‘last’ Command in Linux | System Administration Tutorial

Have you ever found yourself curious about the last logged in users on your Linux system? You’re not alone. Many system administrators find it crucial to keep track of this information for security and auditing purposes. Think of the ‘last’ command in Linux as a vigilant security guard, always ready to report on the recent activity in your system. This tool helps you track user login history and provides a wealth of information that can be vital for system administration, security audits, and even troubleshooting.

In this guide, we’ll walk you through the usage of the ‘last’ command in Linux, from basic to advanced levels. We’ll cover everything from the basics of the ‘last’ command, its various options, to more advanced techniques and alternative approaches.

So, let’s dive in and start mastering the ‘last’ command in Linux!

TL;DR: What Does the ‘Last’ Command Do in Linux?

The 'last' command in Linux is used to display the history of last logged in users. It can be called byitself or used with the syntax, last [arguments] [parameters].

Here’s a simple usage:

last

Running this command will list the login history in your terminal, showing you a list of the last logged in users.

# Output:
# user1   pts/0        192.168.1.10    Mon Sep 27 10:30   still logged in
# user2   pts/1        192.168.1.11    Mon Sep 27 09:45 - 10:00  (00:15)

In this example, ‘user1’ is currently logged in from the IP address ‘192.168.1.10’, and ‘user2’ was logged in from ‘192.168.1.11’ but has since logged out.

This is just a basic way to use the ‘last’ command in Linux, but there’s much more to learn about tracking user activity and managing system security. Continue reading for more detailed information and advanced usage scenarios.

Getting Started with the ‘Last’ Command in Linux

The ‘last’ command in Linux is a powerful tool for system administrators. At its most basic, it displays the last logged in users on your system. But how does it work? Let’s break it down.

When you type ‘last’ into your terminal and press enter, the command reads the /var/log/wtmp file. This file logs every login and logout activity on your system.

Let’s see it in action:

last -n 5

This command will display the last five login records.

# Output:
# user1   pts/0        192.168.1.10    Mon Sep 27 10:30   still logged in
# user2   pts/1        192.168.1.11    Mon Sep 27 09:45 - 10:00  (00:15)
# user3   pts/2        192.168.1.12    Mon Sep 27 09:30 - 09:45  (00:15)
# user4   pts/3        192.168.1.13    Mon Sep 27 09:15 - 09:30  (00:15)
# user5   pts/4        192.168.1.14    Mon Sep 27 09:00 - 09:15  (00:15)

In this output, you can see the username, the terminal from which they logged in, their IP address, the login time, and the duration of their session.

The ‘last’ command is a great way to keep track of who’s been using your system and when. However, it’s not without its pitfalls. For instance, the /var/log/wtmp file can become very large over time, which can slow down the ‘last’ command. It’s a good practice to archive and clear this file periodically to keep your system running smoothly.

Advanced Uses of the ‘Last’ Command in Linux

As you become more comfortable with the basic ‘last’ command, you’ll find that its true power lies in its advanced features. The ‘last’ command’s flexibility allows it to handle more complex tasks, such as using different flags or options. Let’s explore some of these advanced uses.

Before we dive into the advanced usage of ‘last’, let’s familiarize ourselves with some of the command-line arguments or flags that can modify the behavior of the ‘last’ command. Here’s a table with some of the most commonly used ‘last’ arguments.

Now that we have a basic understanding of ‘last’ command line arguments, let’s dive deeper into the advanced use of ‘last’.

Using the ‘-n’ Argument

The ‘-n’ argument allows you to limit the number of lines displayed. For instance, to display the last five login records, you would use:

last -n 5

# Output:
# user1   pts/0        192.168.1.10    Mon Sep 27 10:30   still logged in
# user2   pts/1        192.168.1.11    Mon Sep 27 09:45 - 10:00  (00:15)
# user3   pts/2        192.168.1.12    Mon Sep 27 09:30 - 09:45  (00:15)
# user4   pts/3        192.168.1.13    Mon Sep 27 09:15 - 09:30  (00:15)
# user5   pts/4        192.168.1.14    Mon Sep 27 09:00 - 09:15  (00:15)

This is especially helpful when you have a large number of login records and you only want to see the most recent ones.

Displaying IP Addresses with ‘-i’

The ‘-i’ argument is used to display IP addresses in the dot notation, which can be more readable. Here’s how to use it:

last -i

# Output:
# user1   pts/0        192.168.1.10    Mon Sep 27 10:30   still logged in
# user2   pts/1        192.168.1.11    Mon Sep 27 09:45 - 10:00  (00:15)

This is particularly useful when trying to track the source of a login.

Viewing System Shutdown Entries with ‘-x’

The ‘-x’ argument allows you to view system shutdown entries and run level changes, which can be important for troubleshooting:

last -x

# Output:
# shutdown  system down  2.6.32-696.18.7 Mon Sep 27 10:00 - 10:30  (00:30)
# user1     pts/0        192.168.1.10    Mon Sep 27 09:45 - down   (00:15)

This gives you a more complete picture of what’s happening on your system.

The ‘last’ command is a powerful tool when used effectively. By understanding and using these advanced features, you can gain a deeper insight into your system’s activity and improve your system administration skills.

Exploring Alternative Commands: ‘lastb’ and More

While the ‘last’ command is a powerful tool for tracking user activity, there are alternative commands in Linux that provide similar results. One of these is the ‘lastb’ command, which specifically tracks failed login attempts. This can be particularly useful for identifying potential security threats.

Tracking Failed Logins with ‘lastb’

The ‘lastb’ command works similarly to ‘last’, but instead of reading from the /var/log/wtmp file, it reads from the /var/log/btmp file, which logs all failed login attempts. Here’s an example of how to use ‘lastb’:

lastb -n 5

This command will display the last five failed login attempts.

# Output:
# user1   ssh:notty    192.168.1.15    Mon Sep 27 10:45 - 10:45  (00:00)
# user2   ssh:notty    192.168.1.16    Mon Sep 27 10:30 - 10:30  (00:00)
# user3   ssh:notty    192.168.1.17    Mon Sep 27 10:15 - 10:15  (00:00)
# user4   ssh:notty    192.168.1.18    Mon Sep 27 10:00 - 10:00  (00:00)
# user5   ssh:notty    192.168.1.19    Mon Sep 27 09:45 - 09:45  (00:00)

In this output, you can see the username, the method of login attempt (in this case, ssh), their IP address, and the time of the failed attempt.

The ‘lastb’ command can be a valuable tool for identifying potential security threats, such as repeated failed login attempts from a particular IP address. By regularly monitoring failed login attempts, system administrators can take proactive steps to secure their systems.

The ‘last’ and ‘lastb’ commands are just two examples of the powerful tools available in Linux for monitoring user activity. By understanding and using these commands effectively, you can gain a deeper insight into your system’s activity and improve your system administration skills.

Troubleshooting Common Issues with the ‘Last’ Command

While the ‘last’ command is a reliable tool for tracking user activity in Linux, it’s not without its quirks. Let’s discuss some common issues you may encounter while using ‘last’ and how to solve them.

Slow Performance Due to Large Log Files

One common issue is slow performance when the ‘last’ command is used on a system with large log files. This is because ‘last’ reads from the /var/log/wtmp file, which can become quite large on systems with heavy user activity. Here’s an example of how you might identify this problem:

ls -lh /var/log/wtmp

# Output:
# -rw-rw-r-- 1 root utmp 2.1G Sep 27 11:00 /var/log/wtmp

In this example, the /var/log/wtmp file is over 2GB, which could slow down the ‘last’ command. To solve this issue, you can archive and clear the /var/log/wtmp file periodically. Here’s how you might do this:

cp /var/log/wtmp /var/log/wtmp.backup
> /var/log/wtmp

This will create a backup of the /var/log/wtmp file and then clear it. The ‘last’ command should now perform much faster.

No Records Found

Another common issue is the ‘No entries’ message. This happens when there are no login records in the /var/log/wtmp file. Here’s an example:

last

# Output:
# No entries

This could be due to the /var/log/wtmp file being recently cleared or the system being recently rebooted. In this case, there’s not much you can do other than wait for new login activity to be logged.

Displaying Incorrect Time

The ‘last’ command displays the time of login activities based on the system’s timezone setting. If the system’s timezone is not correctly set, the times displayed by ‘last’ may be incorrect. To correct this, you need to set the correct timezone on your system.

The ‘last’ command is a powerful tool, but like any tool, it’s not without its quirks. By understanding these common issues and how to solve them, you can use the ‘last’ command more effectively.

Understanding Linux’s System Logging

System logging is a critical aspect of Linux system administration and security. It involves recording various system events, including user activity, for later review. System logs can help administrators troubleshoot problems, monitor system performance, and even detect security breaches.

Importance of Monitoring User Activity

Monitoring user activity is particularly important for maintaining system security. By keeping an eye on who’s logging into your system and what they’re doing, you can detect unauthorized access or suspicious activity. This is where the ‘last’ command comes into play.

The ‘last’ command in Linux reads the /var/log/wtmp file, which stores all login and logout activity. Here’s a simple example of how to view this file directly:

cat /var/log/wtmp | less

# Output:
# ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@reboot   ~        2.6.32-696.18.7 Mon Sep 27 10:00

In this output, you can see a ‘reboot’ entry, indicating that the system was rebooted at 10:00 on September 27th. However, the output is not very readable, which is why we use the ‘last’ command to parse this file and display the information in a more readable format.

System Logging for Security and Administration

System logging is not just about monitoring user activity. It also includes logging system events like boot sequences, system errors, and hardware status. These logs can help administrators troubleshoot problems, optimize system performance, and maintain system security.

In Linux, system logs are typically stored in the /var/log directory. Different types of logs are stored in different files. For instance, the /var/log/syslog file stores general system activity, while the /var/log/auth.log file stores authentication logs.

Here’s an example of how to view the /var/log/syslog file:

cat /var/log/syslog | less

# Output:
# Sep 27 10:00:01 localhost CRON[12345]: (root) CMD (command)

In this output, you can see a ‘CRON’ entry, indicating that a cron job was run by the ‘root’ user at 10:00 on September 27th.

System logging is a fundamental part of Linux system administration and security. By understanding how system logging works and how to use tools like the ‘last’ command, you can keep your system secure and running smoothly.

More Than Just User Tracking: The ‘Last’ Command

The ‘last’ command in Linux is a powerful tool that goes beyond simply tracking user activity. Its relevance extends to various areas of system administration, including security audits, troubleshooting, and more.

The Role of ‘Last’ in System Administration

In system administration, the ‘last’ command is a valuable tool for maintaining the health of your system. By providing a detailed log of user activity, it allows administrators to track usage patterns, identify potential issues, and even forecast system needs. This can be crucial in managing resources, planning system upgrades, and ensuring optimal performance.

last -F

# Output:
# user1   pts/0        192.168.1.10    Mon Sep 27 10:30:00 2021 - still logged in
# user2   pts/1        192.168.1.11    Mon Sep 27 09:45:00 2021 - Mon Sep 27 10:00:00 2021  (00:15)

In this example, the ‘-F’ option is used to print full login and logout times and dates, providing a more detailed record of user activity.

‘Last’ Command for Security Audits

From a security perspective, the ‘last’ command is a key player in conducting security audits. By reviewing login history, administrators can identify any unauthorized access attempts or suspicious activities. This information can be used to reinforce security measures and protect the system from potential threats.

last -i -n 10

# Output:
# user1   pts/0        192.168.1.10    Mon Sep 27 10:30   still logged in
# user2   pts/1        192.168.1.11    Mon Sep 27 09:45 - 10:00  (00:15)
# ...

In this example, the ‘-i’ and ‘-n’ options are used to display the IP addresses in dot notation and limit the output to the last 10 records, respectively. This can help in pinpointing any unusual login patterns.

Further Resources for Mastering Linux Commands

To further enhance your understanding of the ‘last’ command and other related concepts like system logging and user management, consider exploring the following resources:

1. The Linux Documentation Project: A comprehensive resource for all things Linux, including detailed guides on various commands and system administration topics.

2. Guide on Linux last Command: This guide by JavaTpoint covers the various options and formats of the last command, including how to filter the output and interpret the information provided.

3. Unix & Linux Stack Exchange: A question and answer site for users of Linux, FreeBSD and other Un*x-like operating systems. It’s a great place to learn from experienced users and get answers to specific questions.

Wrapping Up: Mastering the ‘Last’ Command in Linux

In this comprehensive guide, we’ve delved into the ‘last’ command in Linux, a powerful tool for tracking user activity. This command offers a window into your system’s usage, providing valuable insights for system administration and security.

We started with the basics, understanding how to use the ‘last’ command to display the last logged in users on your system. We then explored more complex uses of the ‘last’ command, such as using different flags or options to modify the command’s output or behavior.

We also discussed alternative approaches, introducing the ‘lastb’ command for tracking failed login attempts. This command, while similar to ‘last’, provides additional security insights by focusing on unsuccessful login attempts.

Along the way, we tackled common issues you might encounter while using ‘last’, such as slow performance due to large log files or the ‘No entries’ message when there are no login records. We provided solutions for these challenges, ensuring you can use the ‘last’ command effectively.

Here’s a quick comparison of the methods we’ve discussed:

Whether you’re a beginner just starting out with Linux commands or an experienced system administrator looking for a refresher, we hope this guide has helped you understand and master the ‘last’ command in Linux.

With its ability to track user activity, the ‘last’ command is an indispensable tool for maintaining system security and performance. Happy Linux-ing!