In this tutorial, we will see how to find last logged in users in Linux using the last, lastb and lastlog commands with examples.
Introduction
As a Linux system administrator, you should routinely check the login date and time of the users on your Linux server. It gives you useful details such as how many users are active, how many are inactive, when they log in and for how long.
If some user accounts haven't been used for a long time, you can simply lock them if they are no longer needed. You can also use the last login dates when auditing your Linux servers and investigating which user could have caused a problem.
Fortunately, the GNU/Linux operating system includes a trio of commands, namely last, lastb and lastlog, to display the recent users' login dates.
1. Display list of last logged in users in Linux with last command
As the name says, the last command is used to view the last logged in users in Linux and Unix-like systems. It reads through the /var/log/wtmp file and finds all logged in as well as logged out users since that file was created. You can also list the recent login dates of a specific user and even find who rebooted the Linux system with the help of the last command.
Please note that your system only logs information in the wtmp file if it is present. If this file is not available for any reason, simply create it with the touch command like below:
$ sudo touch /var/log/wtmp
Now let us find out the recent login dates and times with the last command.
To show the last logins, their duration and other information in your Linux system, simply run:
$ last
Sample output:
ostechni pts/0        192.168.225.37   Thu Jan  7 08:30   still logged in
ostechni tty1                          Thu Jan  7 08:29   still logged in
reboot   system boot  5.4.0-53-generic Thu Jan  7 08:20   still running
reboot   system boot  5.4.0-48-generic Fri Nov 20 10:13 - 11:44  (01:31)
. . .
reboot   system boot  5.4.0-33-generic Wed Jul  8 08:49 - 11:41  (02:52)
ostechni web console                   Mon Jul  6 08:19 - 08:20  (00:00)
ostechni pts/2        192.168.225.37   Mon Jul  6 08:14 - 08:30  (00:15)
ostechni pts/0        192.168.225.37   Mon Jul  6 07:41 - 12:27  (04:45)
reboot   system boot  5.4.0-33-generic Mon Jul  6 07:21 - 12:27  (05:06)
ostechni pts/3        192.168.225.37   Sat Jul  4 12:01 - 12:12  (00:10)
ostechni pts/2        192.168.225.37   Sat Jul  4 11:14 - 13:01  (01:46)
ostechni pts/0        192.168.225.37   Sat Jul  4 07:55 - 13:01  (05:05)
reboot   system boot  5.4.0-33-generic Sat Jul  4 07:53 - 13:03  (05:09)
ostechni tty1                          Fri May 29 10:07 - down   (00:00)
reboot   system boot  5.4.0-33-generic Fri May 29 10:06 - 10:07  (00:01)
ostechni pts/0        192.168.225.37   Fri May 29 09:36 - 10:06  (00:29)
ostechni tty1                          Fri May 29 09:36 - down   (00:29)
reboot   system boot  5.4.0-31-generic Fri May 29 09:35 - 10:06  (00:30)
ostechni tty1                          Sun May 24 13:17 - down   (00:02)
reboot   system boot  5.4.0-31-generic Sun May 24 13:16 - 13:20  (00:03)

wtmp begins Sun May 24 13:16:52 2020
As you see in the above output, the last command shows the following details of recent logins:
- Name of the user. If any user is still logged in, it will display those details too.
- Type of the terminal device (E.g. tty or pts) on which the session took place.
- Source IP address or hostname from which the user logged in.
- The login date and time stamp (i.e. the login session start and stop times).
- The total duration of the session.
- The last line indicates the date and time of the earliest recorded session in the wtmp log file.
In the above output, you might have noticed that there is a login entry for a special user named reboot. The last command records an entry for this user each time the computer is booted up.
When we run the last command without any options, it will show the entire log output. It has many options to filter, format, and limit the output as per your liking. I have included examples for the most common options.
1.1. Limit output to specific user
As stated already, the last command lists all recent logins recorded in the wtmp file. If you want to display the recent logins of a specific user (i.e. view all logins by a specific user), for example ostechnix, the command would be:
$ last ostechnix
Sample output:
ostechni pts/0        192.168.225.37   Thu Jan  7 08:30   still logged in
ostechni tty1                          Thu Jan  7 08:29   still logged in
ostechni pts/0        192.168.225.37   Wed Jan  6 11:02 - 13:31  (02:28)
[...]
You can also specify multiple usernames, separated by spaces, like below:
$ last ostechnix sk
1.2. Limit output to specific tty or pts
The last command keeps a record of the type of the terminal device (E.g. tty or pts) on which the session took place.
For example, the users might have logged in to the Linux machine either locally or via ssh. If you want to restrict the output to a specific tty, simply run:
$ last tty1
Sample output:
ostechni tty1                          Thu Jan  7 08:29   still logged in
ostechni tty1                          Wed Jan  6 11:00 - down   (02:31)
ostechni tty1                          Fri Nov 20 11:52 - down   (00:38)
[...]
Names of ttys can be abbreviated. For instance, you can run last 1 instead of last tty1.
Similarly, to list only the logins of pts sessions, run:
$ last pts/0
ostechni pts/0        192.168.225.37   Thu Jan  7 08:30   still logged in
ostechni pts/0        192.168.225.37   Wed Jan  6 11:02 - 13:31  (02:28)
sk       pts/0        192.168.225.37   Wed Jan  6 11:02 - 11:02  (00:00)
[...]
You can also specify multiple usernames with ttys like below:
$ last ostechnix sk pts/0 tty1
1.3. Limit output to specific number of lines
The wtmp log file could have a large number of entries. If you want to restrict the output of the last command to a certain number of lines, use the -n flag like below:
$ last -n 5
Or,
$ last -5
The above command will display only 5 lines in the output:
ostechni pts/0        192.168.225.37   Thu Jan  7 08:30   still logged in
ostechni tty1                          Thu Jan  7 08:29   still logged in
reboot   system boot  5.4.0-53-generic Thu Jan  7 08:20   still running
ostechni pts/0        192.168.225.37   Wed Jan  6 11:02 - 13:31  (02:28)
sk       pts/0        192.168.225.37   Wed Jan  6 11:02 - 11:02  (00:00)

wtmp begins Sun May 24 13:16:52 2020
1.4. Show hostname instead of IP address
By default, the last command shows the source IP address from which the user logged in. If you want to display the hostname instead of the IP address, use the -d (or --dns) option:
$ last -d -5
You can also display full user names and domain names in the output with the -w (or --fullnames) option.
1.5. Hide hostname and IP address
To suppress the hostname or IP field, use the -R option.
$ last -5 -R
Sample output:
ostechni pts/0        Thu Jan  7 08:30   still logged in
ostechni tty1         Thu Jan  7 08:29   still logged in
reboot   system boot  Thu Jan  7 08:20   still running
ostechni pts/0        Wed Jan  6 11:02 - 13:31  (02:28)
sk       pts/0        Wed Jan  6 11:02 - 11:02  (00:00)

wtmp begins Sun May 24 13:16:52 2020
1.6. Show user login records on a specific time
The -p (or --present) option is used to find who was logged in at present or at a specified time.
For example, run the following command to list the users logged in at 8:30 today:
$ last -p 08:30
Sample output:
ostechni tty1                          Thu Jan  7 08:29   still logged in
reboot   system boot  5.4.0-53-generic Thu Jan  7 08:20   still running

wtmp begins Sun May 24 13:16:52 2020
To list who is logged in at present (i.e. at the time of running this command), run:
$ last -p now
1.7. Display logged in users within specific time interval
The last command has two options, namely -s (--since) and -t (--until), to display logged in users within a specific period of time. The -s option is used to display the state of logins since the specified time and the -t option is used to display the state of logins until the specified time.
For example, if you want to display the last logins that took place from 2021-01-07 to 2021-01-11, the command is:
$ last -s 2021-01-07 -t 2021-01-11
Sample output:
ostechni pts/0        192.168.225.37   Thu Jan  7 08:30 - 13:16  (04:46)
ostechni tty1                          Thu Jan  7 08:29 - down   (04:47)
reboot   system boot  5.4.0-53-generic Thu Jan  7 08:20 - 13:16  (04:56)

wtmp begins Sun May 24 13:16:52 2020
To view recent logins from yesterday to today, run:
$ last -s yesterday -t today
If you want to list only the login records from January 07, 2021 to date, run:
$ last -s 2021-01-07
ostechni pts/0        192.168.225.37   Mon Jan 11 06:39   still logged in
reboot   system boot  5.4.0-59-generic Mon Jan 11 06:37   still running
ostechni pts/0        192.168.225.37   Thu Jan  7 08:30 - 13:16  (04:46)
ostechni tty1                          Thu Jan  7 08:29 - down   (04:47)
reboot   system boot  5.4.0-53-generic Thu Jan  7 08:20 - 13:16  (04:56)

wtmp begins Sun May 24 13:16:52 2020
1.8. Display last logged in users with full date and time
The -F (--fulltimes) option is used to display the full login and logout date and time in the last command's output.
$ last -5 -F
Sample output:
ostechni pts/0        192.168.225.37   Mon Jan 11 06:39:29 2021   still logged in
[...]
1.9. Display hostname in the last column
The -a (--hostlast) option is used to display the hostname column last to prevent truncation.
$ last -d -a
ostechni pts/0        Mon Jan 11 06:39   still logged in    ostechnix
[...]
1.10. View last login records of pseudo user "reboot"
As I mentioned earlier, the last command keeps records of special pseudo users named "reboot" and "shutdown".
To view last login details of "reboot" and "shutdown" users, use the following commands:
$ last reboot
$ last shutdown
2. Display failed login attempts using lastb in Linux
The lastb command is the same as the last command, but it lists only the bad login attempts. It gets the failed login details from the /var/log/btmp file.
Please note that your system only logs information in the btmp file if it is present. If this file is not available for any reason, simply create it with the touch command like below:
$ sudo touch /var/log/btmp
Now we can display the failed login attempts using lastb command like below:
$ sudo lastb
Sample output:
UNKNOWN  tty1                          Mon Jan 11 07:51 - 07:51  (00:00)
sk       tty1                          Mon Jan 11 07:51 - 07:51  (00:00)
UNKNOWN  tty1                          Mon Jan 11 07:51 - 07:51  (00:00)
sk       tty1                          Mon Jan 11 07:51 - 07:51  (00:00)
ostechni ssh:notty    192.168.225.37   Mon Jan 11 07:49 - 07:49  (00:00)
ostechni ssh:notty    192.168.225.37   Mon Jan 11 07:49 - 07:49  (00:00)
ostechni ssh:notty    192.168.225.37   Mon Jan 11 07:49 - 07:49  (00:00)
UNKNOWN  tty1                          Wed Jan  6 10:59 - 10:59  (00:00)

btmp begins Wed Jan  6 10:59:57 2021
The above command lists all unsuccessful login attempts by all users in the Linux system. It also shows failed login attempts that took place via SSH.
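A long lastb listing is easier to review as a tally of failures per user and source. The following is an added example, not part of the original tutorial: failed_login_summary and its threshold argument are hypothetical names, and the sample lines are constructed from the output shown above.

```shell
#!/bin/sh
# Added example: tally failed logins per user and source from lastb output.
# Live usage (needs root):  sudo lastb -w | failed_login_summary 3

# failed_login_summary [THRESHOLD]   (hypothetical helper, lastb output on stdin)
# Prints "COUNT USER SOURCE" for each pair with >= THRESHOLD failures.
failed_login_summary() {
    awk -v min="${1:-3}" '
        # Skip blank lines and the "btmp begins ..." trailer.
        NF == 0 || $1 == "btmp" { next }
        {
            # Console attempts carry no host column, so field 3 is then
            # the weekday; report those with the source "local".
            src = ($3 ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/) ? "local" : $3
            count[$1 " " src]++
        }
        END {
            for (k in count)
                if (count[k] >= min) print count[k], k
        }
    ' | LC_ALL=C sort -k1,1nr -k2,3
}

# Constructed sample input, modelled on the lastb listing above.
sample_lastb() {
    cat <<'EOF'
UNKNOWN  tty1                          Mon Jan 11 07:51 - 07:51  (00:00)
sk       tty1                          Mon Jan 11 07:51 - 07:51  (00:00)
UNKNOWN  tty1                          Mon Jan 11 07:51 - 07:51  (00:00)
sk       tty1                          Mon Jan 11 07:51 - 07:51  (00:00)
ostechni ssh:notty    192.168.225.37   Mon Jan 11 07:49 - 07:49  (00:00)
ostechni ssh:notty    192.168.225.37   Mon Jan 11 07:49 - 07:49  (00:00)
ostechni ssh:notty    192.168.225.37   Mon Jan 11 07:49 - 07:49  (00:00)
UNKNOWN  tty1                          Wed Jan  6 10:59 - 10:59  (00:00)

btmp begins Wed Jan  6 10:59:57 2021
EOF
}

sample_lastb | failed_login_summary 3
```

Piping lastb -w into the function avoids merging distinct accounts whose names are truncated in the default listing.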
3. Find last logged in users in Linux with lastlog command
The lastlog command shows the most recent login of all users or of a specific user in Linux and Unix-like operating systems. It retrieves the list of last logged in users from the /var/log/lastlog file and displays the result in standard output.
To display the most recent login of all users, run:
$ lastlog
Sample output:
Username         Port     From             Latest
root                                       **Never logged in**
daemon                                     **Never logged in**
bin                                        **Never logged in**
[...]
systemd-coredump                           **Never logged in**
ostechnix        tty1                      Mon Jan 11 07:51:46 +0000 2021
lxd                                        **Never logged in**
dnsmasq                                    **Never logged in**
libvirt-qemu                               **Never logged in**
libvirt-dnsmasq                            **Never logged in**
cockpit-ws                                 **Never logged in**
cockpit-wsinstance                         **Never logged in**
libvirtdbus                                **Never logged in**
_flatpak                                   **Never logged in**
sk               pts/0    192.168.225.37   Wed Jan  6 11:02:17 +0000 2021
root                                       **Never logged in**
nobody                                     **Never logged in**
As you see in the above output, the lastlog command displays the last login records of system user accounts as well as other service accounts such as bin, daemon, sys, mail, nobody etc.
The lastlog command prints the login name, port, source IP address from which the user logged in and the last login date and time. If a user has never logged in, it will print the message **Never logged in** instead of the port and time in the output.
You might be wondering why so many service accounts have never logged in. This is because the login shells for these accounts are set to /sbin/nologin. It is a common security practice used to limit direct access to the shell.
3.1. Display last logged in details of a specific user
If you want to display lastlog record of a specified user, for example ostechnix, the command would be:
$ lastlog -u ostechnix
Sample output:
Username         Port     From             Latest
ostechnix        tty1                      Mon Jan 11 07:51:46 +0000 2021
3.2. Display last login records older or more recent than X days
The lastlog command can display login records that are older than or more recent than X days.
For instance, you can display the login records of all users that are older than 5 days using the -b flag like below:
$ lastlog -b 5
Similarly, to display login records more recent than 5 days, use the -t flag:
$ lastlog -t 5
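To act on the earlier advice about locking unused accounts, the lastlog listing can be joined with the login shells in /etc/passwd so that service accounts with a nologin shell drop out. This is an added example, not part of the original tutorial: stale_interactive_accounts and demo_stale_accounts are hypothetical helper names, and the sample data is constructed.

```shell
#!/bin/sh
# Added example: find login-capable accounts that lastlog reports as stale.
# Live usage:  lastlog -b 90 | stale_interactive_accounts /etc/passwd

# stale_interactive_accounts PASSWD_FILE   (lastlog output on stdin)
# Prints "USER SHELL never|stale" for accounts whose shell permits login.
stale_interactive_accounts() {
    awk '
        # First input: passwd(5). Keep users whose shell is not nologin/false.
        NR == FNR {
            split($0, f, ":")
            sh = (f[7] == "") ? "/bin/sh" : f[7]   # empty field means /bin/sh
            if (sh !~ /\/(nologin|false)$/) shell[f[1]] = sh
            next
        }
        # Second input: lastlog output. Skip the header row.
        $1 == "Username" { next }
        ($1 in shell) {
            state = ($0 ~ /\*\*Never logged in\*\*/) ? "never" : "stale"
            print $1, shell[$1], state
        }
    ' "$1" -
}

# Constructed sample data (not taken from a real host).
demo_stale_accounts() {
    tmp="$(mktemp)" || return 1
    cat > "$tmp" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
ostechnix:x:1000:1000::/home/ostechnix:/bin/bash
sk:x:1001:1001::/home/sk:/bin/bash
EOF
    stale_interactive_accounts "$tmp" <<'EOF'
Username         Port     From             Latest
root                                       **Never logged in**
daemon                                     **Never logged in**
sk               pts/0    192.168.225.37   Wed Jan  6 11:02:17 +0000 2021
EOF
    rc=$?
    rm -f "$tmp"
    return "$rc"
}
```

Accounts reported as "never" with a real shell are the ones to review first, since nothing in the login records shows them in use.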
3.3. Remove or clear the last login information using lastlog in Linux
If you don't want the lastlog record of a user, just clear it using the -C (--clear) flag:
$ sudo lastlog -u ostechnix -C
To verify if the log record is cleared, run:
$ lastlog -u ostechnix
Username         Port     From             Latest
ostechnix                                  **Never logged in**
Getting help
For more details, refer to the help section of the respective command.
$ last --help
$ lastb --help
$ lastlog --help
Or go through the man pages of each command:
$ man last
$ man lastb
$ man lastlog
Conclusion
The last, lastb and lastlog commands come to the rescue when you need to detect suspicious user activities in a Linux system. Who recently logged in to (or logged out from) the Linux server, when they logged in and for how long are important details that will definitely help you when troubleshooting.