Lesser known Linux commands: last, lastb

last

last is a Linux command that shows login history. We can use it to find out when a person logged in and logged out.
Let us look at some examples to understand it.

$ last


reboot   system boot  2.6.26-1-686     Wed Jun  8 09:20 – 18:15  (08:54)
ram      pts/9        :0.0             Tue Jun  7 17:44 – 17:44  (00:00)
ram      pts/9        :0.0             Tue Jun  7 15:30 – 15:32  (00:01)
ram      pts/9        :0.0             Tue Jun  7 14:26 – 14:27  (00:00)
ram      pts/8        :0.0             Tue Jun  7 14:26 – down   (03:28)
ram      pts/8        :0.0             Tue Jun  7 14:22 – 14:22  (00:00)
ram      pts/8        :0.0             Tue Jun  7 12:04 – 12:31  (00:26)
ram      pts/7        :0.0             Tue Jun  7 11:28 – 17:54  (06:26)
ram      pts/6        :0.0             Tue Jun  7 11:27 – 17:54  (06:27)
ram      pts/2        :0.0             Tue Jun  7 10:40 – 17:54  (07:14)
ram      pts/5        :0.0             Tue Jun  7 10:10 – 17:55  (07:45)
ram      pts/4        :0.0             Tue Jun  7 10:09 – 17:55  (07:45)
ram      pts/3        :0.0             Tue Jun  7 10:09 – 17:55  (07:46)
ram      pts/1        :0.0             Tue Jun  7 10:02 – down   (07:53)
ram      pts/1        :0.0             Tue Jun  7 09:57 – 10:01  (00:04)
ram      pts/2        :0.0             Tue Jun  7 09:37 – 10:18  (00:41)
ram      pts/1        :0.0             Tue Jun  7 09:36 – 09:41  (00:05)
ram      pts/0        :0.0             Tue Jun  7 09:27 – down   (08:27)
ram      tty7         :0               Tue Jun  7 09:27 – down   (08:27)
reboot   system boot  2.6.26-1-686     Tue Jun  7 09:24 – 17:55  (08:30)
ram      pts/11       :0.0             Mon Jun  6 18:23 – down   (00:07)


This produces the login history of users. The columns are:
1. username
2. the tty attached to the process
3. X display (for an unattached process it gives the kernel version) or hostname
4. login time
5. logout time
6. duration
It gets its data from /var/log/wtmp.
This command has several useful options. You can get a specific user’s history by giving the username as an argument,
like

$ last root


root     pts/13       rhservernew      Fri Jun 10 15:05 – 15:12  (00:06)

wtmp begins Wed Jun  1 09:50:35 2011


last adds a pseudo-user ‘reboot’ every time the system boots. So if you want to see your booting history you

$ last reboot


reboot   system boot  2.6.26-1-686     Sun Jun 26 06:57 – 07:22  (00:25)
reboot   system boot  2.6.26-1-686     Sun Jun 26 05:40 – 05:54  (00:13)
reboot   system boot  2.6.26-1-686     Sat Jun 25 19:53 – 20:12  (00:19)
reboot   system boot  2.6.26-1-686     Sat Jun 25 15:21 – 15:48  (00:27)
reboot   system boot  2.6.26-1-686     Sat Jun 25 10:19 – 12:22  (02:03)
reboot   system boot  2.6.26-1-686     Fri Jun 24 09:33 – 17:50  (08:17)
reboot   system boot  2.6.26-1-686     Thu Jun 23 08:59 – 18:05  (09:06)
reboot   system boot  2.6.26-1-686     Wed Jun 22 09:05 – 18:11  (09:06)
reboot   system boot  2.6.26-1-686     Tue Jun 21 09:15 – 18:08  (08:53)
reboot   system boot  2.6.26-1-686     Mon Jun 20 09:06 – 18:18  (09:11)
reboot   system boot  2.6.26-1-686     Fri Jun 17 09:09 – 16:44 (1+07:35)
reboot   system boot  2.6.26-1-686     Wed Jun 15 09:09 – 17:54 (1+08:45)
reboot   system boot  2.6.26-1-686     Tue Jun 14 08:54 – 17:54  (09:00)
reboot   system boot  2.6.26-1-686     Sat Jun 11 09:52 – 13:10  (03:18)
reboot   system boot  2.6.26-1-686     Sat Jun 11 09:22 – 09:46  (00:23)
reboot   system boot  2.6.26-1-686     Fri Jun 10 09:31 – 18:03  (08:31)
reboot   system boot  2.6.26-1-686     Thu Jun  9 09:09 – 18:04  (08:54)
reboot   system boot  2.6.26-1-686     Wed Jun  8 09:20 – 18:15  (08:54)
reboot   system boot  2.6.26-1-686     Tue Jun  7 09:24 – 17:55  (08:30)
reboot   system boot  2.6.26-1-686     Mon Jun  6 09:21 – 18:30  (09:08)
reboot   system boot  2.6.26-1-686     Sat Jun  4 07:50 – 15:11  (07:21)


It has many other useful options, like ipnumber, etc.

lastb

Like last, lastb gives login history, but of failed attempts. We can use this to audit all failed login attempts.

$ lastb


(unknown tty7         :0               Sat Jun 25 15:21 – 15:21  (00:00)
(unknown tty7         :0               Fri Jun 24 09:34 – 09:34  (00:00)
(unknown tty7         :0               Thu Jun 23 08:59 – 08:59  (00:00)
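
last builds its columns from fixed-size binary records in /var/log/wtmp, and lastb reads /var/log/btmp in the same record format. The following is an added example, not code from the original post: it parses such records and pairs logins with logouts per tty, which is useful for reviewing a copied log file offline. It assumes glibc's 384-byte struct utmp layout on x86 Linux; the names parse_wtmp, sessions and make_record are hypothetical, and the sample records are constructed.

```python
import struct
# Assumption: glibc's 384-byte "struct utmp" on x86 Linux, little-endian.
UTMP = struct.Struct("<h2xi32s4s32s256shhiii4i20s")
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8  # ut_type values from <utmp.h>

def _text(raw):
    """Fixed-width char fields are NUL-padded, not always NUL-terminated."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def parse_wtmp(data):
    """Yield a dict per complete record; a truncated tail record is skipped."""
    for off in range(0, len(data) - UTMP.size + 1, UTMP.size):
        f = UTMP.unpack_from(data, off)
        yield {"type": f[0], "line": _text(f[2]), "user": _text(f[4]),
               "host": _text(f[5]), "time": f[9]}

def sessions(records):
    """Pair each login with the record that ended it, keyed by tty line."""
    open_by_line, done = {}, []
    def close(line, when, how):
        s = open_by_line.pop(line, None)
        if s:
            done.append({**s, "secs": when - s["login"], "end": how})
    for r in records:
        if r["type"] == BOOT_TIME:
            for line in list(open_by_line):  # boot ends sessions with no logout
                close(line, r["time"], "reboot")
        elif r["type"] == USER_PROCESS:
            close(r["line"], r["time"], "tty reused")
            open_by_line[r["line"]] = {"user": r["user"], "line": r["line"],
                                       "host": r["host"], "login": r["time"]}
        elif r["type"] == DEAD_PROCESS:
            close(r["line"], r["time"], "logout")
    return done + [{**s, "secs": None, "end": "still logged in"}
                   for s in open_by_line.values()]

def make_record(ut_type, line, user, host, ts):
    """Build one constructed record for the sample below (not real log data)."""
    return UTMP.pack(ut_type, 0, line.encode(), b"", user.encode(),
                     host.encode(), 0, 0, 0, ts, 0, 0, 0, 0, 0, b"")

# Constructed sample ending in a truncated record (as after an interrupted write).
SAMPLE = b"".join([
    make_record(BOOT_TIME, "~", "reboot", "2.6.26-1-686", 1000),
    make_record(USER_PROCESS, "pts/13", "root", "rhservernew", 1300),
    make_record(DEAD_PROCESS, "pts/13", "", "", 1660),
    make_record(USER_PROCESS, "pts/1", "ram", ":0.0", 2000),
    make_record(BOOT_TIME, "~", "reboot", "2.6.26-1-686", 5000),
]) + b"\x00" * 100
```

To use it on a real log, read a copy of the file in binary mode and pass the bytes to parse_wtmp; the time field is seconds since the Unix epoch.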

