Built-in audit tracking tool in Linux: last Command

Source: Internet
Author: User
If you are a server administrator, you know that a server needs protecting not only from the outside but also from the inside. Linux has a built-in tool that shows which users last logged on to the server, which can help you protect it.

This command is last. It is very useful for tracking. Let's take a look at what last can do for you.

What does the last command do?

last displays a list of all users who logged in (and out), read from the /var/log/wtmp file. This is a binary file and cannot be viewed with a text editor such as vi, joe, or similar software. This is very useful because users (or root) cannot modify the file as they wish.

For each entry, last provides the username, the tty, the IP address (if the user connected remotely), the date and time, and how long the user was logged in.

How to run last

You only need to enter last in the console. This is an example:

$ last
leni     pts/0        10.0.76.162      Mon Dec  2 12:32 - 13:25  (00:53)
pungki   tty1                          Mon Dec  2 09:31   still logged in
reboot   system boot  2.6.32-358.23.2  Mon Dec  2 09:20 - 13:25  (04:05)

Here is how to read the output of last:

  • The first column shows the user name.
  • The second column shows how the user connected.

    • pts/0 (pseudo terminal) means a remote connection, such as SSH or telnet.
    • tty (teletypewriter) means that the user is connected directly to the computer, on a local terminal.
    • The reboot entry is the exception: it shows system boot in this column.
  • The third column shows where the user came from. If the user connected from a remote computer, you will see a host name or IP address. If you see :0.0 or nothing, the user is connected through a local terminal. The reboot entry is again the exception: it shows the kernel version here.

  • The remaining columns show when the log activity occurred. The numbers in parentheses tell us how many hours and minutes the connection lasted.
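The columns above come from fixed-size binary records in /var/log/wtmp, which can also be decoded directly. The following is an added example, not part of the original article: it unpacks the records and pairs logins with logouts per tty. It assumes the 384-byte glibc struct utmp layout on Linux; the function names, the sample records and their year are constructed for illustration.

```python
import struct
from datetime import datetime, timezone

# Assumption: glibc "struct utmp" layout on Linux (384 bytes, little-endian).
UTMP = struct.Struct("<h2xi32s4s32s256shhiii16s20x")
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8  # ut_type values from <utmp.h>

def _text(raw):  # decode a NUL-padded fixed-width field
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def parse_wtmp(blob):
    """Yield one dict per complete record; a truncated tail is ignored."""
    for off in range(0, len(blob) - UTMP.size + 1, UTMP.size):
        f = UTMP.unpack_from(blob, off)
        yield {"type": f[0], "line": _text(f[2]), "user": _text(f[4]),
               "host": _text(f[5]), "time": datetime.fromtimestamp(f[9], timezone.utc)}

def sessions(records):
    """Pair logins with logouts per tty: (user, tty, host, duration, state)."""
    open_by_tty, out = {}, []
    def end(s, when, state):
        duration = when - s["time"] if when else None
        out.append((s["user"], s["line"], s["host"], duration, state))
    for r in records:
        if r["type"] == USER_PROCESS:
            if r["line"] in open_by_tty:      # tty reused without a logout record
                end(open_by_tty[r["line"]], None, "no logout record")
            open_by_tty[r["line"]] = r
        elif r["type"] == DEAD_PROCESS and r["line"] in open_by_tty:
            end(open_by_tty.pop(r["line"]), r["time"], "closed")
        elif r["type"] == BOOT_TIME:          # a boot ends whatever was still open
            for s in open_by_tty.values():
                end(s, None, "ended by reboot")
            open_by_tty.clear()
    for s in open_by_tty.values():
        end(s, None, "still logged in")
    return out

def make_record(typ, line, user, host, hour, minute):
    """Pack one constructed record; the date (2 Dec 2013, UTC) is an assumption."""
    sec = int(datetime(2013, 12, 2, hour, minute, tzinfo=timezone.utc).timestamp())
    return UTMP.pack(typ, 0, line.encode(), b"", user.encode(), host.encode(), 0, 0, 0, sec, 0, b"")

SAMPLE = b"".join([  # constructed, mirrors the listing on this page (not a real wtmp file)
    make_record(BOOT_TIME, "~", "reboot", "2.6.32-358.23.2", 9, 20),
    make_record(USER_PROCESS, "tty1", "pungki", "", 9, 31),
    make_record(USER_PROCESS, "pts/0", "leni", "10.0.76.162", 12, 32),
    make_record(DEAD_PROCESS, "pts/0", "", "", 13, 25),
])
```

To run it on a live system, pass the bytes of /var/log/wtmp to parse_wtmp. The records carry no checksum or signature, so for audit purposes compare against a copy kept off the host.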

Examples of last in daily operations

Limit the number of rows displayed

When there are many rows to display, you can limit the number of rows you want to see. Use the -n parameter to do this.

$ last -n 3
leni     pts/0        10.0.76.162      Mon Dec  2 12:32 - 13:25  (00:53)
pungki   tty1                          Mon Dec  2 09:31   still logged in
reboot   system boot  2.6.32-358.23.2  Mon Dec  2 09:20 - 13:25  (04:05)

Here the -n parameter displays the three most recent records, counting back from the current time.

Do not display host name

Use the -R parameter to do this. Here is an example:

$ last -R
leni     pts/0        Mon Dec  2 12:32 - 13:25  (00:53)
pungki   tty1         Mon Dec  2 09:31   still logged in
reboot   system boot  Mon Dec  2 09:20 - 13:25  (04:05)

As you can see, there is no host or IP address information.

Display the host name in the last column

To do this, we use the -a parameter.

$ last -a
leni     pts/0        Mon Dec  2 12:32 - 13:25  (00:53)     10.0.76.162
pungki   tty1         Mon Dec  2 09:31   still logged in    :0.0
reboot   system boot  Mon Dec  2 09:20 - 13:25  (04:05)     2.6.32-358.23.2.el6.i686

Host information such as 10.0.76.162 is now placed in the last column.
