1. Overview

When we manage a multi-user system, we’ll often want to get detailed information about login activities.

In this tutorial, we’ll learn by example how to get login related information using the last and lastb commands.

2. Introduction to last and lastb

The last command displays information about the last logged-in users. It’s pretty convenient and handy when we need to track login activities or investigate a possible security breach.

The last command will, by default, take the system log file /var/log/wtmp as the data source to generate reports.

wtmp is a binary file on *nix operating systems that maintains a history of all login and logout activities.

The syntax of using the last command is:

last [options] [username...] [tty...]

The lastb command is the same as the last command, except that, by default, it searches through the /var/log/btmp file, which contains all the bad login attempts

Regular users don’t have read permission on the /var/log/btmp file:

$ ls -l /var/log/btmp
-rw-rw---- 1 root utmp 1152 Apr  5 00:04 /var/log/btmp

Therefore, only the root user can get the report of bad login attempts using the lastb command.

3. Understand the Output

If we run the last command without any options, it will generate a report of the history of all logins:

$ last
reboot   system boot  5.5.13-arch2-1   Fri Apr 10 08:02   still running
kent     pts/0        192.168.0.63     Tue Apr  7 22:01 - 23:03  (01:02)
reboot   system boot  5.5.8-arch1-1    Tue Mar 10 20:49 - 20:49  (00:00)
kent     pts/5        tmux(6716).%6    Thu Mar 26 18:58 - 19:01 (7+23:02)
root     tty1                          Fri Feb 21 18:45 - down   (00:01)
kent     pts/0        80.242.164.60    Thu Feb 20 11:39 - 11:43  (00:04)
guest    pts/0        192.168.0.63     Sun Jan 26 19:15 - 21:32  (02:17)
kent     pts/2        tmux(2044).%1    Wed Jan  8 22:39 - 01:09  (02:29)
....

Now, let’s take a look at the generated login report above and understand the meaning of each column:

The 1st column shows the name of the user who’s logged in.

The 2nd column indicates how the user is connected to the system, for example, via pts (pseudo-terminal) or tty (teletypewriter). But if it was a reboot activity, system boot will be shown.

The 3rd column tells where the user connected from. The value could be:

  • a hostname or an IP address – if the user connected from a remote computer
  • empty value – if the user connected via a tty
  • a kernel version – if it’s a reboot activity
  • some application-specific value – for example, tmux(6716).%6 means ProcessName(PID).WindowID

The 4th column reports when the login activity occurred.

The 5th column shows the logout time. It could be the following values:

  • a timestamp – if the user has logged out
  • still running- if the system boot is still running
  • still logged in – if the user is still logged in
  • down – the system is shut down normally
  • crash – if there is no logout entry in the /var/log/wtmp file; this usually means the system crashed

The last column tells us how long the user has logged in in a format of (Hours: Minutes).

4. Limit the Number of Lines in the Output

A multi-user system very likely can have many login entries recorded in the wtmp file. If we just want to examine several of the most recent login activities, we can use the -n option to limit the lines in the output of the last command:

$ last -n 5
kent     pts/0        192.168.0.63     Sat Apr 11 14:58   still logged in
kent     pts/0        192.168.0.63     Sat Apr 11 12:28 - 14:31  (02:03)
kent     pts/0        192.168.0.63     Sat Apr 11 12:07 - 12:09  (00:02)
kent     pts/0        192.168.0.63     Sat Apr 11 11:59 - 12:01  (00:01)
kent     pts/0        192.168.0.63     Sat Apr 11 11:50 - 11:50  (00:00)

wtmp begins Sun Dec 15 18:56:55 2013

5. Suppress the IP Address or Hostname Column in the Output

We’ve learned earlier that the 3rd column in the output of the last command can contain the information where the user came from: the IP address, hostname, or a kernel version if it’s a system boot activity.

In case we want to suppress this information, we can use the -R option:

$ last -n 5 -R
kent     pts/0        Sat Apr 11 14:58   still logged in
kent     pts/0        Sat Apr 11 12:28 - 14:31  (02:03)
kent     pts/0        Sat Apr 11 12:07 - 12:09  (00:02)
kent     pts/0        Sat Apr 11 11:59 - 12:01  (00:01)
kent     pts/0        Sat Apr 11 11:50 - 11:50  (00:00)

wtmp begins Sun Dec 15 18:56:55 2013

6. List the Login Activities in a Specific Time Period

The last command supports the -s (since) and -t (until) options so that we can let it print login entries in a specific time period.

For example, we can get the login activity only for yesterday:

$ last -s yesterday -t today
kent     pts/0        192.168.0.63     Fri Apr 10 11:31 - 11:31  (00:00)

wtmp begins Sun Dec 15 18:56:55 2013

The -s and -t options accept following time formats:

  • YYYYMMDDhhmmss – e.g. 19920808180808
  • YYYY-MM-DD hh:mm:ss – e.g. 1992-08-08 18:08:08 
  • YYYY-MM-DD hh:mm (seconds will default to 00)
  • YYYY-MM-DD (time will default to midnight)
  • hh:mm:ss (date will default to today)
  • hh:mm (date will default to today, seconds to 00)

In the example of the last command above, we passed two aliases, yesterday and today, to the -s and -t options. Aliases make the command straightforward to understand.

The last command supports four aliases:

  • now
  • yesterday (time is set to midnight)
  • today (time is set to midnight)
  • tomorrow (time is set to midnight)

We can also pass a relative time to the -s or the -t option.

For example, if we want to get login activities within the last five days:

$ last -s -5days
kent     pts/0        192.168.0.63     Sat Apr 11 14:58   still logged in
kent     pts/0        192.168.0.63     Sat Apr 11 12:28 - 14:31  (02:03)
kent     pts/0        192.168.0.63     Sat Apr 11 12:07 - 12:09  (00:02)
...

wtmp begins Sun Dec 15 18:56:55 2013

7. Display Login Entries Only From Specific Users

Sometimes we want to investigate the login activities from specific users. To do that, we can pass usernames to the last command.

For example, we would like to check the login entries of the users guest and root:

$ last guest root
guest    tty3                          Sat Apr 11 12:14   still logged in
root     tty2                          Wed Aug 15 23:07 - 23:08  (00:00)
guest    tty2                          Sat Dec 26 00:36 - 00:36  (00:00)
root     tty1                          Sat Apr 19 00:28 - crash  (00:07)
root     pts/2        localhost.locald Thu Mar 20 00:23 - 00:23  (00:00)
root     tty1                          Thu Dec 19 21:42 - down   (00:00)
root     pts/0        192.168.0.103    Sun Dec 15 21:32 - down   (00:02)
root     tty1                          Sun Dec 15 18:57 - down   (02:33)
...

wtmp begins Sun Dec 15 18:56:55 2013

8. Display Entries of Run Level Changes Only

We can pass the -x option to the last command to get login entries of run level changes. For example, system reboots and shutdowns:

$ last -x
reboot   system boot  5.5.8-arch1-1    Thu Mar 26 18:58 - 19:01 (7+23:02)
shutdown system down  5.5.8-arch1-1    Wed Mar 25 20:02 - 20:02  (00:00)
reboot   system boot  5.4.10-arch1-1   Mon Jan 27 20:07 - 21:11  (01:04)
shutdown system down  5.4.10-arch1-1   Mon Jan 27 18:57 - 20:07  (01:09)
reboot   system boot  5.4.10-arch1-1   Sun Jan 12 22:07 - 18:57 (14+20:50)
kent     tty2                          Sun Dec 15 18:24 - down   (00:03)
....

wtmp begins Sun Dec 15 18:56:55 2013

9. View Bad Login Attempts

We’ve talked about the lastb command briefly. It works the same as the last command. The only difference is, the lastb command just lists the failed login attempts:

root# lastb
guest    pts/6                         Sat Apr 11 12:11 - 12:11  (00:00)
guest    pts/6                         Sat Apr 11 12:11 - 12:11  (00:00)
guest    pts/6                         Sat Apr 11 12:10 - 12:10  (00:00)
guest    pts/1                         Sun Apr  5 00:04 - 00:04  (00:00)
guest    pts/1                         Sun Apr  5 00:04 - 00:04  (00:00)
guest    pts/1                         Sun Apr  5 00:03 - 00:03  (00:00)

btmp begins Sun Apr  5 00:03:55 2020

10. Conclusion

The last and the lastb commands are very important in Linux administration since they help for the audit trail.

In this article, we’ve learned by example the common usages of these commands.

Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments