last Command Linux: Display Login History and System Boot Records

The last command is an essential Linux utility that displays a chronological list of user logins, system boots, and shutdowns by reading from the /var/log/wtmp file. This powerful command is invaluable for system administrators who need to track user activity, monitor system security, and analyze login patterns.

Understanding the last Command

The last command provides detailed information about:

User login and logout times
System boot and shutdown events
Terminal sessions and their duration
Remote connections via SSH, FTP, or other protocols
System crashes and unexpected reboots

Basic Syntax and Usage

The basic syntax of the last command is:

last [options] [username] [tty]

Simple last Command Examples

Running last without any arguments displays the complete login history:

$ last

Example output:

john     pts/0        192.168.1.100    Mon Aug 25 14:30   still logged in
sarah    tty2                          Mon Aug 25 12:15 - 14:20  (02:05)
admin    pts/1        10.0.0.50        Mon Aug 25 10:45 - 11:30  (00:45)
reboot   system boot  5.4.0-74-generic Mon Aug 25 09:00   still running
mike     pts/0        192.168.1.105    Sun Aug 24 18:22 - 20:15  (01:53)
shutdown system down  5.4.0-74-generic Sun Aug 24 22:00 - 09:00  (11:00)

Command Options and Parameters

Limiting Output with -n Option

Use the -n option to limit the number of entries displayed:

$ last -n 5

This shows only the last 5 login entries:

john     pts/0        192.168.1.100    Mon Aug 25 14:30   still logged in
sarah    tty2                          Mon Aug 25 12:15 - 14:20  (02:05)
admin    pts/1        10.0.0.50        Mon Aug 25 10:45 - 11:30  (00:45)
reboot   system boot  5.4.0-74-generic Mon Aug 25 09:00   still running
mike     pts/0        192.168.1.105    Sun Aug 24 18:22 - 20:15  (01:53)

Displaying Specific User Information

To view login history for a specific user:

$ last john

Output:

john     pts/0        192.168.1.100    Mon Aug 25 14:30   still logged in
john     pts/1        192.168.1.100    Mon Aug 25 08:15 - 12:00  (03:45)
john     tty1                          Sun Aug 24 16:30 - 18:00  (01:30)
john     pts/0        192.168.1.100    Sat Aug 23 14:22 - 16:45  (02:23)

Using Time-based Filtering

The -t option allows filtering by time. Show logins before a specific date:

$ last -t 20250824

Use -s to show logins since a specific date:

$ last -s 20250824

Advanced Usage Examples

Displaying Full Hostnames

Use the -a option to display full hostnames instead of truncated ones:

$ last -a

Output with full hostnames:

admin    pts/1        Mon Aug 25 10:45 - 11:30  (00:45)    office-desktop.company.com
user1    pts/2        Mon Aug 25 09:30 - 12:00  (02:30)    remote-server.example.org

Showing Boot Records Only

To display only system boot information:

$ last reboot

Example output:

reboot   system boot  5.4.0-74-generic Mon Aug 25 09:00   still running
reboot   system boot  5.4.0-74-generic Sun Aug 24 08:30 - 22:00  (13:30)
reboot   system boot  5.4.0-74-generic Sat Aug 23 07:45 - 23:15  (15:30)

Displaying Shutdown Information

To see system shutdown history:

$ last shutdown

Output:

shutdown system down  5.4.0-74-generic Sun Aug 24 22:00 - 09:00  (11:00)
shutdown system down  5.4.0-74-generic Sat Aug 23 23:15 - 07:45  (08:30)

Output Format and Column Interpretation

Understanding the last command output format is crucial:

Column	Description	Example
Username	Login name or system event	john, reboot, shutdown
Terminal	TTY or pseudo-terminal	pts/0, tty1, console
Host/IP	Remote host or IP address	192.168.1.100, :0
Login Time	When session started	Mon Aug 25 14:30
Session Status	Duration or current state	still logged in, (02:05)

Practical System Administration Use Cases

Security Monitoring

Monitor suspicious login attempts by combining last with other commands:

$ last | grep -E "(pts|ssh)" | head -10

This filters remote connections to identify potential security threats.

System Uptime Analysis

Analyze system reliability by examining boot/shutdown patterns:

$ last reboot shutdown | head -20

This helps identify system stability issues and maintenance windows.

User Activity Tracking

Track specific user activity during business hours:

$ last john | grep "Aug 25"

Useful for attendance tracking and productivity monitoring.

Related Commands and Integration

Using with lastb Command

The lastb command shows failed login attempts:

$ sudo lastb

Combine both for comprehensive security analysis:

$ last -n 5 && echo "--- Failed Logins ---" && sudo lastb -n 5

Integration with who and w Commands

Compare current sessions with historical data:

$ who
$ last | head -5

Log File Locations and Maintenance

The last command reads from several log files:

/var/log/wtmp – Main login records (binary format)
/var/log/btmp – Failed login attempts
/var/run/utmp – Current login sessions

Log Rotation and Archival

These logs are typically rotated by logrotate. Check archived logs:

$ last -f /var/log/wtmp.1

Troubleshooting Common Issues

Empty Output

If last returns no output:

Check if the wtmp file exists: ls -la /var/log/wtmp
Verify file permissions
Check if logging is enabled in system configuration

Incomplete Information

For missing hostname information, ensure proper DNS resolution and network configuration.

Security Considerations

When using last for security monitoring:

Regularly review login patterns for anomalies
Monitor for logins from unexpected IP addresses
Check for unusual login times (off-hours access)
Combine with system logs for comprehensive analysis

Performance and Optimization

For systems with extensive login history:

Use specific usernames to limit output
Implement regular log rotation
Consider archiving old logs for historical analysis
Use time-based filtering for targeted searches

Best Practices

Follow these best practices when using the last command:

Regular Monitoring: Include last checks in routine system administration tasks
Automation: Create scripts to automatically flag suspicious login patterns
Documentation: Maintain records of expected login patterns for comparison
Integration: Combine with other monitoring tools for comprehensive system oversight

The last command is an indispensable tool for Linux system administrators, providing valuable insights into system usage, security events, and user behavior. By mastering its various options and understanding its output format, you can effectively monitor and maintain system security while tracking user activity across your Linux environment.

last Command Linux: Display Login History and System Boot Records

Understanding the last Command

Basic Syntax and Usage

Simple last Command Examples

Command Options and Parameters

Limiting Output with -n Option

Displaying Specific User Information

Using Time-based Filtering

Advanced Usage Examples

Displaying Full Hostnames

Showing Boot Records Only

Displaying Shutdown Information

Output Format and Column Interpretation

Practical System Administration Use Cases

Security Monitoring

System Uptime Analysis

User Activity Tracking

Related Commands and Integration

Using with lastb Command

Integration with who and w Commands

Log File Locations and Maintenance

Log Rotation and Archival

Troubleshooting Common Issues

Empty Output

Incomplete Information

Security Considerations

Performance and Optimization

Best Practices

Related Posts

who Command in Linux: Complete Guide to Display Logged in Users

w Command Linux: Complete Guide to Monitor Active Users and System Activity

loginctl Command Linux: Master Session Management with Practical Examples

logger Command Linux: Complete Guide to System Log Message Management

history Command Linux: Complete Guide to View and Manage Your Command History

runlevel Command Linux: Complete Guide to Display Current and Previous System States

uptime Command Linux: Complete Guide to System Uptime and Load Average Monitoring

rsyslog Command Linux: System Logging Configuration with Examples

ps Command in Linux: Complete Guide to Process Monitoring and Management

top Command Linux: Complete Guide to Real-Time Process Monitoring

screen Command Linux: Complete Guide to Managing Multiple Terminal Sessions

lynis Command Linux: Complete Security Auditing Tool Guide

Continue Reading

Understanding the Pipeline: Passing Objects Between Cmdlets in PowerShell

Managing Files and Folders with PowerShell: Complete Guide to Get-ChildItem, Copy-Item, and Remove-Item

Using PowerShell Providers: FileSystem, Registry, Environment & More – Complete Guide

Understanding and Using PowerShell Providers for Different Data Stores: Complete Guide with Examples

Using Remoting in PowerShell: Complete Guide to Enable-PSRemoting, Invoke-Command & Remote Sessions

Working with WMI and CIM in PowerShell: Complete Guide to Advanced System Management