last, lastb, lastlog command in Linux

Do not miss this exclusive book on Binary Tree Problems. Get it now for free.

In this article, we have discussed the last command which displays information about logged in users, the lastb command which lists all failed login attempts and the lastlog command which displays information regarding the last login.

Table of contents.

  1. Introduction.
  2. last command.
  3. lastb command.
  4. lastolog command.
  5. Summary.
  6. References.

Introduction.

The last command is used to display information regarding user logins and currently logged in users.
It reads its output from the wtmp file located in /var/log/ directory.

The lastb command is used to display information pertaining to failed login attempts.
It reads its output from the btmp file located in /var/log/ directory.

The lastlog command is used to display information about the most recent logins by system users.

last command.

The syntax is as follows,

last [OPTIONS] [<username>...] [<tty>...]

Commands.

  • To get started we can just execute the command without any options,
last

The output shows the name of a user who currently logged in or once logged in, how the user connected to the system e.g pts or tty, where the user connected from, if a user connected remotely an ip address of the remote host will be displayed, and the rest is the times and dates of the logins.

  • To display logins/logouts pertaining to a single user we write,
last bob

Where bob is a system user.

  • We can print out the login and logout times with the full dates and times using the -F option,
last -F
  • To display the last n logins we can use the -n option,
last -n 5

In this case only the last five logins will be displayed.

  • To view system reboots, we write,
last reboot
  • To view system shutdowns, write,
last shutdown
  • We can also specify a time stamp using options such as -s, --since, --present, -t, --until or even an exact time.
    For example to get logins during a specific time period say between march 20th and april 1st, write,
last -F -s 2022-03-20 -t 2022-04-1
  • As stated earlier this command reads the wtmp file, we can use the -f option to read from another file,
last -f /var/log/file

wtmp file size can grow and that is why by default it is cleared on a monthly basis. The details of this rotation are stored in logrotate.conf file stored in the /etc/ directory.

lastb command.

The syntax is as follows,

lastb [OPTIONS] [<username>...] [<tty>...]

Commands.

  • To view failed login attempts if any, write,
lastb

This command requires elevated permissions therefore it should be preceded with sudo.

  • We can also specify a time period using the --since option, for example to view failed login attempts since yesterday, we write,
sudo lastb --since yesterday

We can also specify a date(YYYY-MM-DD) as follows,

sudo lastb --since 2022-10-04
  • To specify failed login attempts until a specified period we use the --until option,
sudo lastb --until 2022-04-01
  • We can also be very specific and specify the exact time/hour, if there was a failed login attempt it will be shown.
sudo lastb --present 22:00

The above command will display failed login attempts during 10pm hour.

lastlog command.

The syntax is as follows,

lastlog [OPTIONS]
  • We can execute it without any options to view recent logins,
lastlog
  • To specify a specific user we use the -u option accompanied by the username,
lastlog -u doe

The above command will display a record of doe.

  • To specify the number of days, that is, display records older than n days, we use the -b option and specify the number of days,
lastlog -b 4

The command will display records older than 4 days.

  • To display lastlog records more recent than n number of days, we use the -t option and specify n as follows,
lastlog -t 4

The command will print out lastlog records more recent than 4 days.

Summary.

The last command is used by system administrators to display information regarding system logins e.g logged in users and their details such as terminal used and timestamps. It can also be used to display system reboots or shutdowns.

The lastb command is used to displayed failed system login attempts, this information is only accessible by the root user.

The lastlog command is used to display information abou tlast logins to the system, with it we can specify time ranges between which the system was last logged into.
last command options are also applicable to lastb command.

References.

  1. Execute man last, man lastb, man lastlog for the commands' manual pages.
  2. Execute last --help, lastb --help, lastlog --help for other command options.

Sign up for FREE 3 months of Amazon Music. YOU MUST NOT MISS.