When we manage a multi-user system, we’ll often want to get detailed information about login activities.
In this tutorial, we’ll learn by example how to get login-related information using the last and lastb commands.
2. Introduction to last and lastb
The last command displays information about the last logged-in users. It’s pretty convenient and handy when we need to track login activities or investigate a possible security breach.
The last command will, by default, take the system log file /var/log/wtmp as the data source to generate reports.
wtmp is a binary file on *nix operating systems that maintains a history of all login and logout activities.
The syntax of using the last command is:
last [options] [username...] [tty...]
The lastb command is the same as the last command, except that, by default, it searches through the /var/log/btmp file, which contains all the bad login attempts.
Regular users don’t have read permission on the /var/log/btmp file:
    $ ls -l /var/log/btmp
    -rw-rw---- 1 root utmp 1152 Apr 5 00:04 /var/log/btmp
Therefore, only the root user can get the report of bad login attempts using the lastb command.
3. Understand the Output
If we run the last command without any options, it will generate a report of the history of all logins:
    $ last
    reboot   system boot  5.5.13-arch2-1   Fri Apr 10 08:02   still running
    kent     pts/0        192.168.0.63     Tue Apr  7 22:01 - 23:03  (01:02)
    reboot   system boot  5.5.8-arch1-1    Tue Mar 10 20:49 - 20:49  (00:00)
    kent     pts/5        tmux(6716).%6    Thu Mar 26 18:58 - 19:01 (7+23:02)
    root     tty1                          Fri Feb 21 18:45 - down   (00:01)
    kent     pts/0        22.214.171.124   Thu Feb 20 11:39 - 11:43  (00:04)
    guest    pts/0        192.168.0.63     Sun Jan 26 19:15 - 21:32  (02:17)
    kent     pts/2        tmux(2044).%1    Wed Jan  8 22:39 - 01:09  (02:29)
    ....
Now, let’s take a look at the generated login report above and understand the meaning of each column:
The 1st column shows the name of the user who’s logged in.
The 2nd column indicates how the user is connected to the system, for example, via pts (pseudo-terminal) or tty (teletypewriter). But if it was a reboot activity, system boot will be shown.
The 3rd column tells where the user connected from. The value could be:
- a hostname or an IP address – if the user connected from a remote computer
- empty value – if the user connected via a tty
- a kernel version – if it’s a reboot activity
- some application-specific value – for example, tmux(6716).%6 means ProcessName(PID).WindowID
The 4th column reports when the login activity occurred.
The 5th column shows the logout time. It could be the following values:
- a timestamp – if the user has logged out
- still running – if the system boot is still running
- still logged in – if the user is still logged in
- down – the system is shut down normally
- crash – if there is no logout entry in the /var/log/wtmp file; this usually means the system crashed
The last column tells us how long the user was logged in, in the format (Hours:Minutes).
4. Limit the Number of Lines in the Output
A multi-user system is likely to have many login entries recorded in the wtmp file. If we just want to examine the most recent login activities, we can use the -n option to limit the number of lines in the output of the last command:

    $ last -n 5
    kent     pts/0        192.168.0.63     Sat Apr 11 14:58   still logged in
    kent     pts/0        192.168.0.63     Sat Apr 11 12:28 - 14:31  (02:03)
    kent     pts/0        192.168.0.63     Sat Apr 11 12:07 - 12:09  (00:02)
    kent     pts/0        192.168.0.63     Sat Apr 11 11:59 - 12:01  (00:01)
    kent     pts/0        192.168.0.63     Sat Apr 11 11:50 - 11:50  (00:00)

    wtmp begins Sun Dec 15 18:56:55 2013
5. Suppress the IP Address or Hostname Column in the Output
We’ve learned earlier that the 3rd column in the output of the last command shows where the user came from: the IP address, the hostname, or a kernel version if it’s a system boot activity.
If we want to suppress this information, we can use the -R option:

    $ last -n 5 -R
    kent     pts/0        Sat Apr 11 14:58   still logged in
    kent     pts/0        Sat Apr 11 12:28 - 14:31  (02:03)
    kent     pts/0        Sat Apr 11 12:07 - 12:09  (00:02)
    kent     pts/0        Sat Apr 11 11:59 - 12:01  (00:01)
    kent     pts/0        Sat Apr 11 11:50 - 11:50  (00:00)

    wtmp begins Sun Dec 15 18:56:55 2013
6. List the Login Activities in a Specific Time Period
The last command supports the -s (since) and -t (until) options so that we can let it print login entries in a specific time period.
For example, we can get the login activity only for yesterday:
    $ last -s yesterday -t today
    kent     pts/0        192.168.0.63     Fri Apr 10 11:31 - 11:31  (00:00)

    wtmp begins Sun Dec 15 18:56:55 2013

The -s and -t options accept the following time formats:
- YYYYMMDDhhmmss – e.g. 19920808180808
- YYYY-MM-DD hh:mm:ss – e.g. 1992-08-08 18:08:08
- YYYY-MM-DD hh:mm (seconds will default to 00)
- YYYY-MM-DD (time will default to midnight)
- hh:mm:ss (date will default to today)
- hh:mm (date will default to today, seconds to 00)
In the example of the last command above, we passed two aliases, yesterday and today, to the -s and -t options. Aliases make the command straightforward to understand.
The last command supports four aliases:
- now
- yesterday (time is set to midnight)
- today (time is set to midnight)
- tomorrow (time is set to midnight)
We can also pass a relative time to the -s or the -t option.
For example, if we want to get login activities within the last five days:
    $ last -s -5days
    kent     pts/0        192.168.0.63     Sat Apr 11 14:58   still logged in
    kent     pts/0        192.168.0.63     Sat Apr 11 12:28 - 14:31  (02:03)
    kent     pts/0        192.168.0.63     Sat Apr 11 12:07 - 12:09  (00:02)
    ...

    wtmp begins Sun Dec 15 18:56:55 2013
7. Display Login Entries Only From Specific Users
Sometimes we want to investigate the login activities from specific users. To do that, we can pass usernames to the last command.
For example, we would like to check the login entries of the users guest and root:
    $ last guest root
    guest    tty3                          Sat Apr 11 12:14   still logged in
    root     tty2                          Wed Aug 15 23:07 - 23:08  (00:00)
    guest    tty2                          Sat Dec 26 00:36 - 00:36  (00:00)
    root     tty1                          Sat Apr 19 00:28 - crash  (00:07)
    root     pts/2        localhost.locald Thu Mar 20 00:23 - 00:23  (00:00)
    root     tty1                          Thu Dec 19 21:42 - down   (00:00)
    root     pts/0        192.168.0.103    Sun Dec 15 21:32 - down   (00:02)
    root     tty1                          Sun Dec 15 18:57 - down   (02:33)
    ...

    wtmp begins Sun Dec 15 18:56:55 2013
8. Display Entries of Run Level Changes Only
We can pass the -x option to the last command to get login entries of run level changes, such as system reboots and shutdowns:

    $ last -x
    reboot   system boot  5.5.8-arch1-1    Thu Mar 26 18:58 - 19:01 (7+23:02)
    shutdown system down  5.5.8-arch1-1    Wed Mar 25 20:02 - 20:02  (00:00)
    reboot   system boot  5.4.10-arch1-1   Mon Jan 27 20:07 - 21:11  (01:04)
    shutdown system down  5.4.10-arch1-1   Mon Jan 27 18:57 - 20:07  (01:09)
    reboot   system boot  5.4.10-arch1-1   Sun Jan 12 22:07 - 18:57 (14+20:50)
    kent     tty2                          Sun Dec 15 18:24 - down   (00:03)
    ....

    wtmp begins Sun Dec 15 18:56:55 2013
9. View Bad Login Attempts
We’ve talked about the lastb command briefly. It works the same as the last command. The only difference is that the lastb command lists just the failed login attempts:

    root# lastb
    guest    pts/6                         Sat Apr 11 12:11 - 12:11  (00:00)
    guest    pts/6                         Sat Apr 11 12:11 - 12:11  (00:00)
    guest    pts/6                         Sat Apr 11 12:10 - 12:10  (00:00)
    guest    pts/1                         Sun Apr  5 00:04 - 00:04  (00:00)
    guest    pts/1                         Sun Apr  5 00:04 - 00:04  (00:00)
    guest    pts/1                         Sun Apr  5 00:03 - 00:03  (00:00)

    btmp begins Sun Apr 5 00:03:55 2020
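As an added example (not part of the original article), the script below tallies failed attempts per user and source from lastb output in the default column layout described in section 3, treating an empty 3rd column as a local login. The sample lines, the 192.0.2.10 address and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the default lastb layout (not real data).
sample_lastb() {
cat <<'EOF'
guest    pts/6                         Sat Apr 11 12:11 - 12:11  (00:00)
guest    pts/6                         Sat Apr 11 12:11 - 12:11  (00:00)
guest    pts/6                         Sat Apr 11 12:10 - 12:10  (00:00)
admin    ssh:notty    192.0.2.10       Sat Apr 11 09:01 - 09:01  (00:00)
admin    ssh:notty    192.0.2.10       Sat Apr 11 09:01 - 09:01  (00:00)
root     ssh:notty    192.0.2.10       Sat Apr 11 09:00 - 09:00  (00:00)

btmp begins Sun Apr  5 00:03:55 2020
EOF
}

# Read lastb-style lines on stdin; print "count user source",
# highest count first.
summarize_failures() {
  awk '
    NF == 0 || $2 == "begins" { next }   # skip blank line and "btmp begins" trailer
    {
      # When the 3rd column is empty, awk sees the weekday as field 3.
      # Assumption: no remote host is literally named like a weekday.
      src = ($3 ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/) ? "local" : $3
      n[$1 " " src]++
    }
    END { for (k in n) print n[k], k }
  ' | LC_ALL=C sort -k1,1nr -k2
}

# Print user@source pairs with at least $1 failed attempts.
flag_sources() {
  summarize_failures | awk -v t="$1" '$1 >= t { print $2 "@" $3 }'
}

# Demo run on the constructed sample.
sample_lastb | summarize_failures
```

On a real system, the same functions take live data when run as root: `lastb | summarize_failures`.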
The last and the lastb commands are very important in Linux administration since they help us maintain an audit trail.
In this article, we’ve learned by example the common usages of these commands.