Home Linux Commands How To Find Last Logged In Users In Linux

How To Find Last Logged In Users In Linux

By sk
Published: Updated: 21K views

In this tutorial, we will see how to find last logged in users in Linux using last, lastb and lastlog commands with examples.

Introduction

As a Linux system administrator, you should routinely check the login date and time of the users in your Linux server. It gives you some useful details such as how many users are active, how many users are inactive and when do they log in and for how long etc.

If some user accounts haven't been used for a long time, you can simply lock them if they are no longer needed. You can also use the last login dates when auditing your Linux servers and investigate which user could have caused the problem.

Fortunately, the GNU/Linux operating system includes the triplet commands namely last, lastb and lastlog to display the recent users' login dates.

1. Display list of last logged in users in Linux with last command

As the name says, the last command is used to view the last logged in users in Linux and Unix-like systems. It reads through the /var/log/wtmp file and finds all logged in as well as logged out users since that file was created. You can also list the recent login dates of a specific user and even find who rebooted the Linux system with the help of last command.

Please note that your system only logs information in the wtmp file. If this file is not available for any reason, simply create it with touch command like below:

$ sudo touch /var/log/wtmp

Now let us find out the recent login dates and times with last command.

To show the last logins, their duration and other information in your Linux system, simply run:

$ last

Sample output:

ostechni pts/0        192.168.225.37   Thu Jan  7 08:30   still logged in
ostechni tty1                          Thu Jan  7 08:29   still logged in
reboot   system boot  5.4.0-53-generic Thu Jan  7 08:20   still running
reboot   system boot  5.4.0-48-generic Fri Nov 20 10:13 - 11:44  (01:31)
.
.
.
reboot   system boot  5.4.0-33-generic Wed Jul  8 08:49 - 11:41  (02:52)
ostechni web console                   Mon Jul  6 08:19 - 08:20  (00:00)
ostechni pts/2        192.168.225.37   Mon Jul  6 08:14 - 08:30  (00:15)
ostechni pts/0        192.168.225.37   Mon Jul  6 07:41 - 12:27  (04:45)
reboot   system boot  5.4.0-33-generic Mon Jul  6 07:21 - 12:27  (05:06)
ostechni pts/3        192.168.225.37   Sat Jul  4 12:01 - 12:12  (00:10)
ostechni pts/2        192.168.225.37   Sat Jul  4 11:14 - 13:01  (01:46)
ostechni pts/0        192.168.225.37   Sat Jul  4 07:55 - 13:01  (05:05)
reboot   system boot  5.4.0-33-generic Sat Jul  4 07:53 - 13:03  (05:09)
ostechni tty1                          Fri May 29 10:07 - down   (00:00)
reboot   system boot  5.4.0-33-generic Fri May 29 10:06 - 10:07  (00:01)
ostechni pts/0        192.168.225.37   Fri May 29 09:36 - 10:06  (00:29)
ostechni tty1                          Fri May 29 09:36 - down   (00:29)
reboot   system boot  5.4.0-31-generic Fri May 29 09:35 - 10:06  (00:30)
ostechni tty1                          Sun May 24 13:17 - down   (00:02)
reboot   system boot  5.4.0-31-generic Sun May 24 13:16 - 13:20  (00:03)

wtmp begins Sun May 24 13:16:52 2020
List last logged in users in Linux with last command
List last logged in users in Linux with last command

As you see in the above output, the last command shows the following details of recent logins:

  • Name of the user. If any user is still logged in, it will display that details too.
  • Type of the terminal device (E.g. tty or pts) on which the session took place.
  • Source IP address or hostname from which the user logged in.
  • The login date and time stamp (i.e. the login session start and stop times).
  • The total duration of the session.
  • The last line indicates the date and time of the earliest recorded session in the wtmp log file.

In the above output, you might have noticed that there is a login entry of a special user named reboot. The last command keeps the records of this user each time the computer is booted up.

When we run last command without any options, it will show the entire log output. It has many options to filter, format, and limit output as per your liking. I have included examples for most common options.

1.1. Limit output to specific user

As stated already, the last command lists all recent logins recorded in the wtmp file. If you want to display the recent logins of a specific user (i.e. view all logins by a specific user), for example ostechnix, the command would be:

$ last ostechnix

Sample output:

ostechni pts/0        192.168.225.37   Thu Jan  7 08:30   still logged in
ostechni tty1                          Thu Jan  7 08:29   still logged in
ostechni pts/0        192.168.225.37   Wed Jan  6 11:02 - 13:31  (02:28)
[...]
Display the recent logins of specific user with last command
Display the recent logins of specific user with last command

You can also specify multiple usernames with comma-separated like below:

$ last ostechnix sk

1.2. Limit output to specific tty or pts

The last command keeps the record of the type of the terminal device (E.g. tty or pts) on which the session took place.

Say for example, the users might have logged to the Linux machine either locally or via ssh. If you want to restrict the output to specific tty, simply run:

$ last tty1

Sample output:

ostechni tty1                          Thu Jan  7 08:29   still logged in
ostechni tty1                          Wed Jan  6 11:00 - down   (02:31)
ostechni tty1                          Fri Nov 20 11:52 - down   (00:38)
[...]

Names of ttys can be abbreviated. For instance, you can run last 1 instead of last tty1.

Similarly, to list only pts sessions' logins, run:

$ last pts/0
ostechni pts/0        192.168.225.37   Thu Jan  7 08:30   still logged in
ostechni pts/0        192.168.225.37   Wed Jan  6 11:02 - 13:31  (02:28)
sk       pts/0        192.168.225.37   Wed Jan  6 11:02 - 11:02  (00:00)
[...]

You can also specify multiple usernames with ttys like below:

$ last ostechnix sk pts/0 tty1

1.3. Limit output to specific number of lines

The wtmp log file could have large number of entries. If you want to restrict the output of last command to certain number of lines, use -n flag like below:

$ last -n 5

Or,

$ last -5

The above command will only display the 5 lines in the output:

ostechni pts/0        192.168.225.37   Thu Jan  7 08:30   still logged in
ostechni tty1                          Thu Jan  7 08:29   still logged in
reboot   system boot  5.4.0-53-generic Thu Jan  7 08:20   still running
ostechni pts/0        192.168.225.37   Wed Jan  6 11:02 - 13:31  (02:28)
sk       pts/0        192.168.225.37   Wed Jan  6 11:02 - 11:02  (00:00)

wtmp begins Sun May 24 13:16:52 2020

1.4. Show hostname instead of IP address

By default, last command shows the source IP from which the user logged it. If you want to display hostname instead of IP address, use -d (or --dns) option:

$ last -d -5

You can also display full user names and domain names in the output with -w (or --fullnames) option.

1.5. Hide hostname and IP address

To suppress the hostname or IP field, use -R option.

$ last -5 -R

Sample output:

ostechni pts/0        Thu Jan  7 08:30   still logged in
ostechni tty1         Thu Jan  7 08:29   still logged in
reboot   system boot  Thu Jan  7 08:20   still running
ostechni pts/0        Wed Jan  6 11:02 - 13:31  (02:28)
sk       pts/0        Wed Jan  6 11:02 - 11:02  (00:00)

wtmp begins Sun May 24 13:16:52 2020

1.6. Show user login records on a specific time

The -p (or --present) option is used to find who was logged in at present or at a specified time.

For example, run the following command to list last logged in users at a 8:30 today:

$ last -p 08:30

Sample output:

ostechni tty1                          Thu Jan  7 08:29   still logged in
reboot   system boot  5.4.0-53-generic Thu Jan  7 08:20   still running

wtmp begins Sun May 24 13:16:52 2020

To list who is logged at present (i.e. at the time of running this command, run:

$ last -p now
Find logged in users at specific time
Find logged in users at specific time

1.7. Display logged in users within specific time interval

The last command has two options namely -s (--since) and -t (--until) to display logged in users within a specific period of time. The -s option is used to display the state of logins since the specified time and the -t option is used to display the state of logins until the specified time.

For example, if you want to display the last logins that took place from 2021-01-07 to 2021-01-11, the command is:

$ last -s 2021-01-07 -t 2021-01-11

Sample output:

ostechni pts/0        192.168.225.37   Thu Jan  7 08:30 - 13:16  (04:46)
ostechni tty1                          Thu Jan  7 08:29 - down   (04:47)
reboot   system boot  5.4.0-53-generic Thu Jan  7 08:20 - 13:16  (04:56)

wtmp begins Sun May 24 13:16:52 2020

To view recent logins from yesterday to today, run:

$ last -s yesterday -t today

If you want to only list login records since January 07, 2021 to till date, run:

$ last -s 2021-01-07
ostechni pts/0        192.168.225.37   Mon Jan 11 06:39   still logged in
reboot   system boot  5.4.0-59-generic Mon Jan 11 06:37   still running
ostechni pts/0        192.168.225.37   Thu Jan  7 08:30 - 13:16  (04:46)
ostechni tty1                          Thu Jan  7 08:29 - down   (04:47)
reboot   system boot  5.4.0-53-generic Thu Jan  7 08:20 - 13:16  (04:56)

wtmp begins Sun May 24 13:16:52 2020

1.8. Display last logged in users with full date and time

The -F (--fulltimes) option is used to display the full login and logout date and time in last command's output.

$ last -5 -F

Sample output:

ostechni pts/0        192.168.225.37   Mon Jan 11 06:39:29 2021   still logged in
[...]

1.9. Display hostname in the last column

The -a (--hostlast) option is used to display the hostname column last to prevent truncation.

$ last -d -a
ostechni pts/0        Mon Jan 11 06:39   still logged in    ostechnix
[...]

1.10. View last login records of pseudo user "reboot"

As I mentioned earlier, the last command keeps the record of a special pseudo users named "reboot" and "shutdown".

To view last login details of "reboot" and "shutdown" users, use the following commands:

$ last reboot
$ last shutdown

2. Display failed login attempts using lastb in Linux

The lastb is same as last command, but it only lists all the bad login attempts. It gets the failed login details from the /var/log/btmp file.

Please note that your system only logs information in the btmp file if it is present. If this file is not available for any reason, simply create it with touch command like below:

$ sudo touch /var/log/btmp

Now we can display the failed login attempts using lastb command like below:

$ sudo lastb

Sample output:

UNKNOWN  tty1                          Mon Jan 11 07:51 - 07:51  (00:00)
sk       tty1                          Mon Jan 11 07:51 - 07:51  (00:00)
UNKNOWN  tty1                          Mon Jan 11 07:51 - 07:51  (00:00)
sk       tty1                          Mon Jan 11 07:51 - 07:51  (00:00)
ostechni ssh:notty    192.168.225.37   Mon Jan 11 07:49 - 07:49  (00:00)
ostechni ssh:notty    192.168.225.37   Mon Jan 11 07:49 - 07:49  (00:00)
ostechni ssh:notty    192.168.225.37   Mon Jan 11 07:49 - 07:49  (00:00)
UNKNOWN  tty1                          Wed Jan  6 10:59 - 10:59  (00:00)

btmp begins Wed Jan  6 10:59:57 2021
Display failed login attempts using lastb command in Linux
Display failed login attempts using lastb command in Linux

The above commands lists all unsuccessful login attempts by all users in the Linux system. It also shows failed login attempts that took place via SSH.

3. Find last logged in users in Linux with lastlog command

The lastlog command shows the most recent login of all users or of a specific user in Linux and Unix-like operating systems. It retrieves the list of last logged in users from /var/log/lastlog file and displays the result in standard output.

To display the most recent login of all users, run:

$ lastlog

Sample output:

Username         Port     From             Latest
root                                       **Never logged in**
daemon                                     **Never logged in**
bin                                        **Never logged in**
[...]
systemd-coredump                           **Never logged in**
ostechnix        tty1                      Mon Jan 11 07:51:46 +0000 2021
lxd                                        **Never logged in**
dnsmasq                                    **Never logged in**
libvirt-qemu                               **Never logged in**
libvirt-dnsmasq                            **Never logged in**
cockpit-ws                                 **Never logged in**
cockpit-wsinstance                           **Never logged in**
libvirtdbus                                **Never logged in**
_flatpak                                   **Never logged in**
sk               pts/0    192.168.225.37   Wed Jan  6 11:02:17 +0000 2021
root                                       **Never logged in**
nobody                                     **Never logged in**
Find last logged in users in Linux with lastlog command
Find last logged in users in Linux with lastlog command

As you see in the above output, lastlog command displays the last login records of system user accounts as well as other service accounts such as bin, daemon, sys, mail, nobody etc.

The lastlog command prints the login-name, port, source IP address from which the user logged in and the last login date and time. If an user has never logged in, it will print the message ** Never logged in** instead of the port and time in the output.

You might be wondering why there are many service accounts have never logged in. This is because the login shells for these accounts are set to either /sbin/nologin. It is common security practice used to limit direct access to the shell.

3.1. Display last logged in details of a specific user

If you want to display lastlog record of a specified user, for example ostechnix, the command would be:

$ lastlog -u ostechnix

Sample output:

Username         Port     From             Latest
ostechnix        tty1                      Mon Jan 11 07:51:46 +0000 2021

3.2. Display last logged in records before or recent than X days

The lastlog command can able to display recent login records before than or recent than X days.

For instance, you can get recent login records of all users before than 5 days using -b flag like below:

$ lastlog -b 5

Similarly, to display login records more recent than 5 days, use -t flag:

$ lastlog -t 5

3.3. Remove or clear the last login information using lastlog in Linux

If you don't want the lastlog record of an user, just clear them using -C (--clear) flag:

$ sudo lastlog -u ostechnix -C

To verify if the log record is cleared, run:

$ lastlog -u ostechnix
Username         Port     From             Latest
ostechnix                                         **Never logged in**

Getting help

For more details, refer the help section of the respective command.

$ last --help
$ lastb --help
$ lastlog --help

Or go through the man pages of each command:

$ man last
$ man lastb
$ man lastlog

Conclusion

The last, lastb and lastlog commands comes in rescue to detect suspicious user activities in a Linux system. Finding who is recently logged in (or logged out from) the Linux server, when did they log in and for how long are the important details that will definitely help you at troubleshooting times.

You May Also Like

Leave a Comment

* By using this form you agree with the storage and handling of your data by this website.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

This website uses cookies to improve your experience. By using this site, we will assume that you're OK with it. Accept Read More