Linux last and lastb command

Updated: 04/26/2017 by Computer Hope

About last and lastb

Show listing of the most recently logged in users.

Description

last searches back through the file /var/log/wtmp (or the file designated by the -f flag) and displays a list of all users logged in (and out) since that file was created. Names of users and tty's can be given, in which case last will show only those entries matching the arguments. Names of ttys can be abbreviated, thus last 0 is the same as last tty0.

When last catches a SIGINT signal (generated by the interrupt key, usually control-C) or a SIGQUIT signal (generated by the quit key, usually control-\), last will show how far it has searched through the file; in the case of the SIGINT signal, last will then terminate.

The pseudo-user "reboot" logs in each time the system is rebooted. Thus last reboot will show a log of all reboots since the log file was created.

lastb is the same as last, except that by default it shows a log of the file /var/log/btmp, which contains all the bad login attempts.

lastb and last syntax

last [-R] [-num] [ -n num ] [-adFiowx] [ -f file ] [ -t YYYYMMDDHHMMSS ] [
     name...] [tty...]
lastb [-R] [-num] [ -n num ] [ -f file ] [-adFiowx] [name...] [tty...]

Options

-f file Tells last to use a specific file instead of /var/log/wtmp.
-num This is a count telling last how many lines to show.
-n num same as above; display num lines.
-t YYYYMMDDHHMMSS Display the state of logins as of the specified time. This is useful, e.g., to determine easily who was logged in at a particular time; specify that time with -t and look for "still logged in".
-R Suppresses the display of the hostname field.
-a Display the hostname in the last column. Useful in combination with the flag -d.
-d For non-local logins, Linux stores not only the host name of the remote host but its IP number as well. This option translates the IP number back into a hostname.
-F Print full login and logout times and dates.
-i This option is like -d in that it displays the IP number of the remote host, but it displays the IP number in numbers-and-dots notation.
-o Read an old-type wtmp file (written by linux-libc5 applications).
-w Display full user and domain names in the output.
-x Display the system shutdown entries and run level changes.

lastb and last examples

last

Running last with no arguments will display results similar to the example below. Each line starts with the account name (in this case "root" and "mrhope").

root 	pts/1 	55.98.0.130 		Fri Nov 14 18:52 - 22:16 (03:23)
root 	pts/0 	c-57-161-249-108 	Fri Nov 14 05:45 - 03:09 (1+21:23)
mrhope 	pts/0 	c-57-161-249-109 	Wed Nov 12 06:51 - 03:14 (1+20:22)
root 	pts/1 	c-57-161-249-108 	Tue Nov 11 19:53 - 05:03 (09:09)
root 	pts/1 	55.98.0.130 		Wed Nov 5 07:35 - 11:14 (03:39)
root 	pts/0 	c-57-161-249-108 	Wed Nov 5 06:20 - 21:10 (6+14:49)
root 	pts/0 	55.98.0.130 		Tue Nov 4 13:32 - 14:02 (00:30)
root 	tty7 				Tue Nov 4 12:24 - down (31+12:37)
last reboot | less

Display last reboot times similiar to the example below.

reboot   system boot  3.6.12-502.el6.x Sun May 31 03:59 - 12:01  (08:02)
reboot   system boot  3.6.12-502.el6.x Fri May 29 07:17 - 12:01 (2+04:43)
reboot   system boot  3.6.12-502.el6.x Wed May 27 02:37 - 12:01 (4+09:23)
reboot   system boot  3.6.12-502.el6.x Tue May 26 16:42 - 16:43  (00:00)
reboot   system boot  3.6.12-502.el6.x Tue May  5 22:04 - 16:41 (20+18:36)
last -x | less

Display last shutdown times similiar to the example below.

root     pts/0        c-124-12-121-132 Sun May 31 10:17   still logged in
runlevel (to lvl 3)   3.6.12-502.el6.x Sun May 31 03:59 - 12:02  (08:03)
reboot   system boot  3.6.12-502.el6.x Sun May 31 03:59 - 12:02  (08:03)
root     pts/0        c-124-12-121-132 Fri May 29 07:42 - crash (1+20:16)
root     pts/0        control.comphope Fri May 29 07:24 - 07:27  (00:03)
runlevel (to lvl 3)   3.6.12-502.el6.x Fri May 29 07:17 - 03:59 (1+20:41)
reboot   system boot  3.6.12-502.el6.x Fri May 29 07:17 - 12:02 (2+04:45)
root     pts/1        c-124-12-121-132 Thu May 28 01:25 - crash (1+05:51)
hope     pts/0        c-124-12-121-132 Wed May 27 03:18 - crash (2+03:59)
runlevel (to lvl 3)   3.6.12-502.el6.x Wed May 27 02:37 - 07:17 (2+04:39)
reboot   system boot  3.6.12-502.el6.x Wed May 27 02:37 - 12:02 (4+09:25)
shutdown system down  3.6.12-502.el6.x Tue May 26 16:43 - 02:37  (09:54)

who — Report which users are logged in to the system.