How to Use the Last Command on Linux



Who, when and from where? Good security practices say that you should know who accessed your Linux computer. We show you how.

The wtmp file

Linux and other Unix-like operating systems such as macOS are very good at logging. Somewhere in the guts of the system there is a log for almost anything you can think of. The log file we are interested in is called wtmp. The "w" could stand for "when" or "who"; nobody seems to agree. The "tmp" part probably stands for "temporary", but it could also stand for "timestamp".

What we do know is that wtmp is a log that records all logins and logouts. Reviewing the data in the wtmp log is a basic step in taking a security-minded approach to your system administration duties. For a typical family computer, security may not be so critical, but it is still interesting to be able to review your combined use of the computer.

Unlike most of the text-based log files on Linux, wtmp is a binary file. To access the data within it, you need to use a tool designed for that task.

That tool is the last command.

The last command

The last command reads data from the wtmp log and displays it in a terminal window.

If you type last and press Enter, all records from the log file will be displayed.

  last 

Each record from wtmp is displayed in the terminal window.

From left to right, each line contains:

  • The username of the person who logged in.
  • The terminal they were logged in on. A terminal entry of :0 means they were logged in on the Linux computer itself.
  • The IP address of the computer they logged in from.
  • The login time and date stamp.
  • The duration of the session.

    The last line tells you the date and time of the earliest recorded session in the log.

    Each time the computer is booted, a login entry for the pseudo-user "reboot" is entered in the log. The terminal field is replaced by the kernel version. The duration of the logged-in session for these entries represents the computer's uptime.

    Viewing a Specific Number of Lines

    Using the last command on its own produces a dump of the entire log, with most of it scrolling past the terminal window. The part that remains visible is the earliest data in the log. This is probably not what you wanted to see.

    You can tell last to give you a specific number of lines of output. Provide the number of lines you want on the command line. Note the hyphen. To display five lines, you must enter -5 and not 5:

      last -5 

    This gives the first five lines of the log, which is the most recent data.

    Displaying Network Names for Remote Users

    The -d (Domain Name System) option tells last to try to resolve the IP addresses of remote users to a machine or network name.

      last -d 

    It is not always possible for last to convert the IP address to a network name, but the command will do so when it can.

    Hiding IP Addresses and Network Names

    If you are not interested in the IP address or the network name, use the -R (no hostname) option to suppress this field.

      last -R

    Because this gives a cleaner output without ugly line wraps, this option is used in all the following examples. If you were using last to identify unusual or suspicious activity, you would not suppress this field.

    Selecting records by date

    You can use the -s option (since) to limit the output so that only logon events that occurred since a certain date are displayed.

    If you only want to view logon events that occurred as of May 26, 2019, use the following command:

      last -R -s 2019-05-26 

    The output shows records of login events that took place from 00:00 on the specified day up to the most recent records in the log file.

    Search up to an end date

    With the -t (to) option you can specify an end date. In this way, you can select a set of login records that took place between two dates of interest.

      last -R -s 2019-05-26 -t 2019-05-27

    This command asks last to retrieve and display the login records from 00:00 (dawn) on the 26th to 00:00 (dawn) on the 27th. This restricts the list to login sessions that took place on the 26th.

    Time and Date Formats

    You can use times as well as dates with the -s and -t options. The time and date formats that can be used with the last options that take dates and times are (allegedly):

    • yyyymmddhhmmss
    • yyyy-mm-dd hh:mm:ss
    • yyyy-mm-dd hh:mm – seconds are set to 00
    • yyyy-mm-dd – time is set to 00:00:00
    • hh:mm:ss – date is set to today
    • hh:mm – date is set to today, seconds to 00
    • now
    • yesterday – the time is set to 00:00:00
    • today – the time is set to 00:00:00
    • tomorrow – the time is set to 00:00:00
    • +5min
    • -5days

    Why "allegedly"?

    The second and third formats in the list did not work during the research for this article. These commands were tested on Ubuntu, Fedora and Manjaro distributions. These are derivatives of the Debian, RedHat and Arch distributions. This covers all the main families of Linux distributions.

      last -R -s 2019-05-26 11:00 -t 2019-05-27 13:00 

    The command returned no records at all.

    When using the first date and time format from the list with the same date and time as the previous command, records are returned:

      last -R -s 20190526110000 -t 20190527130000 

    Search for relative units

    You can also specify time periods measured in minutes or days, relative to the current date and time. Here we ask for records from two days ago to one day ago.

      last -R -s -2days -t -1days 

    Yesterday, today and now

    You can use yesterday and today as shorthand for yesterday's date and today's date.

      last -R -s yesterday -t today 

    Note that this does not include any records for today. That is the expected behavior. The command asks for records from the start date up to the end date. It does not include records from within the end date.

    The now option is shorthand for "today at the current time". To view the login events that have taken place since 00:00 (dawn) up to the time you issue the command, use this command:

      last -R -s today -t now

    This shows all login events, including those of users who are still logged in.

    The present option

    The -p (present) option lets you find out who was logged in at a particular point in time.

    It does not matter when they logged in or out, but if they were logged in to the computer at the specified time, they are included in the list.

    If you specify a time without a date, last assumes you mean "today".

      last -R -p 09:30 

    People who are still logged in (obviously) have no logout time; they are described as still logged in. If the computer has not been rebooted since the time you specify, it is listed as still running.

    If you use the now shorthand with the -p (present) option, you can find out who is logged in at the time you issue the command.

      last -R -p now

    This is a somewhat long-winded way to achieve what can be done with the who command.

    The lastb command

    The lastb command deserves a mention. It reads data from a log called btmp. There is a little more agreement about this log name. The "b" stands for bad, but the "tmp" part is still subject to debate.

    lastb lists the bad (failed) login attempts. It accepts the same options as last. Because they were failed login attempts, the entries all have a duration of 00:00.

    You must use sudo with lastb.

      sudo lastb -R 

    The last word in the matter

    Knowing who logged in to your Linux computer, when, and from where is useful information. If you combine this with the details of failed login attempts, you have the first steps in investigating suspicious behavior.



