The last thing

dos2unix


Understanding the last Command in Linux

The last command in Linux is a useful tool for tracking user logins, logouts, system reboots, and crashes. It reads from the /var/log/wtmp file, which is a binary file that logs all login and logout activities. This command helps system administrators monitor user activity and system events.

What Does the last Command Do?

The last command displays a list of all users who have logged in and out since the creation of the /var/log/wtmp file. It also shows system reboots and shutdowns. This information is crucial for auditing and troubleshooting purposes.

Example Commands

To use the last command, you can simply type:

Code:
 last

You can also specify a username to see the login history for a particular user:

Code:
 last username

Explanation of Output Columns

The output of the last command typically includes the following columns:

  1. Username: The name of the user who logged in.
  2. TTY: The terminal line (e.g., tty1, pts/0) used for the login session.
  3. Hostname: The hostname or IP address from which the user logged in.
  4. Login Time: The date and time when the user logged in.
  5. Logout Time: The date and time when the user logged out (or still logged in if the session is active).
  6. Duration: The duration of the session.
  7. System Events: Reboots and shutdowns are also listed, as the pseudo-users reboot and shutdown; a reboot entry shows the booted kernel version in the hostname column, so a kernel update is visible as a change in that version.

Sample Output

Here is a sample output of the last command, showing multiple user logins and logouts, a system crash, and a couple of system reboots:


username1 pts/0 192.168.1.10 Thu Jan 2 10:00 - 10:30 (00:30)
username2 tty1 Thu Jan 2 09:45 - 10:15 (00:30)
reboot system boot 5.15.0-72-generic Thu Jan 2 09:00 - 10:30 (01:30)
username3 pts/1 192.168.1.11 Thu Jan 2 08:30 - 09:00 (00:30)
crash system down Thu Jan 2 08:00 - 08:30 (00:30)
reboot system boot 5.15.0-71-generic Thu Jan 2 07:00 - 08:00 (01:00)
username1 pts/0 192.168.1.10 Thu Jan 2 06:30 - 07:00 (00:30)
username4 pts/2 192.168.1.12 Thu Jan 2 06:00 - 06:30 (00:30)
username2 tty2 Thu Jan 2 05:30 - 06:00 (00:30)
username3 pts/3 192.168.1.13 Thu Jan 2 05:00 - 05:30 (00:30)
reboot system boot 5.15.0-70-generic Thu Jan 2 04:00 - 05:00 (01:00)
username1 pts/0 192.168.1.10 Thu Jan 2 03:30 - 04:00 (00:30)

In this example:

  • username1, username2, username3, and username4 logged in and out at different times.
  • The system rebooted three times, with the kernel version changing from 5.15.0-70-generic to 5.15.0-71-generic and then to 5.15.0-72-generic.
  • There was a system crash recorded.

Handling Long Output

Sometimes, the output of the last command can be very long. In such cases, you can use the head command to view only the first few lines:

Code:
 last | head

This will display the first 10 lines of the last command's output, making it easier to read.

Auditing with last

System administrators often use the last command when investigating problems. For example, if a process crashes, a file is deleted, or something changes that causes a problem, you can see who was logged in at that time. You can then look at that person's command history to see what actions they performed.

Why New wtmp Files Are Created

New wtmp files are created periodically, normally by log rotation, to keep the log file from growing without bound. When a new wtmp file is started, the old login and reboot information is retained in the rotated copy rather than discarded, so historical data stays available for auditing.

Important Note on /var/log/wtmp

The /var/log/wtmp file is where the last command retrieves its information. This file is binary, so you should not use the cat command to view it. Instead, you can use the strings command to extract readable text:

Code:
 strings /var/log/wtmp

This command prints only the printable strings embedded in the binary file, such as usernames, terminal names and hostnames, which is enough for a quick look; the timestamps are stored as binary fields and will not appear in its output.
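To see what last actually decodes from those binary records, here is a small reader for the wtmp format. It is an added example, not code from the original post; it assumes the 384-byte struct utmp layout glibc uses on x86-64 Linux, and the three sample records at the bottom are constructed rather than captured from a real system. It also refuses a file whose length is not a whole number of records, which is the first thing to check when the file looks truncated or tampered with.

```python
import struct
import time
# struct utmp as glibc lays it out on x86-64 (384 bytes): ut_type, ut_pid, ut_line, ut_id,
# ut_user, ut_host, ut_exit (2 shorts), ut_session, ut_tv (sec, usec), ut_addr_v6[4], unused
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8
_cstr = lambda raw: raw.split(b"\0", 1)[0].decode("utf-8", "replace")  # NUL-terminated field

def parse_wtmp(data):
    """Yield (type, line, user, host, tv_sec) per record, oldest first."""
    if len(data) % UTMP_SIZE:  # partial record: truncated file or a different struct layout
        raise ValueError("wtmp size is not a multiple of %d bytes" % UTMP_SIZE)
    for off in range(0, len(data), UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        yield f[0], _cstr(f[2]), _cstr(f[4]), _cstr(f[5]), f[9]

def sessions(data):
    """(user, line, host, login_sec, logout_sec or None) per session, newest first."""
    open_by_line, out = {}, []
    for typ, line, user, host, t in parse_wtmp(data):
        if typ == BOOT_TIME:  # for a boot record ut_host carries the kernel release
            out.append(("reboot", "system boot", host, t, None))
        elif typ == USER_PROCESS:
            open_by_line[line] = (user, host, t)
        elif typ == DEAD_PROCESS and line in open_by_line:  # logout closes the login on the same tty
            user, host, t0 = open_by_line.pop(line)
            out.append((user, line, host, t0, t))
    for line, (user, host, t0) in open_by_line.items():
        out.append((user, line, host, t0, None))  # no logout record yet: still logged in
    return sorted(out, key=lambda s: s[3], reverse=True)

def format_last(data):
    """Render rows in the column order last prints (UTC here; last uses local time)."""
    rows = []
    for user, line, host, t0, t1 in sessions(data):
        start = time.strftime("%a %b %d %H:%M", time.gmtime(t0))
        end = "still logged in" if t1 is None else time.strftime("%H:%M", time.gmtime(t1))
        dur = "" if t1 is None else "  (%02d:%02d)" % divmod((t1 - t0) // 60, 60)
        rows.append("%-9s %-12s %-17s %s - %s%s" % (user, line, host, start, end, dur))
    return rows

def make_record(typ, line, user, host, tv_sec, pid=1):  # only used to build the constructed sample
    return struct.pack(UTMP_FMT, typ, pid, line.encode(), b"", user.encode(), host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)

T0 = 1704186000  # constructed timestamps: 2024-01-02 09:00 UTC boot, then one 30-minute ssh session
SAMPLE_WTMP = b"".join([
    make_record(BOOT_TIME, "~", "reboot", "5.15.0-72-generic", T0),
    make_record(USER_PROCESS, "pts/0", "username1", "192.168.1.10", T0 + 3600, 4242),
    make_record(DEAD_PROCESS, "pts/0", "", "", T0 + 5400, 4242),
])
```

Feed format_last the bytes of /var/log/wtmp or of a rotated copy to compare its rows with what last prints on the same machine.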

Security Considerations

A savvy hacker might know to delete the history and wtmp files to cover their tracks. To mitigate this risk, it's a good idea to back up these files remotely. You can use a tool like syslogd to send logs to a remote syslog server, ensuring that you have a backup even if the local files are tampered with.

By understanding and utilizing the last command, you can effectively monitor user activity and system events on your Linux system.
wow. a new command to play with thanks.