the same date and time as the previous command does return records:
last -R -s 20190526110000 -t 20190527130000
Search with relative units
You can also specify periods of time, measured in minutes or days, relative to the current date and time. Here we ask for records from two days ago up to one day ago:
last -R -s -2days -t -1days
Yesterday, today and tomorrow
You can use yesterday, today and tomorrow as shorthand for the corresponding dates at 00:00:
last -R -s yesterday -t today
Note that this does not contain any records for today. That is the expected behavior: the command requests records from the start date up to the end date, and the end date (00:00 today) is where the window closes, so nothing logged in today is included.
The now option is shorthand for "today at the current time". To view the login events from 00:00 today up to the moment the command is issued, use this command:
last -R -s today -t now
This displays all of today's login events up to the current point in time, including users who are still logged in.
The present option
The -p (present) option lets you find out who was logged in at a certain point in time.
It does not matter when they logged in or out; if they were logged in to the computer at the moment you specify, they are included in the list.
If you give a time without a date, last assumes you mean today.
last -R -p 09:30
Users who are still logged in have no logout time; they are shown as still logged in. If the computer has not been restarted since the time you specified, the current boot is listed as still running.
If you use the now shorthand with -p (present), you can find out who is logged in at the moment the command is issued.
last -R -p now
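The sections above on time formats, relative units, the yesterday/today/now shorthands and the -p option all describe how last turns a time specification into an instant and then selects sessions against it. The following added example (not code from the original article) implements that in Python: parse_timespec handles every form in the list above, and filter_sessions applies the -s, -t and -p selections to a constructed set of sessions given as (user, login, logout) tuples, with logout None for a session that is still open. The selection model used is the one the text describes (-s and -t compare the login time, -p keeps sessions open at that instant), the sessions and the fixed "now" are assumptions made for reproducibility, and only the min and days units shown on the page are accepted for relative forms.

```python
import re
from datetime import datetime, timedelta


def parse_timespec(spec, now):
    """Turn one of the time specifications last(1) accepts into a datetime.

    `now` is passed in rather than read from the clock so results are
    reproducible.  Handles YYYYMMDDhhmmss, the dashed date/time forms, bare
    times (date = today), the words now/today/yesterday/tomorrow, and the
    relative forms +Nmin / -Ndays.
    """
    spec = spec.strip()
    today = now.replace(hour=0, minute=0, second=0, microsecond=0)
    words = {"now": now, "today": today,
             "yesterday": today - timedelta(days=1),
             "tomorrow": today + timedelta(days=1)}
    if spec in words:
        return words[spec]
    rel = re.fullmatch(r"([+-])(\d+)(min|days?)", spec)
    if rel:
        n = int(rel.group(2)) * (1 if rel.group(1) == "+" else -1)
        return now + (timedelta(minutes=n) if rel.group(3) == "min" else timedelta(days=n))
    for fmt in ("%Y%m%d%H%M%S", "%Y-%m-%d %H:%M:%S", "%Y-%m-%d %H:%M",
                "%Y-%m-%d", "%H:%M:%S", "%H:%M"):
        try:
            t = datetime.strptime(spec, fmt)
        except ValueError:
            continue
        if fmt.startswith("%H"):  # time only: last assumes today
            return today.replace(hour=t.hour, minute=t.minute, second=t.second)
        return t
    raise ValueError(f"unrecognised time specification: {spec!r}")


def filter_sessions(sessions, now, since=None, until=None, present=None):
    """Apply last's -s/-t/-p selections to (user, login, logout) tuples.

    Model assumed here: -s keeps sessions whose login is at or after the
    time, -t keeps sessions whose login is at or before it, and -p keeps
    sessions that were open at that instant (logout None = still logged in).
    """
    lo = parse_timespec(since, now) if since else None
    hi = parse_timespec(until, now) if until else None
    at = parse_timespec(present, now) if present else None
    kept = []
    for user, login, logout in sessions:
        if lo is not None and login < lo:
            continue
        if hi is not None and login > hi:
            continue
        if at is not None and (login > at or (logout is not None and logout < at)):
            continue
        kept.append((user, login, logout))
    return kept


# Constructed sessions in the order last reports them (newest first); not real data.
NOW = datetime(2019, 5, 27, 13, 0)
SAMPLE = [
    ("alice", datetime(2019, 5, 27, 8, 30), None),                          # still logged in
    ("bob", datetime(2019, 5, 26, 9, 10), datetime(2019, 5, 26, 9, 40)),
    ("dave", datetime(2019, 5, 26, 8, 0), datetime(2019, 5, 26, 17, 0)),
    ("alice", datetime(2019, 5, 25, 22, 30), datetime(2019, 5, 26, 1, 15)),  # spans midnight
]

if __name__ == "__main__":
    queries = [("-s yesterday -t today", dict(since="yesterday", until="today")),
               ("-s -2days -t -1days", dict(since="-2days", until="-1days")),
               ("-s today -t now", dict(since="today", until="now")),
               ("-p 09:30", dict(present="09:30")),
               ("-p 2019-05-26 09:30", dict(present="2019-05-26 09:30"))]
    for label, kw in queries:
        users = [u for u, _, _ in filter_sessions(SAMPLE, NOW, **kw)]
        print(f"{label:<22} -> {users}")
```

The midnight-spanning session in the sample is the case worth watching: it is selected by -p 2019-05-26 00:30 because it was open then, but not by -s yesterday -t today, because that pair filters on when the login happened.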
This is a somewhat roundabout way of achieving what the who command does directly.
The lastb command
The lastb command deserves a mention. It reads data from a log called btmp. There is a little more consensus about this log's name: the "b" stands for bad, but the "tmp" part is still debated.
lastb lists failed login attempts (failed SSH logins show up with ssh:notty in the terminal column). It accepts the same options as last. Since the attempts were unsuccessful, every entry has a duration of 00:00.
btmp is readable only by root (and, on some distributions, members of the utmp group), so you have to use sudo:
sudo lastb -R
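Reading lastb output by eye does not scale, so here is an added example, not from the original article, of the triage a practitioner would run over it. It works on (user, source host, time) tuples, the three lastb fields that matter, which are constructed in the script from documentation-range addresses rather than captured from a real btmp; on a real system you would fill the list from lastb -F output or from the btmp records directly. It separates a burst of failures from one host, a host trying many account names (password spraying), and a slow guesser that never trips a rate threshold but adds up over time. The thresholds and window are assumptions chosen for the sample.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _t(day, hour, minute, second=0):
    return datetime(2019, 5, day, hour, minute, second)


# Constructed failed-login attempts (user, source host, time); not a capture.
ATTEMPTS = (
    # one host trying six account names within a minute: a spray / brute force
    [(u, "203.0.113.9", _t(27, 3, 14, 10 * i))
     for i, u in enumerate(["root", "admin", "test", "oracle", "postgres", "ubuntu"])]
    # a real user mistyping a password twice
    + [("dave", "198.51.100.4", _t(27, 8, 1)), ("dave", "198.51.100.4", _t(27, 8, 2))]
    # a slow, single-account guess every 15 minutes for two hours
    + [("root", "192.0.2.20", _t(26, 22, 0) + timedelta(minutes=15 * i)) for i in range(8)]
)


def bursts(attempts, threshold=5, window=timedelta(minutes=10)):
    """Hosts with at least `threshold` failures inside any `window`-long span.

    Returns {host: (count in the densest window, first, last)}.  A sliding
    window over the sorted timestamps is used so a slow trickle of failures
    does not trigger but a burst does, however long the host stays active.
    """
    by_host = defaultdict(list)
    for _user, host, when in attempts:
        by_host[host].append(when)
    found = {}
    for host, times in by_host.items():
        times.sort()
        j, best = 0, (0, None, None)
        for i, start in enumerate(times):
            while j < len(times) and times[j] - start <= window:
                j += 1
            count = j - i
            if count > best[0]:
                best = (count, start, times[j - 1])
        if best[0] >= threshold:
            found[host] = best
    return found


def spray_sources(attempts, min_users=3):
    """Hosts that failed against at least `min_users` distinct accounts."""
    users = defaultdict(set)
    for user, host, _when in attempts:
        users[host].add(user)
    return {h: sorted(u) for h, u in users.items() if len(u) >= min_users}


def persistent_sources(attempts, min_total=6):
    """Hosts whose total failures reach `min_total` regardless of pace; catches the slow guesser."""
    totals = defaultdict(int)
    for _user, host, _when in attempts:
        totals[host] += 1
    return {h: n for h, n in totals.items() if n >= min_total}


if __name__ == "__main__":
    for host, (n, first, last) in bursts(ATTEMPTS).items():
        print(f"burst   {host:<14} {n} failures between {first:%H:%M:%S} and {last:%H:%M:%S}")
    for host, names in spray_sources(ATTEMPTS).items():
        print(f"spray   {host:<14} tried {len(names)} accounts: {', '.join(names)}")
    for host, n in persistent_sources(ATTEMPTS).items():
        print(f"volume  {host:<14} {n} failures in total")
```

The three checks deliberately overlap: the fast host trips all of them, the slow host only the volume check, and the user who mistyped twice none of them. That is the balance you want before feeding the result into an alert or a block list.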
The last word on this topic
Knowing who logged in to your Linux computer, when and from where, is useful information. Combine it with the details of any failed login attempts and you have a starting point for investigating suspicious behavior. Remember that both logs are rotated (use last -f to read an older file such as /var/log/wtmp.1) and that neither is tamper-proof once an attacker has root.