Both last and lastb are commands that show user logins on the system. The difference is that lastb shows the bad login attempts recorded in /var/log/btmp, whereas last uses /var/log/wtmp, which records only successful ones. Let's look at the information they show and the options they take, by example.
The last command without any flags shows the username, the terminal, the hostname the login originated from, and the time.
root:~> last
marc pts/1 :0 Mon Oct 26 19:59 still logged in
marc pts/2 :0 Wed Oct 21 20:27 - 17:57 (4+22:29)
marc pts/1 :0 Wed Oct 21 20:22 - 19:59 (5+00:36)
marc pts/4 :0 Sat Oct 17 21:33 - 20:27 (3+22:54)
marc pts/2 :0 Fri Oct 16 10:16 - 20:21 (5+10:04)
marc pts/0 :0 Thu Oct 15 15:40 still logged in
marc :0 192.168.122.194 Thu Oct 15 15:39 still logged in
(unknown :0 :0 Thu Oct 15 15:39 - 15:39 (00:00)
reboot system boot 4.1.8100.fc21.x Thu Oct 15 15:39 still running
marc :0 :0 Thu Oct 15 15:34 - 15:34 (00:00)
(unknown :0 :0 Thu Oct 15 15:34 - 15:34 (00:00)
reboot system boot 4.1.8100.fc21.x Thu Oct 15 15:33 - 15:34 (00:01)
marc pts/4 :0 Tue Sep 29 09:45 - 15:33 (16+05:48)
marc pts/3 :0 Tue Sep 29 09:29 - 15:33 (16+06:03)
marc pts/2 :0 Mon Sep 28 09:05 - 10:14 (16+01:08)
[…]
reboot system boot 3.17.4301.fc21. Wed Apr 29 22:08 - 17:16 (19:08)
wtmp begins Wed Apr 29 22:08:11 2015
The hostname is truncated by default so we might want it shown in the last position to get the full name:
root:~> last --hostlast
marc pts/1 Mon Oct 26 19:59 still logged in :0
marc pts/2 Wed Oct 21 20:27 - 17:57 (4+22:29) :0
marc pts/1 Wed Oct 21 20:22 - 19:59 (5+00:36) :0
marc pts/4 Sat Oct 17 21:33 - 20:27 (3+22:54) 192.168.122.194
marc pts/3 Fri Oct 16 15:29 still logged in :0
[…]
reboot system boot Wed Apr 29 22:08 17:16 (19:08) 3.17.4301.fc21.x86_64
wtmp begins Wed Apr 29 22:08:11 2015
We can have the hostname shown in DNS rather than IP format:
root:~> last --hostlast --dns
marc pts/1 Mon Oct 26 19:59 still logged in :0
marc pts/2 Wed Oct 21 20:27 - 17:57 (4+22:29) :0
marc pts/1 Wed Oct 21 20:22 - 19:59 (5+00:36) :0
marc pts/4 Sat Oct 17 21:33 - 20:27 (3+22:54) sl11ora112
marc pts/3 Fri Oct 16 15:29 still logged in :0
[…]
reboot system boot Wed Apr 29 22:08 17:16 (19:08) 3.17.4301.fc21.x86_64
wtmp begins Wed Apr 29 22:08:11 2015
We can have the login and logout timings shown:
root:~> last --hostlast --fulltime
marc pts/1 Mon Oct 26 19:59:34 2015 still logged in :0
marc pts/2 Wed Oct 21 20:27:39 2015 - Mon Oct 26 17:57:20 2015 (4+22:29) :0
marc pts/1 Wed Oct 21 20:22:50 2015 - Mon Oct 26 19:59:30 2015 (5+00:36) :0
marc pts/4 Sat Oct 17 21:33:15 2015 - Wed Oct 21 20:27:28 2015 (3+22:54) :0
marc pts/3 Fri Oct 16 15:29:44 2015 still logged in :0
We can limit the output to n lines and get full names for users and domains:
root:~> last --hostlast --fullnames --limit 10
marc pts/1 Mon Oct 26 19:59:34 2015 still logged in :0
marc pts/2 Wed Oct 21 20:27:39 2015 - Mon Oct 26 17:57:20 2015 (4+22:29) :0
marc pts/1 Wed Oct 21 20:22:50 2015 - Mon Oct 26 19:59:30 2015 (5+00:36) :0
marc pts/4 Sat Oct 17 21:33:15 2015 - Wed Oct 21 20:27:28 2015 (3+22:54) :0
marc pts/3 Fri Oct 16 15:29:44 2015 still logged in :0
marc pts/3 Fri Oct 16 10:58:58 2015 - Fri Oct 16 15:29:34 2015 (04:30) :0
marc pts/2 Fri Oct 16 10:16:43 2015 - Wed Oct 21 20:21:06 2015 (5+10:04) :0
marc pts/0 Thu Oct 15 15:40:00 2015 still logged in :0
marc :0 Thu Oct 15 15:39:52 2015 still logged in :0
(unknown :0 Thu Oct 15 15:39:33 2015 - Thu Oct 15 15:39:52 2015 (00:00) :0
We can list the users logged in at a certain time or interval …
root:~> last --hostlast --fulltime --present "20151021 22:00"
root:~> last --hostlast --fulltime --since "20151021 21:00" --until "20151021 22:00"
… and finally we can show the runlevel changes and shutdowns:
root:~> last --system | egrep "runlevel|reboot|shutdown"
runlevel (to lvl 5) 4.1.8100.fc21.x Thu Oct 15 15:39 still running
reboot system boot 4.1.8100.fc21.x Thu Oct 15 15:39 still running
shutdown system down 4.1.8100.fc21.x Thu Oct 15 15:34 - 15:39 (00:04)
runlevel (to lvl 5) 4.1.8100.fc21.x Thu Oct 15 15:34 - 15:34 (00:00)
reboot system boot 4.1.8100.fc21.x Thu Oct 15 15:33 - 15:34 (00:01)
shutdown system down 4.1.6100.fc21.x Thu Oct 15 15:33 - 15:33 (00:00)
runlevel (to lvl 5) 4.1.6100.fc21.x Sat Sep 26 17:29 - 15:33 (18+22:03)
reboot system boot 4.1.6100.fc21.x Sat Sep 26 17:29 - 15:33 (18+22:03)
shutdown system down 4.1.6100.fc21.x Sat Sep 26 17:28 - 17:29 (00:00)
runlevel (to lvl 5) 4.1.6100.fc21.x Fri Sep 11 23:04 - 17:28 (14+18:24)
reboot system boot 4.1.6100.fc21.x Fri Sep 11 23:04 - 17:28 (14+18:24)
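lastb takes the same options as last, so the --hostlast and --fulltime layout shown above can be fed to a script. The following is an added example, not part of the original article: it counts failed attempts and distinct usernames per origin. The function names and the sample records are constructed for illustration, and every record is assumed to carry the "(duration)" column.

```sh
#!/bin/sh
# Added example: summarise failed logins per origin from the output of
# `lastb --hostlast --fulltime` read on stdin.
# Prints "origin attempts distinct_users" for origins with >= $1 attempts.
failed_login_summary() {
    min="${1:-5}"
    awk -v min="$min" '
        # Skip the blank line and the "btmp begins ..." footer.
        NF == 0 || $1 == "btmp" { next }
        {
            # With --hostlast the origin is the last field; a record that
            # has no origin ends in the "(duration)" column instead.
            origin = $NF
            if (origin ~ /^\(.*\)$/) origin = "-"
            attempts[origin]++
            # Count each username once per origin: many names from one
            # origin looks different from many tries at one name.
            if (!((origin, $1) in seen)) { seen[origin, $1] = 1; users[origin]++ }
        }
        END {
            for (o in attempts)
                if (attempts[o] >= min)
                    printf "%s %d %d\n", o, attempts[o], users[o]
        }
    ' | LC_ALL=C sort -k2,2nr -k1,1
}

# Constructed sample in the layout of `lastb --hostlast --fulltime`
# (203.0.113.7 is a documentation address; this is not real log data).
sample_lastb() {
    cat <<'EOF'
root     ssh:notty    Mon Oct 26 19:59:34 2015 - Mon Oct 26 19:59:34 2015  (00:00)     203.0.113.7
root     ssh:notty    Mon Oct 26 19:59:30 2015 - Mon Oct 26 19:59:30 2015  (00:00)     203.0.113.7
root     ssh:notty    Mon Oct 26 19:59:27 2015 - Mon Oct 26 19:59:27 2015  (00:00)     203.0.113.7
admin    ssh:notty    Mon Oct 26 19:58:02 2015 - Mon Oct 26 19:58:02 2015  (00:00)     203.0.113.7
marc     :0           Fri Oct 16 21:19:10 2015 - Fri Oct 16 21:19:10 2015  (00:00)     :0
marc     tty2         Fri Oct 16 21:10:00 2015 - Fri Oct 16 21:10:00 2015  (00:00)

btmp begins Fri Oct 16 21:10:00 2015
EOF
}

# Live use (root is needed to read /var/log/btmp):
#   lastb --hostlast --fulltime | failed_login_summary 5
sample_lastb | failed_login_summary 3
```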
The lslogins command examines both files (/var/log/btmp & /var/log/wtmp) and is a bit more customisable in terms of output. Executed without any arguments it should show something like this:
root:~> lslogins
UID USER PROC PWD-LOCK PWD-DENY LAST-LOGIN GECOS
0 root 278 0 0 root
1 bin 0 0 1 bin
2 daemon 0 0 1 daemon
3 adm 0 0 1 adm
4 lp 0 0 1 lp
5 sync 0 0 1 sync
6 shutdown 0 0 1 Oct15/15:34 shutdown
7 halt 0 0 1 halt
8 mail 0 0 1 mail
11 operator 0 0 1 operator
12 games 0 0 1 games
14 ftp 0 0 1 FTP User
29 rpcuser 0 0 1 RPC Service User
[…]
65534 nfsnobody 0 0 1 Anonymous NFS User
We can add the -G flag to show group info:
root:~> lslogins -G
UID USER GID GROUP SUPP-GIDS SUPP-GROUPS
0 root 0 root
1 bin 1 bin
2 daemon 2 daemon
3 adm 4 adm
4 lp 7 lp
5 sync 0 root
6 shutdown 0 root
7 halt 0 root
8 mail 12 mail
11 operator 0 root
12 games 100 users
14 ftp 50 ftp
29 rpcuser 29 rpcuser
[…]
65534 nfsnobody 65534 nfsnobody
With the -a flag we can get some password info:
root:~> lslogins -a
UID USER PWD-WARN PWD-MIN PWD-MAX PWD-CHANGE PWD-EXPIR
0 root 7 99999 1969-Dec31
1 bin 7 99999 2014-Jun08
2 daemon 7 99999 2014-Jun08
3 adm 7 99999 2014-Jun08
4 lp 7 99999 2014-Jun08
5 sync 7 99999 2014-Jun08
6 shutdown 7 99999 2014-Jun08
[…]
With the -f flag we get the record of the last failed login attempt:
root:~> lslogins -f
UID USER FAILED-LOGIN FAILED-TTY
0 root
1 bin
2 daemon
3 adm
4 lp
5 sync
6 shutdown
7 halt
[…]
1000 marc Oct16/21:19 :0
1001 charlie
65534 nfsnobody
If we want to pull data for just one or more users we can do that with the -l flag:
root:~> lslogins -l marc,charlie -f
UID USER FAILED-LOGIN FAILED-TTY
1000 marc Oct16/21:19 :0
1001 charlie
We can also show users by the group they belong to with the -g flag:
root:~> lslogins -g wheel
UID USER PROC PWD-LOCK PWD-DENY LAST-LOGIN GECOS
1000 marc 73 0 0 Oct26/19:59 Marc
We can filter logins by system (-s) and user (-u) types:
root:~> lslogins -s
UID USER PROC PWD-LOCK PWD-DENY LAST-LOGIN GECOS
985 ntop 0 0 1 ntop
986 setroubleshoot 0 0 1
987 nm-openconnect 0 0 1 NetworkManager user for OpenConnect
988 gnome-initial-setup 0 0 1
989 chrony 1 0 1
990 openvpn 0 0 1 OpenVPN
991 saslauth 0 0 1 Saslauthd user
992 geoclue 0 0 1 User for geoclue
993 unbound 0 0 1 Unbound DNS resolver
994 colord 1 0 1 User for colord
995 polkitd 1 0 1 User for polkitd
996 systemd-bus-proxy 0 0 1 systemd Bus Proxy
997 systemd-resolve 0 0 1 systemd Resolver
998 systemd-network 0 0 1 systemd Network Management
999 systemd-timesync 0 0 1 systemd Time Synchronization
root:~> lslogins -u
UID USER PROC PWD-LOCK PWD-DENY LAST-LOGIN GECOS
0 root 278 0 0 root
1000 marc 72 0 0 Oct26/19:59 Marc
1001 charlie 0 0 0 Jun10/17:31 Charlie
65534 nfsnobody 0 0 1 Anonymous NFS User
We can display data on last login session with -L:
root:~> lslogins -u -L
UID USER LAST-TTY LAST-HOSTNAME LAST-LOGIN
0 root
1000 marc pts/1 :0 Oct26/19:59
1001 charlie :1 :1 Jun10/17:31
And we can add extra password information with -p:
root:~> lslogins -u -L -p
UID USER LAST-TTY LAST-HOSTNAME LAST-LOGIN PWD-EMPTY PWD-LOCK PWD-DENY NOLOGIN HUSHED
0 root 0 0 0 0 0
1000 marc pts/1 :0 Oct26/19:59 0 0 0 0 0
1001 charlie :1 :1 Jun10/17:31 0 0 0 0 0
65534 nfsnobody 0 0 1 1 0
If we are going to use lslogins from within scripts, we might need to use --export, --colon-separate, --newline, --noheadings, --notruncate, --raw or --print0 to get one of the different formats below: