last Command in Linux

Introduction

In this hands-on lab, you will use the last command in Linux, which displays a log of recent user logins. You will learn its primary function, read its output, and analyze individual entries. You will then use command options to tailor the output and review user login patterns and system reboot history. The last command is a basic tool for Linux system administration and security auditing.

This lab provides practical exercises and detailed guidance for using the last command in user and permission management on Linux.

Understand the Purpose of the last Command

This section covers the core purpose of the last command in Linux. The last command reports recent user login activity: the username, the terminal used for the session, the login time, and the logout time. This makes it useful for monitoring system access and spotting potential security anomalies.

To execute the last command, simply type the following in your terminal:

last

Example output:

labex   pts/0        172.17.0.1     Fri Mar 31 10:23   still logged in
labex   pts/0        172.17.0.1     Fri Mar 31 10:22 - 10:23  (00:00)
labex   pts/0        172.17.0.1     Fri Mar 31 10:21 - 10:22  (00:01)
labex   pts/0        172.17.0.1     Fri Mar 31 10:20 - 10:21  (00:01)
reboot  system boot  4.15.0-162-generic Fri Mar 31 10:20 - 10:23  (00:03)

The output lists the login history: the user, the terminal, the associated IP address, the login time, and the logout time. A reboot entry records the most recent system restart, which is useful for root cause analysis.

Further refine your search by specifying usernames or terminals. For example, to isolate login records for the user labex, use:

last labex

This focused query will display only login/logout events related to the specified user, labex.

Explore the last Command Output

This section demonstrates the last command's options and output formats, which let you retrieve exactly the records you need.

The last command offers several options to customize the output. Key options include:

  • -n <number>: Limits the output to the last <number> entries.
  • -x: Includes system shutdown and reboot events in the output.
  • -i: Shows the IP address associated with each user login, which is useful for network-based security monitoring.
  • -R: Suppresses the hostname field from the output, which makes the log easier to read when the hostname isn't required.

Let's put these options into practice:

last -n 3

Example output:

labex   pts/0        172.17.0.1     Fri Mar 31 10:23   still logged in
labex   pts/0        172.17.0.1     Fri Mar 31 10:22 - 10:23  (00:00)
labex   pts/0        172.17.0.1     Fri Mar 31 10:21 - 10:22  (00:01)

This shows the three most recent login entries.

last -x

Example output:

labex   pts/0        172.17.0.1     Fri Mar 31 10:23   still logged in
labex   pts/0        172.17.0.1     Fri Mar 31 10:22 - 10:23  (00:00)
labex   pts/0        172.17.0.1     Fri Mar 31 10:21 - 10:22  (00:01)
reboot  system boot  4.15.0-162-generic Fri Mar 31 10:20 - 10:23  (00:03)

The -x option adds the system reboot record to the output, providing a more complete history.

last -i

Example output:

labex   pts/0        172.17.0.1     Fri Mar 31 10:23   still logged in
labex   pts/0        172.17.0.1     Fri Mar 31 10:22 - 10:23  (00:00)
labex   pts/0        172.17.0.1     Fri Mar 31 10:21 - 10:22  (00:01)
reboot  system boot  4.15.0-162-generic Fri Mar 31 10:20 - 10:23  (00:03)

The -i option displays the IP address for each login, assisting in network-based investigations.

Experiment with different options to see how each one changes the output.

Analyze Specific last Command Entries

Here, you'll learn to read individual entries in the output of the last command, a skill you need for security auditing and troubleshooting.

The last command provides detailed information for each login session, including username, terminal, IP address, login time, and logout time. Use this data to investigate user activity or system anomalies.

For example, let's examine the login history for the user labex:

last labex

Example output:

labex   pts/0        172.17.0.1     Fri Mar 31 10:23   still logged in
labex   pts/0        172.17.0.1     Fri Mar 31 10:22 - 10:23  (00:00)
labex   pts/0        172.17.0.1     Fri Mar 31 10:21 - 10:22  (00:01)
labex   pts/0        172.17.0.1     Fri Mar 31 10:20 - 10:21  (00:01)

The output shows that labex logged in four times today. Entries are listed newest first: the three earlier sessions were brief, and the fourth session, started at 10:23, is still active.

You can further refine your analysis by specifying both the username and terminal. For example:

last labex pts/0

Example output:

labex   pts/0        172.17.0.1     Fri Mar 31 10:23   still logged in
labex   pts/0        172.17.0.1     Fri Mar 31 10:22 - 10:23  (00:00)
labex   pts/0        172.17.0.1     Fri Mar 31 10:21 - 10:22  (00:01)
labex   pts/0        172.17.0.1     Fri Mar 31 10:20 - 10:21  (00:01)

This shows only the login sessions for labex on the pts/0 terminal, isolating the relevant events.

By analyzing the last command output, you gain insight into user activity and system events, which supports troubleshooting, security monitoring, and system administration.
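The per-entry analysis above can be scripted. The following is an added example, not part of the original lab: it summarizes last-style output per user and source and lists sources that are not on an allowlist. The function names, the alice and root lines, the trailer line, and the allowlist values are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: summarise `last`-style output per user and source.
# sample_last_output is constructed: the labex/reboot lines mirror this lab's
# example output; the alice, root and trailer lines are made up for the demo.
sample_last_output() {
cat <<'EOF'
labex   pts/0        172.17.0.1     Fri Mar 31 10:23   still logged in
labex   pts/0        172.17.0.1     Fri Mar 31 10:22 - 10:23  (00:00)
labex   pts/0        172.17.0.1     Fri Mar 31 10:21 - 10:22  (00:01)
labex   pts/0        172.17.0.1     Fri Mar 31 10:20 - 10:21  (00:01)
alice   pts/1        203.0.113.7    Fri Mar 31 10:21 - 10:22  (00:01)
root    tty1                        Fri Mar 31 10:20 - 10:21  (00:01)
reboot  system boot  4.15.0-162-generic Fri Mar 31 10:20 - 10:23  (00:03)

wtmp begins Fri Mar 31 10:20:01 2023
EOF
}

# Reads `last` output on stdin; prints "user source sessions active" rows.
summarize_logins() {
    awk '
        NF < 4 || $2 == "begins" { next }   # blank line, "wtmp begins" trailer
        $1 == "reboot" || $1 == "shutdown" || $1 == "runlevel" { next }  # pseudo-users
        {
            src = $3
            # Console logins have no host column, so field 3 is the weekday.
            if (src ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/) src = "local"
            key = $1 " " src
            count[key]++
            if ($0 ~ /still logged in/) active[key]++
        }
        END { for (k in count) print k, count[k], active[k] + 0 }
    ' | sort
}

# Prints summary rows whose source is not in the allowlist passed as arguments.
unexpected_sources() {
    allow=" $* "
    summarize_logins | while read -r user src n active; do
        case "$allow" in
            *" $src "*) ;;
            *) printf '%s %s %s %s\n' "$user" "$src" "$n" "$active" ;;
        esac
    done
}

# Demo on the constructed sample; on a live host: last -i | unexpected_sources ...
sample_last_output | unexpected_sources 172.17.0.1 local
```

On a live system, pipe last -i into the functions so the source column is always a numeric address rather than a hostname.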

Summary

In this lab, we explored the purpose of the last command in Linux. This command displays information about the last users who logged into the system, including their username, terminal, login time, and logout time. We also examined various options and output formats, such as limiting the number of displayed entries, including shutdown and reboot information, displaying IP addresses, and omitting hostnames.

The last command helps system administrators and users monitor login/logout activity and system events such as reboots. Used well, it gives you a clear view of your Linux system's usage and history.
