Built-in audit tracking tool in Linux: last Command


If you are a server administrator, you know that you want to protect your server not only from the outside but also from the inside. Linux has a built-in tool to view the users who most recently logged on to the server, which can help you keep an eye on it.

That tool is the last command. It is very useful for tracking logins. Let's take a look at what last can do for you.

What is the function of last command?

last displays all user logins (and logouts) recorded in the /var/log/wtmp file. This is a binary file and cannot be viewed with a text editor such as vi, Joe, or similar software, which is useful because users (or even root) cannot casually edit it by hand.

For each entry, last shows the user name, the tty, the IP address (if the user connected remotely), the date and time, and how long the user was logged on.

How to run last

You only need to enter last in the console. This is an example:

$ last
leni     pts/0        10.0.76.162      Mon Dec  2 12:32 - 13:25  (00:53)
pungki   tty1                          Mon Dec  2 09:31   still logged in
reboot   system boot  2.6.32-358.23.2  Mon Dec  2 09:20 - 13:25  (04:05)

Here is how to read the output of last:

  • The first column shows the user name.
  • The second column shows how the user connected.

    • pts/0 (pseudo terminal) means a remote connection, for example over SSH or telnet.
    • tty (teletypewriter) means the user is directly connected to the computer, i.e. a local user.
    • For the reboot entry, this column shows system boot instead.
  • The third column shows where the user came from. If the user came from a remote computer, you will see a host name or IP address. If you see :0.0 or nothing, the user connected through a local terminal. For the reboot entry, this column shows the kernel version.

  • The remaining columns show when the login took place. The numbers in parentheses tell how many hours and minutes the session lasted.
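Because /var/log/wtmp is binary, the columns above are decoded from fixed-size utmp records. As an added example (not code from the original article), the Python below reads such records and pairs logins with logouts and reboots the way last does, producing "still logged in" and "down" entries; it assumes the glibc x86-64 utmp layout (384-byte little-endian records), and the sample wtmp it parses is constructed inline to mirror the article's output.

```python
import struct
from datetime import datetime, timezone

# Assumed layout: glibc struct utmp on x86-64 Linux (384 bytes, little-endian).
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)            # 384
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8  # ut_type values from <utmp.h>

def _cstr(b):
    return b.split(b"\0", 1)[0].decode(errors="replace")

def make_record(ut_type, user, line, host, sec):
    """Pack one utmp record (used only to build the constructed sample below)."""
    return struct.pack(UTMP_FMT, ut_type, 0, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, sec, 0, 0, 0, 0, 0, b"")

def parse_wtmp(data):
    """Yield (ut_type, user, line, host, unix_time) per record, oldest first."""
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack(UTMP_FMT, data[off:off + UTMP_SIZE])
        yield f[0], _cstr(f[4]), _cstr(f[2]), _cstr(f[5]), f[9]

def sessions(data):
    """Pair logins with logouts/reboots like last(1); newest session first.
    Returns (user, line, host, start, end, minutes); end is a unix time,
    'down' (closed by a reboot) or 'still logged in' (minutes is then None)."""
    open_by_line, out = {}, []
    for ut_type, user, line, host, sec in parse_wtmp(data):
        if ut_type == USER_PROCESS:
            open_by_line[line] = (user, host, sec)
        elif ut_type == DEAD_PROCESS and line in open_by_line:
            user, host, start = open_by_line.pop(line)
            out.append((user, line, host, start, sec, (sec - start) // 60))
        elif ut_type == BOOT_TIME:           # a reboot ends every open session
            for l, (user, host, start) in open_by_line.items():
                out.append((user, l, host, start, "down", (sec - start) // 60))
            open_by_line.clear()
    for line, (user, host, start) in open_by_line.items():
        out.append((user, line, host, start, "still logged in", None))
    return sorted(out, key=lambda s: s[3], reverse=True)

def _t(day, hour, minute):  # constructed timestamps, December 2013 UTC
    return int(datetime(2013, 12, day, hour, minute, tzinfo=timezone.utc).timestamp())

# Constructed sample wtmp mirroring the article's output (not a real capture).
SAMPLE_WTMP = b"".join([
    make_record(USER_PROCESS, "pungki", "tty1", "", _t(1, 18, 55)),
    make_record(DEAD_PROCESS, "", "tty1", "", _t(2, 4, 7)),
    make_record(USER_PROCESS, "pungki", "tty1", "", _t(2, 4, 26)),
    make_record(BOOT_TIME, "reboot", "~", "2.6.32-358.23.2", _t(2, 9, 20)),
    make_record(USER_PROCESS, "pungki", "tty1", "", _t(2, 9, 31)),
    make_record(USER_PROCESS, "leni", "pts/0", "10.0.76.162", _t(2, 12, 32)),
    make_record(DEAD_PROCESS, "", "pts/0", "", _t(2, 13, 25)),
])
```

Calling sessions(SAMPLE_WTMP) yields four entries, newest first: leni on pts/0 for 53 minutes, pungki still logged in on tty1, pungki's earlier tty1 session ended by the reboot ("down"), and the overnight tty1 session of 9 hours 12 minutes.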

Examples of last in daily operations

Limit the number of rows displayed

When there are many rows to display, you can limit the number of rows you see. Use the -n parameter to do this.

$ last -n 3
leni     pts/0        10.0.76.162      Mon Dec  2 12:32 - 13:25  (00:53)
pungki   tty1                          Mon Dec  2 09:31   still logged in
reboot   system boot  2.6.32-358.23.2  Mon Dec  2 09:20 - 13:25  (04:05)

The -n parameter displays the most recent three records, counting back from the present.

Do not display the host name

Use the -R parameter to do this. Here is an example:

$ last -R
leni     pts/0        Mon Dec  2 12:32 - 13:25  (00:53)
pungki   tty1         Mon Dec  2 09:31   still logged in
reboot   system boot  Mon Dec  2 09:20 - 13:25  (04:05)

As you can see, there is no host or IP address information.

Display the host name in the last column

To do this, use the -a parameter.

$ last -a
leni     pts/0        Mon Dec  2 12:32 - 13:25  (00:53)     10.0.76.162
pungki   tty1         Mon Dec  2 09:31   still logged in    :0.0
reboot   system boot  Mon Dec  2 09:20 - 13:25  (04:05)     2.6.32-358.23.2.el6.i686

Now the host information, such as 10.0.76.162, is placed in the last column.

Display the full login and logout date and time

You can use the -F parameter for this purpose. Here is an example:

$ last -F
leni     pts/0        10.0.76.162      Mon Dec  2 12:32:24 2013 - Mon Dec  2 13:25:24 2013  (00:53)

Print a specific user

If you want to track a specific user, you can print only that user's entries. Enter the user name after the last command.

$ last leni
leni     tty1         Mon Dec  2 18:42   still logged in
leni     pts/0        Mon Dec  2 12:32 - 13:25  (00:53)     10.0.76.162

Or, if you want to know when the system was rebooted, you can display it like this:

$ last reboot
reboot   system boot  Mon Dec  2 09:20 - 16:55  (07:34)
reboot   system boot  Sun Dec  1 04:26 - 04:27  (00:01)
reboot   system boot  Wed Nov 27 20:27 - 01:24  (04:57)
reboot   system boot  Tue Nov 26 21:06 - 06:13  (09:06)

Print a specific tty/pts

last can also print the information for a specific tty or pts. You only need to enter the tty name or pts name after the last command.

Here are some examples:

$ last tty1
pungki   tty1         Mon Dec  2 09:31   still logged in
pungki   tty1         Mon Dec  2 04:26 - down   (00:00)
pungki   tty1         Mon Dec  2 04:07 - down   (00:00)
pungki   tty1         Sun Dec  1 18:55 - 04:07  (09:12)

$ last pts/0
leni     pts/0        10.0.76.162      Mon Dec  2 12:32 - 13:25  (00:53)
pungki   pts/0        :0.0             Wed Nov 27 20:28 - down   (04:56)

When you see the value down, as in the second line above, it means the user was logged in from that time until the system was rebooted or shut down.

Use another file instead of /var/log/wtmp

By default, the last command parses information from /var/log/wtmp. If you want last to parse another file, use the -f parameter. For example, after log rotation, suppose the previous file has been renamed to /var/log/wtmp.1. The last command then looks like this:

$ last -f /var/log/wtmp.1

Show runlevel changes

The -x parameter shows runlevel changes. Sample output:

$ last -x
pungki   tty1                          Mon Dec  2 19:21   still logged in
runlevel (to lvl 3)   2.6.32-358.23.2  Mon Dec  2 19:20 - 19:29  (00:08)
reboot   system boot  2.6.32-358.23.2  Mon Dec  2 19:20 - 19:29  (00:08)
shutdown system down  2.6.32-358.23.2  Mon Dec  2 18:56 - 19:20  (00:23)
runlevel (to lvl 0)   2.6.32-358.23.2  Mon Dec  2 18:56 - 18:56  (00:00)
leni     tty1                          Mon Dec  2 18:42 - down   (00:00)

You can see two runlevel changes. The entry to lvl 3 means the system runs in full console mode, not in X Window or a GUI. When the system is shut down it actually switches to runlevel 0, which is why last shows to lvl 0.

View failed logins

The last command reports successful logins, while the lastb command reports failed login attempts. You need root permission to run lastb. lastb parses /var/log/btmp. Here is an example of lastb output:

# lastb
leni     tty1         Mon Dec  2 22:12 - 22:12  (00:00)
rahma    tty1         Mon Dec  2 22:11 - 22:11  (00:00)

Log rotation

Because /var/log/wtmp records every login activity, the file can grow quickly. By default, Linux rotates /var/log/wtmp every month. The rotation policy is placed in the /etc/logrotate.conf file. Here is the relevant content of my /etc/logrotate.conf file:

/var/log/wtmp {
    monthly
    create 0664 root utmp
    minsize 1M
    rotate 1
}

For /var/log/btmp, here is the default rotation configuration:

/var/log/btmp {
    missingok
    monthly
    create 0600 root utmp
    minsize 1M
    rotate 1
}

You can modify it as needed.

Summary

You can use these parameters to customize the output of last and lastb. Every parameter that works with the last command also works with the lastb command. For more details, enter man last in the console.

Via: http://linoxide.com/linux-command/linux-last-command/

Translator: geekpi Proofreader: wxy
