Friday, January 4, 2013

Last: Records User Logins And Last Reboots


"last" is one of the many gems that are of great use in Linux system administration.

"last" searches back through the file /var/log/wtmp (or the file designated by the -f flag) and displays a list of all users logged in (and out) since that file was created. Names of users and tty’s can be given, in which case last will show only those entries matching the arguments. Names of ttys can be abbreviated, thus last 0 is the same as last tty0.

When "last" catches a SIGINT signal (generated by the interrupt key, usually control-C) or a SIGQUIT signal (generated by the quit key, usually control-\), last will show how far it has searched through the file; in the case of the SIGINT signal last will then terminate.

The pseudo user reboot logs in each time the system is rebooted. Thus last reboot will show a log of all reboots since the log file was created.

[root@anneke ~]# last reboot
reboot system boot 2.6.32-279.14.1. Wed Dec 19 07:41 - 07:44 (00:03)
reboot system boot 2.6.32-279.14.1. Tue Dec 18 08:37 - 07:44 (23:07)
reboot system boot 2.6.32-279.14.1. Fri Dec 14 09:08 - 07:44 (4+22:36)
reboot system boot 2.6.32-279.14.1. Thu Dec 13 08:49 - 07:44 (5+22:54)
reboot system boot 2.6.32-279.5.2.e Thu Dec 6 03:33 - 05:17 (01:43)
reboot system boot 2.6.32-279.5.2.e Fri Nov 30 03:51 - 04:58 (01:07)
wtmp begins Thu Sep 6 11:38:08 2012
[root@anneke ~]#

or

[root@anneke ~]# last reboot | head -1
reboot system boot 2.6.32-279.14.1. Wed Dec 19 07:41 - 07:47 (00:06)

We can also check the shutdown info like this:
[root@anneke ~]# last shutdown
wtmp begins Thu Sep 6 11:38:08 2012
[root@anneke ~]#

More Examples:

To list all successful user logins:
# last

To list all failed login attempts:
# lastb

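To list entries with the remote IP address instead of the hostname:
# last -i or # lastb -i
(The -R option does the opposite: it suppresses the hostname field.)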

A real-life scenario: how to use the 'last' command to list the users who logged in during a given period. For example, if I want to get the list of users who logged in (and might have logged out after some time) from 15th Dec 2006 to 14th April 2007:

# last | sed -n '/Apr[ ]*14/,/Dec[ ]*15/p' | sed '/Dec[ ]*15/d'

How to clear the last command history:
# > /var/log/wtmp or # > /var/log/lastlog
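
Because wtmp is an ordinary file that root can empty or rewrite, the output of last is only as trustworthy as the file behind it. The sketch below is an added example, not part of the original post: it parses raw wtmp records and flags zeroed entries, timestamps that run backwards and a truncated tail. The 384-byte record layout (glibc on x86_64), the function names and the sample records are assumptions constructed for illustration.

```python
import struct

# Assumed layout: Linux/glibc struct utmp as written to /var/log/wtmp (384 bytes on x86_64).
UTMP = struct.Struct("<hxxi32s4s32s256shhiii16s20x")
BOOT_TIME, USER_PROCESS = 2, 7   # ut_type values from <utmp.h>

def _s(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def parse_wtmp(data):
    """Return (records, findings) for the raw bytes of a wtmp file."""
    records, findings = [], []
    if len(data) % UTMP.size:
        findings.append("trailing partial record (%d bytes)" % (len(data) % UTMP.size))
    prev = 0
    for off in range(0, len(data) - UTMP.size + 1, UTMP.size):
        chunk = data[off:off + UTMP.size]
        if not any(chunk):
            # A slot filled with NULs: an entry was overwritten in place.
            findings.append("zeroed record at offset %d" % off)
            continue
        typ, _pid, line, _id, user, host, _t, _e, _sess, sec, _usec, _addr = UTMP.unpack(chunk)
        if sec < prev:
            # wtmp is append-only, so record times should not decrease.
            findings.append("timestamp goes backwards at offset %d" % off)
        prev = sec
        records.append({"type": typ, "user": _s(user), "line": _s(line), "host": _s(host), "time": sec})
    return records, findings

def boots(records):
    """Boot times, i.e. the entries that `last reboot` lists."""
    return [r["time"] for r in records if r["type"] == BOOT_TIME]

def make_record(typ, user, line, host, sec):
    """Build one constructed record for the sample below (hypothetical helper)."""
    return UTMP.pack(typ, 0, line.encode(), b"", user.encode(), host.encode(), 0, 0, 0, sec, 0, b"")

# Constructed sample: a boot, a login, a zeroed slot, then a login dated before the boot.
SAMPLE = (make_record(BOOT_TIME, "reboot", "~", "2.6.32-279.14.1.", 1355902860)
          + make_record(USER_PROCESS, "root", "pts/0", "192.0.2.10", 1355903000)
          + b"\0" * UTMP.size
          + make_record(USER_PROCESS, "alice", "pts/1", "192.0.2.11", 1355800000))

if __name__ == "__main__":
    recs, issues = parse_wtmp(SAMPLE)
    print(boots(recs), issues)
```

To check a real host, pass open("/var/log/wtmp", "rb").read() to parse_wtmp. A clock step can also make timestamps run backwards, so treat the findings as leads to correlate with other logs.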

Thanks for the tips to: http://www.expertslogin.com