How to Use the last Command on Linux

Who, when, and from where? Good security practices say you should know who’s been accessing your Linux computer. We show you how.

The wtmp File

Linux and other Unix-like operating systems such as macOS are very good at logging. Somewhere in the bowels of the system, there is a log for just about everything you can think of. The log file we’re interested in is called wtmp. The “w” might stand for “when” or “who”; no one seems to agree. The “tmp” part probably stands for “temporary,” but it might also stand for “timestamp.”

What we do know is that wtmp is a log that captures and records every login and logout event. Reviewing the data in the wtmp log is a basic step in taking a security-minded approach to your system admin duties. For a typical family computer, it might not be so critical from a security perspective, but it is interesting to be able to review your combined use of the computer.

Unlike many of the text-based log files in Linux, wtmp is a binary file. To access the data within it, we need to use a tool designed for that task.

That tool is the last command.

The last Command

The last command reads data from the wtmp log and displays it in a terminal window.

If you type last and press Enter, it will display all of the records from the log file.

last

Each record from wtmp is displayed in the terminal window.
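
To show what last is decoding, here is an added example (not part of the original article): a small Python parser for wtmp records that pairs logins with logouts. It assumes the 384-byte struct utmp layout used by glibc on x86-64 Linux, and the sample records are constructed test data, not a real log.

```python
import struct
from datetime import datetime, timezone

# Assumption: glibc struct utmp on x86-64 Linux, 384 bytes per record.
UTMP = struct.Struct("<hxxi32s4s32s256shhiii4i20s")
USER_PROCESS, DEAD_PROCESS = 7, 8  # ut_type values for login / logout

def text(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def parse_wtmp(data):
    """Yield one dict per complete record; a truncated tail is ignored."""
    usable = len(data) - len(data) % UTMP.size
    for rec in UTMP.iter_unpack(data[:usable]):
        yield {"type": rec[0], "pid": rec[1], "line": text(rec[2]),
               "user": text(rec[4]), "host": text(rec[5]),
               "time": datetime.fromtimestamp(rec[9], tz=timezone.utc)}

def sessions(records):
    """Pair each login with the next logout on the same terminal line.
    Boot and shutdown records are ignored in this narrowed example."""
    open_by_line, done = {}, []
    for r in records:
        if r["type"] == USER_PROCESS:
            open_by_line[r["line"]] = r
        elif r["type"] == DEAD_PROCESS and r["line"] in open_by_line:
            start = open_by_line.pop(r["line"])
            done.append((start["user"], start["line"], start["host"],
                         start["time"], r["time"]))
    # Logins with no matching logout: what last shows as "still logged in".
    done += [(r["user"], r["line"], r["host"], r["time"], None)
             for r in open_by_line.values()]
    return done

def make_record(ut_type, pid, line, user, host, ts):
    """Build one constructed sample record (hypothetical helper)."""
    return UTMP.pack(ut_type, pid, line.encode(), b"", user.encode(),
                     host.encode(), 0, 0, 0, ts, 0, 0, 0, 0, 0, b"")

# Constructed sample: dave logs in and out, mary is still logged in.
SAMPLE = (make_record(USER_PROCESS, 1201, "pts/0", "dave", "192.0.2.10", 1700000000)
          + make_record(DEAD_PROCESS, 1201, "pts/0", "", "", 1700003600)
          + make_record(USER_PROCESS, 1350, "pts/1", "mary", "192.0.2.11", 1700007200))

if __name__ == "__main__":
    for user, line, host, start, end in sessions(parse_wtmp(SAMPLE)):
        print(user, line, host, start, end or "still logged in")
```

To try it on a real log, pass the bytes of the wtmp file to parse_wtmp in place of SAMPLE and compare the result with the output of last.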
