Who, when and from where? Good security practice says that you should know who has accessed your Linux computer. We show you how.
The wtmp file
Linux and other Unix-like operating systems such as macOS are very good at logging. Somewhere in the guts of the system there is a log for almost anything you can imagine. The log file we are interested in is called wtmp. The "w" could stand for "when" or "who".
We do know that wtmp is a log that records all logins and logouts. Checking the data in the wtmp log is a fundamental step in a security-conscious approach to your system administration tasks. On a typical family computer, security may not be so critical, but it is still interesting to be able to check how the shared computer is being used.
Unlike many of the text-based log files on Linux, wtmp is a binary file. To get at the data it contains, you must use a tool developed for this task.
That tool is the last command.
The last command
The last command reads data from the wtmp log and displays it in a terminal window.
If you type last and press Enter, all records from the log file are displayed.
Every record in wtmp is shown in the terminal window.
From left to right, each line contains the username of the person who logged in. An entry of :0 means they were logged on to the Linux computer itself rather than over the network.
The last line shows the date and time of the earliest session recorded in the log.
Each time the computer is restarted, a login entry for the pseudo-user "reboot" is written to the log. The terminal field is replaced by the kernel version. For these entries, the duration of the "logged-in session" represents the computer's uptime.
Viewing a Specific Number of Lines
When the last command is used on its own, the entire log is dumped at once and most of it scrolls past the terminal window. The part that remains visible is the earliest data in the log, which is probably not what you wanted to see.
You can tell last to show you a certain number of lines by giving the desired number of lines on the command line. Note the hyphen: to display five lines, you must enter -5, not 5.
This gives the first five lines of the log, which are the most recent records.
Displaying Network Names for Remote Users
The -d (Domain Name System) option tells last to attempt to resolve the IP addresses of remote users to a computer or network name.
It is not always possible for last to convert an IP address to a network name, but the command will do so whenever it can.
Hiding IP Addresses and Network Names
If you are not interested in the IP address or the network name, use the -R (no hostname) option to suppress this field.
Because this gives a cleaner output without ugly line wrapping, this option is used in all of the following examples. If you are using last to identify unusual or suspicious activity, you would of course not suppress this field.
Selecting records by date
You can use the -s (since) option to limit the output so that only login events that occurred since a certain date are displayed.
If you only want to see login events that occurred from May 26, 2019 onwards, use the following command:
last -R -s 2019-05-26
The output shows records of login events from 00:00 on the specified day up to the most recent records in the log file.
Searching up to an end date
With -t (to) you can specify an end date. In this way you can select the set of login records that occurred between two dates of interest.
Combined with -s, this asks last for the login records from 00:00 (the start of the day) on the 26th to 00:00 on the 27th and displays them. That restricts the list to login sessions that took place on the 26th.
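As an added example (not from the article, and not how last itself is implemented), here is a small Python reader for the binary wtmp layout that last consumes. It pairs logins with logouts, applies a since/to window on the login time the way -s and -t do, and answers "who was logged in at this moment" the way -p does; it assumes the glibc x86_64 record layout from utmp(5) and runs on a constructed sample log embedded in the block.

```python
import struct
from datetime import datetime, timezone

# glibc x86_64 struct utmp as described in utmp(5): 384 bytes per record
UTMP_FMT = "<hhi32s4s32s256shhiii4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8  # the ut_type values used here

def cstr(b):
    return b.split(b"\0", 1)[0].decode("utf-8", "replace")

def parse_wtmp(data):
    """Yield (ut_type, ut_line, ut_user, ut_host, tv_sec) for each record."""
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        yield f[0], cstr(f[3]), cstr(f[5]), cstr(f[6]), f[10]

def sessions(data, since=0, to=2**31 - 1):
    """Pair logins with the next logout on the same tty; window on login time like -s/-t."""
    out, open_lines = [], {}
    for ut_type, line, user, host, ts in parse_wtmp(data):
        if ut_type == BOOT_TIME:          # shown by last as the pseudo-user "reboot"
            out.append(("reboot", line, host, ts, None))
        elif ut_type == USER_PROCESS:
            open_lines[line] = (user, host, ts)
        elif ut_type == DEAD_PROCESS and line in open_lines:
            user, host, start = open_lines.pop(line)
            out.append((user, line, host, start, ts))
    for line, (user, host, start) in open_lines.items():  # no logout yet: still logged in
        out.append((user, line, host, start, None))
    return sorted((s for s in out if since <= s[3] < to), key=lambda s: -s[3])

def present(data, at):
    """Who was logged in at time `at`, like `last -p` (end None = still logged in)."""
    return [s for s in sessions(data) if s[3] <= at and (s[4] is None or s[4] > at)]

def record(ut_type, line, user, host, tv_sec):
    """Constructed record for the demo; real wtmp entries are written by login/init."""
    return struct.pack(UTMP_FMT, ut_type, 0, 0, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0, b"")

T0 = int(datetime(2019, 5, 26, tzinfo=timezone.utc).timestamp())  # 2019-05-26 00:00 UTC
SAMPLE_WTMP = b"".join([  # constructed sample log, not a real capture
    record(BOOT_TIME, "~", "reboot", "5.0.0-example", T0 + 8 * 3600),
    record(USER_PROCESS, "pts/0", "alice", "192.0.2.10", T0 + 9 * 3600),
    record(USER_PROCESS, "tty2", "bob", "", T0 + 10 * 3600),  # console login, no host
    record(DEAD_PROCESS, "pts/0", "", "", T0 + 11 * 3600),   # alice logs out
    record(USER_PROCESS, "pts/1", "carol", "203.0.113.5", T0 + 26 * 3600),  # the 27th
])
```

Calling sessions(SAMPLE_WTMP, since=T0, to=T0 + 86400) returns only the three entries from the 26th, newest first, which is the window the command above selects.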
Time and Date Formats
With the -s and -t options you can use both time and date formats. The formats that last supposedly accepts for options that take a date and time are:
- yyyy-mm-dd hh:mm:ss
- yyyy-mm-dd hh:mm – seconds are set to 00
- yyyy-mm-dd – time is set to 00:00:00
- hh:mm:ss – date is set to today
- hh:mm – date is set to today, seconds to 00
- yesterday – time is set to 00:00:00
- today – time is set to 00:00:00
- tomorrow – time is set to 00:00:00
- +5min
Only the second and third formats in the list worked during the research for this article. The commands were tested on the Ubuntu, Fedora and Manjaro distributions, which are derived from Debian, Red Hat and Arch respectively. That covers all of the main families of Linux distributions.
last -R -s 2019-05-26 11:00 -t 2019-05-27 13:00
As you can see, the command returned no records at all. (Because the date and the time are separated by a space, the shell passes them to last as separate arguments.)
Using the first date and time format from the list, with the same date and time as the previous command, records are returned:
last -R -s 20190526110000 -t 20190527130000
Searching with relative units
You can also specify periods measured in minutes or days, relative to the current date and time. Here we ask for the records from two days ago up to one day ago.
last -R -s -2days -t -1days
Yesterday, today and tomorrow
You can use yesterday, today and tomorrow as shorthand for yesterday's date, today's date and tomorrow's date.
last -R -s yesterday -t today
Note that this does not include any records for today. That is the expected behavior: the command requests records from the start date up to the end date, and it includes no records from the end date itself.
The now option is shorthand for "today, at the present time". To see the login events that have taken place from 00:00 (the start of the day) up to the moment you issue the command, use:
last -R -s today -t now
This shows all of today's login events, including those of people who are still logged in.
The present option
With the -p (present) option you can find out who was logged in at a given time.
It does not matter when they logged in or out: if they were logged on to the computer at the specified time, they are included in the list.
If you specify a time without a date, last assumes you mean today.
last -R -p 09:30
People who are still logged in (obviously) have no logout time; they are described as still logged in. If the computer has not been restarted since the time you specify, the reboot entry is listed as still running.
If you use the shorthand now with the -p (present) option, you find out who is logged in at the moment the command is issued.
last -R -p now
This is a somewhat cumbersome way of achieving what the who command gives you directly.
The lastb command
The lastb command also deserves a mention. It reads data from a log called btmp. There is a little more agreement about this log's name: the "b" stands for bad, but the "tmp" part is still debated.
lastb lists the bad (failed) login attempts. It accepts the same options as last. Since the login attempts failed, all entries have a duration of 00:00.
You must use sudo with lastb:
sudo lastb -R
The last word on the matter
Knowing who logged in to your Linux computer, when, and from where is useful information. Combine it with the details of the failed login attempts and you have a good starting point for investigating suspicious behavior.