Find user login history – last and lastb commands in Linux

1.0 last and lastb

The last command gives a chronological list of user logins on a Linux system over the period covered by its log file. The lastb command gives a similar list of failed logins to the system. By default, last reads login records from the /var/log/wtmp file. Similarly, lastb, by default, reads failed-login records from the /var/log/btmp file.

2.0 Command syntax

last [-R] [-num] [ -n num ] [-adFiowx] [ -f file ] [ -t YYYYMMDDHHMMSS ] [name...]  [tty...]
lastb [-R] [-num] [ -n num ] [ -f file ] [-adFiowx] [name...]  [tty...]

3.0 Examples

3.1 last

$ last
user1    pts/0        203.0.113.168    Tue May 17 10:26   still logged in
user1    ttyS0                         Tue May 17 10:19 - 10:20  (00:00)
user2    pts/1        198.51.100.12    Tue May 17 00:54 - 01:33  (00:38)
user3    pts/3        198.51.100.15    Mon May 16 10:13 - 17:54  (07:40)
user2    pts/7        198.51.100.11    Sun May 15 17:28 - 17:41  (00:13)
user1    pts/2        198.51.100.19    Sun May 15 15:08 - 15:19  (00:10)
user3    pts/0        198.51.100.17    Sat May 14 08:29 - 11:15  (02:45)
  ...
  ...
  ...
user1    ttyS0                         Sat May  7 03:51 - 03:53  (00:02)
reboot   system boot  4.5.0-x86_64-lin Sat May  7 03:50   still running

For each login, last prints the username, terminal, IP address, date and time of login and logout, and the session time. The line for the pseudo-user reboot gives the time of system boot.

3.2 lastb

lastb gives the history of failed logins.

$ sudo lastb
admin    ssh:notty    203.0.113.252    Wed May  4 05:17 - 05:17  (00:00)
UNKNOWN  ttyS0                         Tue May  3 16:48 - 16:48  (00:00)

btmp begins Tue May  3 16:48:02 2016

3.3 last -f filename

With the -f option, we can use a different input file. The -R option suppresses the display of the hostname.

$ last -R -f /var/log/wtmp.1
user1    :0           Fri Apr 29 05:46 - down   (00:20)
reboot   system boot  Fri Apr 29 05:46 - 06:07  (00:21)
guest-8S :1           Thu Apr 28 20:53 - 21:15  (00:21)
   ...

3.4 last -n num

The -n num option limits the output to the first num lines. We can skip -n and say last -num and get the same output.

3.5 last -F

The -F option prints full login and logout dates and times.

3.6 last -a

With the -a option, we get the hostname in the last column.

3.7 last -d

-d displays the hostname instead of its IP address. For example,

$ last -5  -F -a -d
user1    pts/0        Wed May 18 00:27:06 2016   still logged in                       arbt-equat-dynamic-198.51.100.19.expressbroadband.com
user1    ttyS0        Wed May 18 00:26:11 2016 - Wed May 18 00:26:42 2016  (00:00)     0.0.0.0
user1    pts/0        Tue May 17 17:12:26 2016 - Tue May 17 17:20:32 2016  (00:08)     arbt-equat-dynamic-198.51.100.19.expressbroadband.com
user1    ttyS0        Tue May 17 17:11:26 2016 - Tue May 17 17:11:57 2016  (00:00)     0.0.0.0
user1    pts/0        Tue May 17 10:26:14 2016 - Tue May 17 12:02:32 2016  (01:36)     arbt-equat-dynamic-198.51.100.19.expressbroadband.com

3.8 last -i

The -i option prints the user's IP address in numbers-and-dots notation.

3.9 last user

If a username is passed as a command line parameter, the login data for that user is printed.

$ last alice -5 -a -i
alice   pts/0        Wed May 18 06:54   still logged in    198.51.100.17
alice   pts/0        Wed May 18 00:27 - 01:00  (00:33)     203.0.113.168
alice   ttyS0        Wed May 18 00:26 - 00:26  (00:00)     0.0.0.0
alice   pts/0        Tue May 17 17:12 - 17:20  (00:08)     198.51.100.15
alice   ttyS0        Tue May 17 17:11 - 17:11  (00:00)     0.0.0.0
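
Combining lastb (3.2) with the -a and -i options (3.6, 3.8) gives a layout in which the source address is always the last field, which makes failed logins easy to tally per source. The script below is an added example, not part of the original page; the function names sample_lastb, failed_by_source and sources_over are hypothetical, and the sample lines are constructed in the layout shown above.

```shell
#!/bin/sh
# Added example: tally failed logins per source address from `lastb -a -i`.
# With -a the address is the last field, so lines with no remote host
# (printed as 0.0.0.0 in the examples on this page) do not shift columns.

# Constructed sample in the `lastb -a -i` layout; not real log data.
sample_lastb() {
cat <<'EOF'
admin    ssh:notty    Wed May  4 05:17 - 05:17  (00:00)     203.0.113.252
root     ssh:notty    Wed May  4 05:16 - 05:16  (00:00)     203.0.113.252
admin    ssh:notty    Wed May  4 05:15 - 05:15  (00:00)     203.0.113.252
user2    ssh:notty    Tue May  3 21:02 - 21:02  (00:00)     198.51.100.12
UNKNOWN  ttyS0        Tue May  3 16:48 - 16:48  (00:00)     0.0.0.0

btmp begins Tue May  3 16:48:02 2016
EOF
}

# Reads `lastb -a -i` output on stdin and prints "<count> <source>" lines,
# highest count first. 0.0.0.0 (no remote address) is reported as "local".
failed_by_source() {
    awk '
        NF == 0 { next }                              # blank separator line
        $1 ~ /^[bw]tmp$/ && $2 == "begins" { next }   # "btmp begins ..." trailer
        {
            src = $NF
            if (src == "0.0.0.0") src = "local"
            count[src]++
        }
        END { for (s in count) print count[s], s }
    ' | sort -k1,1nr -k2,2
}

# Prints only the sources with at least $1 failed attempts.
sources_over() {
    failed_by_source | awk -v min="$1" '$1 >= min { print $2 }'
}

sample_lastb | failed_by_source
# On a live host: sudo lastb -a -i | failed_by_source
```

Rotated files can be read the same way by adding -f, for example a rotated copy of /var/log/btmp.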