Linux/Unix last command provide User’s login and logout timings. This helps to find out who recently used system, this further helps to relate things happened on system with their timings.

last command used to search User’s login from /var/log/wtmp file. When last catches a SIGINT signal (generated by the interrupt key, usually control-C) or a SIGQUIT signal (generated by the quit key, usually control-\), last will show how far it has searched through the file; in the case of the SIGINT signal last will then terminate.



Syntax

#last #last User-name #last reboot #last -x shutdown #last tty1

let see some of examples and their description.

Simple ” last “ command will show Users login as described in below image

[root@srv103 ~]# last | head root pts/0 192.168.0.1 Sun Jan 3 09:39 still logged in reboot system boot 2.6.32-431.el6.x Sun Jan 3 09:31 - 09:40 (00:08) root pts/1 192.168.0.1 Sat Jan 2 23:03 - crash (10:27) root pts/0 192.168.0.1 Sat Jan 2 22:52 - crash (10:39) reboot system boot 2.6.32-431.el6.x Sat Jan 2 22:43 - 09:40 (10:57) root pts/1 192.168.0.1 Sat Jan 2 01:24 - down (12:30) root pts/0 192.168.0.1 Sat Jan 2 01:24 - down (12:30) root pts/0 192.168.0.1 Sat Jan 2 01:15 - 01:15 (00:00) reboot system boot 2.6.32-431.el6.x Fri Jan 1 23:09 - 13:54 (14:45) root pts/1 192.168.0.1 Thu Dec 31 22:57 - crash (1+00:11)

last command can display user specific login logout with ” last user-name”

[root@srv103 ~]# last u1 u1 pts/1 192.168.0.1 Sat Dec 26 16:47 - down (00:52) u1 pts/1 192.168.0.1 Tue Dec 22 06:47 - 06:47 (00:00) u1 pts/1 192.168.0.1 Tue Dec 22 05:25 - 05:26 (00:00) u1 pts/1 192.168.0.1 Tue Dec 22 05:21 - down (00:00) wtmp begins Mon Dec 14 04:49:16 2015

[root@srv103 ~]# last reboot reboot system boot 2.6.32-431.el6.x Sun Jan 3 09:31 - 09:45 (00:13) reboot system boot 2.6.32-431.el6.x Sat Jan 2 22:43 - 09:45 (11:02) reboot system boot 2.6.32-431.el6.x Fri Jan 1 23:09 - 13:54 (14:45) reboot system boot 2.6.32-431.el6.x Thu Dec 31 22:23 - 13:54 (1+15:31) reboot system boot 2.6.32-431.el6.x Thu Dec 31 11:22 - 13:51 (02:29) reboot system boot 2.6.32-431.el6.x Thu Dec 31 05:07 - 13:51 (08:44) reboot system boot 2.6.32-431.el6.x Wed Dec 30 03:30 - 13:51 (1+10:21) reboot system boot 2.6.32-431.el6.x Mon Dec 28 08:35 - 13:51 (3+05:16) reboot system boot 2.6.32-431.el6.x Mon Dec 28 04:35 - 13:51 (3+09:15) reboot system boot 2.6.32-431.el6.x Sun Dec 27 10:28 - 14:45 (04:17) reboot system boot 2.6.32-431.el6.x Sat Dec 26 15:34 - 17:39 (02:05) reboot system boot 2.6.32-431.el6.x Sat Dec 26 05:26 - 17:39 (12:13) reboot system boot 2.6.32-431.el6.x Fri Dec 25 10:48 - 17:39 (1+06:51) reboot system boot 2.6.32-431.el6.x Tue Dec 22 23:41 - 17:39 (3+17:57) reboot system boot 2.6.32-431.el6.x Tue Dec 22 05:22 - 17:39 (4+12:16) reboot system boot 2.6.32-431.el6.x Tue Dec 22 02:49 - 05:21 (02:32) reboot system boot 2.6.32-431.el6.x Mon Dec 21 08:31 - 09:04 (00:32) reboot system boot 2.6.32-431.el6.x Fri Dec 18 05:37 - 09:04 (3+03:27) reboot system boot 2.6.32-431.el6.x Tue Dec 15 12:15 - 12:42 (00:26) reboot system boot 2.6.32-431.el6.x Mon Dec 14 04:56 - 07:05 (02:09) reboot system boot 2.6.32-431.el6.x Mon Dec 14 04:54 - 04:55 (00:01) reboot system boot 2.6.32-431.el6.x Mon Dec 14 04:49 - 04:53 (00:04) wtmp begins Mon Dec 14 04:49:16 2015

last command can display shutdown specific record with " last -x shutdown"

[root@srv103 ~]# last -x shutdown shutdown system down 2.6.32-431.el6.x Sat Jan 2 13:55 - 22:43 (08:48) shutdown system down 2.6.32-431.el6.x Thu Dec 31 13:51 - 22:23 (08:31) shutdown system down 2.6.32-431.el6.x Sun Dec 27 14:45 - 04:35 (13:50) shutdown system down 2.6.32-431.el6.x Sat Dec 26 17:39 - 10:28 (16:48) shutdown system down 2.6.32-431.el6.x Tue Dec 22 05:21 - 05:22 (00:01) shutdown system down 2.6.32-431.el6.x Mon Dec 21 09:04 - 02:49 (17:45) shutdown system down 2.6.32-431.el6.x Tue Dec 15 12:42 - 05:37 (2+16:54) shutdown system down 2.6.32-431.el6.x Mon Dec 14 07:05 - 12:15 (1+05:10) shutdown system down 2.6.32-431.el6.x Mon Dec 14 04:55 - 04:56 (00:00) shutdown system down 2.6.32-431.el6.x Mon Dec 14 04:53 - 04:54 (00:00) wtmp begins Mon Dec 14 04:49:16 2015

last command can display console specific login and logout record with " last tty1 pts/2"

[root@srv103 ~]# last tty1 pts/2 root tty1 Sun Dec 27 12:49 - down (01:55) root pts/2 192.168.0.101 Mon Dec 14 05:46 - 06:05 (00:19) root pts/2 192.168.0.1 Mon Dec 14 05:44 - 05:44 (00:00) root tty1 Mon Dec 14 05:39 - 05:43 (00:03) root tty1 Mon Dec 14 04:54 - down (00:00) root tty1 Mon Dec 14 04:50 - down (00:02) wtmp begins Mon Dec 14 04:49:16 2015

last command can display the state of logins as of the specified time with " last -t YYYYMMDDHHMMSS"

[root@srv103 ~]# date Sun Jan 3 09:51:06 EST 2016 [root@srv103 ~]# last -t 20151214050000 root root pts/0 192.168.0.1 Mon Dec 14 04:56 gone - no logout root pts/0 192.168.0.1 Mon Dec 14 04:55 - down (00:00) root tty1 Mon Dec 14 04:54 - down (00:00) root tty1 Mon Dec 14 04:50 - down (00:02) wtmp begins Mon Dec 14 04:49:16 2015 [root@srv103 ~]#

last command can display complete detail of login logut with " last -F"

[root@srv103 ~]# last -F -t 20151228050000 u1 u1 pts/1 192.168.0.1 Sat Dec 26 16:47:17 2015 - down (00:52) u1 pts/1 192.168.0.1 Tue Dec 22 06:47:38 2015 - Tue Dec 22 06:47:43 2015 (00:00) u1 pts/1 192.168.0.1 Tue Dec 22 05:25:38 2015 - Tue Dec 22 05:26:06 2015 (00:00) u1 pts/1 192.168.0.1 Tue Dec 22 05:21:09 2015 - down (00:00) wtmp begins Mon Dec 14 04:49:16 2015

There are some other options that could be used with last listed below with their explanation.

-f file Tells last to use a specific file instead of /var/log/wtmp. -num This is a count telling last how many lines to show. -n num The same. -f file Specifies a file to search other than /var/log/wtmp. -R Suppresses the display of the hostname field. -a Display the hostname in the last column. Useful in combination with the next flag. -d For non-local logins, Linux stores not only the host name of the remote host but its IP number as well. This option translates the IP number back into a hostname. -F Print full login and logout times and dates. -i This option is like -d in that it displays the IP number of the remote host, but it displays the IP number in numbers-and-dots notation. -o Read an old-type wtmp file (written by linux-libc5 applications). -w Display full user and domain names in the output. -x Display the system shutdown entries and run level changes.