last Command: Tutorial & Examples

Display the last logged in users

The last command in Linux is used to display a list of all the last logged in users in the system. It is particularly useful when you need to monitor or troubleshoot security or user-related issues. The last command works by reading the /var/log/wtmp file, which is a binary file that holds data about user logins and logouts, system events and other information. When you execute the last command, it converts this binary data into a human-readable format and displays it in the shell.

Why is it important?

The last command is an essential tool for system administrators, security analysts and anyone else who needs to monitor user activity on a Linux server. It allows you to see who has logged into the system, when they logged in, how long they stayed logged in, and their IP address or hostname. This information can be used to troubleshoot issues, monitor user activity, and improve system security.

How to use the last command?

Using the last command is straightforward. You simply type last into the shell and hit Enter. Here's an example:


This will display a list of all the last logged in users.

There are also a number of options you can use with the last command to customize the output. Here are a few examples:

last -n 5

This command will display the last 5 login sessions.

last -R

This command will display the last login sessions without displaying the hostname or IP address.

last reboot

This command will display a list of all system reboots.

Common command line parameters

Here are some common command line parameters used with the last command:

  • -n or --lines: This option is followed by a number and displays the said number of lines.
  • -R or --no-hostname: This option displays the output without showing the hostname.
  • -a or --hostlast: This option shows the hostname in the last column.
  • -w or --fulltimes: This option shows full login and logout times.

Potential problems and pitfalls

While using the last command is generally safe, there are a few potential pitfalls to be aware of. First, the last command reads data from the /var/log/wtmp file, which is a binary file. If this file becomes corrupted, the output of the last command may be inaccurate or misleading.

Second, the last command only shows a limited history. The length of this history depends on the configuration of your system and the size of the /var/log/wtmp file. If you need to access older login data, you may need to configure your system to retain this data for a longer period of time.

Finally, remember that the last command only shows login sessions. It does not show what actions a user took during their session. If you need this level of detail, you will need to use other tools or techniques.

In conclusion, the last command is a powerful tool for monitoring and troubleshooting user activity on a Linux server. By understanding how to use this command and being aware of its potential pitfalls, you can improve the security and efficiency of your server.

The text above is licensed under CC BY-SA 4.0 CC BY SA