last
last is a linux command which tells login history. We can use this to know when a person logged in and logged out.
Let us look at some examples to understand
$ last
———reboot system boot 2.6.26-1-686 Wed Jun 8 09:20 – 18:15 (08:54)
ram pts/9 :0.0 Tue Jun 7 17:44 – 17:44 (00:00)
ram pts/9 :0.0 Tue Jun 7 15:30 – 15:32 (00:01)
ram pts/9 :0.0 Tue Jun 7 14:26 – 14:27 (00:00)
ram pts/8 :0.0 Tue Jun 7 14:26 – down (03:28)
ram pts/8 :0.0 Tue Jun 7 14:22 – 14:22 (00:00)
ram pts/8 :0.0 Tue Jun 7 12:04 – 12:31 (00:26)
ram pts/7 :0.0 Tue Jun 7 11:28 – 17:54 (06:26)
ram pts/6 :0.0 Tue Jun 7 11:27 – 17:54 (06:27)
ram pts/2 :0.0 Tue Jun 7 10:40 – 17:54 (07:14)
ram pts/5 :0.0 Tue Jun 7 10:10 – 17:55 (07:45)
ram pts/4 :0.0 Tue Jun 7 10:09 – 17:55 (07:45)
ram pts/3 :0.0 Tue Jun 7 10:09 – 17:55 (07:46)
ram pts/1 :0.0 Tue Jun 7 10:02 – down (07:53)
ram pts/1 :0.0 Tue Jun 7 09:57 – 10:01 (00:04)
ram pts/2 :0.0 Tue Jun 7 09:37 – 10:18 (00:41)
ram pts/1 :0.0 Tue Jun 7 09:36 – 09:41 (00:05)
ram pts/0 :0.0 Tue Jun 7 09:27 – down (08:27)
ram tty7 :0 Tue Jun 7 09:27 – down (08:27)
reboot system boot 2.6.26-1-686 Tue Jun 7 09:24 – 17:55 (08:30)
ram pts/11 :0.0 Mon Jun 6 18:23 – down (00:07)
This produces history of users. The columns are
1.username
2.the tty attached to the process
3.X-Display (in case of un-attached process it will give kernel version) or hostname
4.login time
5. log out time
6. duration
It gets data from /var/log/wtmp.
This command has several useful options. You can get a specific user’s history by giving that as argument
like
$ last root
root pts/13 rhservernew Fri Jun 10 15:05 – 15:12 (00:06)
wtmp begins Wed Jun 1 09:50:35 2011
last adds a pseudo user ‘reboot’ every time system boots. So if you want to see your booting history you
$last reboot
reboot system boot 2.6.26-1-686 Sun Jun 26 06:57 – 07:22 (00:25)
reboot system boot 2.6.26-1-686 Sun Jun 26 05:40 – 05:54 (00:13)
reboot system boot 2.6.26-1-686 Sat Jun 25 19:53 – 20:12 (00:19)
reboot system boot 2.6.26-1-686 Sat Jun 25 15:21 – 15:48 (00:27)
reboot system boot 2.6.26-1-686 Sat Jun 25 10:19 – 12:22 (02:03)
reboot system boot 2.6.26-1-686 Fri Jun 24 09:33 – 17:50 (08:17)
reboot system boot 2.6.26-1-686 Thu Jun 23 08:59 – 18:05 (09:06)
reboot system boot 2.6.26-1-686 Wed Jun 22 09:05 – 18:11 (09:06)
reboot system boot 2.6.26-1-686 Tue Jun 21 09:15 – 18:08 (08:53)
reboot system boot 2.6.26-1-686 Mon Jun 20 09:06 – 18:18 (09:11)
reboot system boot 2.6.26-1-686 Fri Jun 17 09:09 – 16:44 (1+07:35)
reboot system boot 2.6.26-1-686 Wed Jun 15 09:09 – 17:54 (1+08:45)
reboot system boot 2.6.26-1-686 Tue Jun 14 08:54 – 17:54 (09:00)
reboot system boot 2.6.26-1-686 Sat Jun 11 09:52 – 13:10 (03:18)
reboot system boot 2.6.26-1-686 Sat Jun 11 09:22 – 09:46 (00:23)
reboot system boot 2.6.26-1-686 Fri Jun 10 09:31 – 18:03 (08:31)
reboot system boot 2.6.26-1-686 Thu Jun 9 09:09 – 18:04 (08:54)
reboot system boot 2.6.26-1-686 Wed Jun 8 09:20 – 18:15 (08:54)
reboot system boot 2.6.26-1-686 Tue Jun 7 09:24 – 17:55 (08:30)
reboot system boot 2.6.26-1-686 Mon Jun 6 09:21 – 18:30 (09:08)
reboot system boot 2.6.26-1-686 Sat Jun 4 07:50 – 15:11 (07:21)
It has many other useful options like ipnumber etc.
lastb
Like last lastb gives login history but of failed attempts. We can use this to audit all failed attempts to login
$ lastb
(unknown tty7 :0 Sat Jun 25 15:21 – 15:21 (00:00)
(unknown tty7 :0 Fri Jun 24 09:34 – 09:34 (00:00)
(unknown tty7 :0 Thu Jun 23 08:59 – 08:59 (00:00)
Posted by ramanchennai 
