Find user login history - last and lastb commands in Linux

Login

1.0 last and lastb

The last command gives a chronological list of user logins in a Linux system for a period of time. The lastb commands gives a similar list of failed logins to the system. By default, last uses the /var/log/wtmp file for the record of login data. Similarly, lastb, by default, reads the /var/log/btmp file for the record of failed logins.

2.0 Command syntax

last [-R] [-num] [ -n num ] [-adFiowx] [ -f file ] [ -t YYYYMMDDHHMMSS ] [name...] [tty...] lastb [-R] [-num] [ -n num ] [ -f file ] [-adFiowx] [name...] [tty...]

3.0 Examples

3.1 last

$ last user1 pts/0 203.0.113.168 Tue May 17 10:26 still logged in user1 ttyS0 Tue May 17 10:19 - 10:20 (00:00) user2 pts/1 198.51.100.12 Tue May 17 00:54 - 01:33 (00:38) user3 pts/3 198.51.100.15 Mon May 16 10:13 - 17:54 (07:40) user2 pts/7 198.51.100.11 Sun May 15 17:28 - 17:41 (00:13) user1 pts/2 198.51.100.19 Sun May 15 15:08 - 15:19 (00:10) user3 pts/0 198.51.100.17 Sat May 14 08:29 - 11:15 (02:45) ... ... ... user1 ttyS0 Sat May 7 03:51 - 03:53 (00:02) reboot system boot 4.5.0-x86_64-lin Sat May 7 03:50 still running

For each login, username, terminal, IP address, date and times of login and logout and the session time are printed. The line for pseudo-user reboot gives the time of system boot.

3.2 lastb

lastb gives the history of failed logins.

$ sudo lastb admin ssh:notty 203.0.113.252 Wed May 4 05:17 - 05:17 (00:00) UNKNOWN ttyS0 Tue May 3 16:48 - 16:48 (00:00) btmp begins Tue May 3 16:48:02 2016

3.3 last -f filename

With the -f option , we can use a different input file. The -R option suppresses the display of hostname.

$ last -R -f /var/log/wtmp.1 user1 :0 Fri Apr 29 05:46 - down (00:20) reboot system boot Fri Apr 29 05:46 - 06:07 (00:21) guest-8S :1 Thu Apr 28 20:53 - 21:15 (00:21) ...

3.4 last -n num

The -n num option limits the output to the first num lines. We can skip -n and say last -num and get the same output.

3.5 last -F

The -F option is for the printing of full login and logout dates and times.

3.6 last -a

with the -a option, we get the hostname in the last column.

3.7 last -d

-d displays the hostname instead of its IP address. For example,

$ last -5 -F -a -d user1 pts/0 Wed May 18 00:27:06 2016 still logged in arbt-equat-dynamic-198.51.100.19.expressbroadband.com user1 ttyS0 Wed May 18 00:26:11 2016 - Wed May 18 00:26:42 2016 (00:00) 0.0.0.0 user1 pts/0 Tue May 17 17:12:26 2016 - Tue May 17 17:20:32 2016 (00:08) arbt-equat-dynamic-198.51.100.19.expressbroadband.com user1 ttyS0 Tue May 17 17:11:26 2016 - Tue May 17 17:11:57 2016 (00:00) 0.0.0.0 user1 pts/0 Tue May 17 10:26:14 2016 - Tue May 17 12:02:32 2016 (01:36) arbt-equat-dynamic-198.51.100.19.expressbroadband.com

3.8 last -i

The -i option causes prining of user's IP address in numbers and dots notation.

3.9 last user

If a username is passed as a command line parameter, the login data for that user is printed.

$ last alice -5 -a -i alice pts/0 Wed May 18 06:54 still logged in 198.51.100.17 alice pts/0 Wed May 18 00:27 - 01:00 (00:33) 203.0.113.168 alice ttyS0 Wed May 18 00:26 - 00:26 (00:00) 0.0.0.0 alice pts/0 Tue May 17 17:12 - 17:20 (00:08) 198.51.100.15 alice ttyS0 Tue May 17 17:11 - 17:11 (00:00) 0.0.0.0

Software: