Getting started with Linux: last Command in Linux
The last command lists information about users who have logged on to the system. Its main parameters include:
(1) -a: displays the host name or IP address used to log on to the system in the last column.
(2) -d: converts an IP address to a host name.
(3) -f <record file>: specifies the record file to read.
(4) -n <number of lines> or -<number of lines>: sets how many lines to display.
(5) -R: does not display the host name or IP address used to log on to the system.
(6) -x: displays information such as system shutdown, restart, and run level changes.
Linux built-in audit tracking tool: the last command
Command introduction:
This command lists the users who most recently logged on to the system. Command description: show listing of last logged in users
Execution permission: some uses require special permissions
Command path: /usr/bin/last
When the last command is executed, it reads the file named wtmp in the /var/log directory and displays all the user names recorded in that file as having logged on to the system. By default, the wtmp records are displayed. The btmp file can be read instead with -f; it shows more detail, including remote logons such as ssh and failed login requests.
The utmp file stores information about the users currently logged on to the system.
The wtmp file stores information about the users who have logged on to the system.
Command output fields:
Column 1: User Name
Column 2: terminal location. pts/0 (pseudo terminal) means the user connected remotely over SSH or telnet. tty (teletypewriter) means the user is connected directly to the computer or through a local connection.
Column 3: logon IP address or kernel. If you see :0.0 or nothing, the user is connected through a local terminal. For reboot entries, the kernel version is displayed in this column.
Column 4: Start Time
Column 5: End Time ("still logged in" means the session has not ended, "down" means it lasted until a normal shutdown, "crash" means it lasted until a forced shutdown)
Column 6: Duration
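The columns above are derived from the fixed-size records that last reads from wtmp. The following Python code is an added example, not part of the original article: it parses such records and pairs logins with logouts to obtain the start time, end time and "still logged in" state. The 384-byte glibc x86-64 record layout, the helper names and the sample records are assumptions constructed for illustration.

```python
import struct
from datetime import datetime, timezone

# Assumed layout: glibc "struct utmp" on x86-64 Linux, 384 bytes per record.
UTMP = struct.Struct("<h2xi32s4s32s256shhiii16s20x")
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8  # ut_type values from <utmp.h>

def text(raw):
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")  # strip NUL padding

def parse(data):
    """Yield (type, line, user, host, epoch) for every complete record."""
    for off in range(0, len(data) - UTMP.size + 1, UTMP.size):
        f = UTMP.unpack_from(data, off)
        yield f[0], text(f[2]), text(f[4]), text(f[5]), f[9]

def sessions(records):
    """Pair each login with the next logout on the same terminal line.
    end is None while still logged in; a boot record ends every open session."""
    open_by_line, out = {}, []
    for typ, line, user, host, ts in records:
        if typ == USER_PROCESS:
            open_by_line[line] = [user, line, host, ts, None]
            out.append(open_by_line[line])
        elif typ == DEAD_PROCESS and line in open_by_line:
            open_by_line.pop(line)[4] = ts
        elif typ == BOOT_TIME:
            for s in open_by_line.values():
                s[4] = ts  # last labels these "crash" or "down"; not distinguished here
            open_by_line.clear()
    return [tuple(s) for s in out]

def record(typ, line, user, host, ts):
    """Pack one constructed record for the demo (not real log data)."""
    return UTMP.pack(typ, 0, line.encode(), b"", user.encode(), host.encode(),
                     0, 0, 0, ts, 0, b"")

SAMPLE = b"".join([  # constructed wtmp content, oldest record first
    record(USER_PROCESS, "pts/1", "oracle", ":2.0", 1420502400),
    record(USER_PROCESS, "pts/2", "root", "192.0.2.88", 1420506000),
    record(DEAD_PROCESS, "pts/2", "", "", 1420509600),
    record(BOOT_TIME, "~", "reboot", "constructed-kernel", 1420513200),
    record(USER_PROCESS, "pts/3", "root", "192.0.2.53", 1420516800),
]) + b"\x00" * 100  # trailing partial record, as after an interrupted write

if __name__ == "__main__":
    for user, line, host, start, end in reversed(sessions(parse(SAMPLE))):
        began = datetime.fromtimestamp(start, timezone.utc).strftime("%a %b %d %H:%M")
        print(f"{user:<8} {line:<6} {host:<18} {began}",
              "still logged in" if end is None else f"({(end - start) // 60} min)")
```

To read a real file, pass the bytes of /var/log/wtmp to parse(); btmp uses the same record format.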
Command syntax:
last [-R] [-num] [-n num] [-adiowx] [-f file] [-t YYYYMMDDHHMMSS] [name...] [tty...]
Command parameters:
Parameter | Long parameter | Description
-a | | Displays the host name or IP address used to log on to the system in the last column.
-d | | Converts an IP address to a host name.
-f | | Specifies the record file. By default, records from the wtmp file in the /var/log directory are displayed. The content of the btmp file in the /var/log directory is richer and shows remote logons; for example, ssh logons, including failed login requests.
-i | | Displays the logon status of a specific IP address.
-o | | Reads an old-type wtmp file (written by linux-libc5 applications).
-n | | -n <number of lines> or -<number of lines>: sets how many lines to display.
-w | | Displays full user and domain names in the output.
-R | | Does not display the host name or IP address used to log on to the system (the hostname field is omitted).
-t | | Displays information before YYYYMMDDHHMMSS.
-x | | Displays system shutdown, user logon, and logout history.
Example:
1: view the help information of the last command
[root@bkjia ~]# man last
[root@bkjia ~]# last -h
last: invalid option -- h
Usage: last [-num | -n num] [-f file] [-t YYYYMMDDHHMMSS] [-R] [-x] [-o] [-w] [username ..] [tty...]
2: display the last N logon records.
[root@bkjia ~]# last -10
root pts/1 :0.0 Wed Dec 18 still logged in
root pts/4 :0.0 Wed Dec 18)
root pts/1 :0.0 Wed Dec 18)
root pts/3 192.168.103.79 Wed Dec 18)
root pts/4 :0.0 Wed Dec 18)
root pts/3 :0.0 Wed Dec 18)
root pts/2 192.168.103.29 Wed Dec 18 09:27 still logged in
root pts/1 :0.0 Wed Dec 18)
root pts/2 :0.0 Wed Dec 18)
root pts/1 :0.0 Wed Dec 18)
wtmp begins Wed Dec 11 03:02:17 2013
[root@bkjia ~]# last -n 10
root pts/1 :0.0 Wed Dec 18 still logged in
root pts/4 :0.0 Wed Dec 18)
root pts/1 :0.0 Wed Dec 18)
root pts/3 192.168.103.79 Wed Dec 18)
root pts/4 :0.0 Wed Dec 18)
root pts/3 :0.0 Wed Dec 18)
root pts/2 192.168.103.29 Wed Dec 18 09:27 still logged in
root pts/1 :0.0 Wed Dec 18)
root pts/2 :0.0 Wed Dec 18)
root pts/1 :0.0 Wed Dec 18)
wtmp begins Wed Dec 11 03:02:17 2013
3: display the host name or IP address used to log on to the system in the last column.
[root@bkjia ~]# last -10 -a
root pts/1 Wed Dec 18 still logged in :0.0
root pts/4 Wed Dec 18-() :0.0
root pts/1 Wed Dec 18-() :0.0
root pts/3 Wed Dec 18-() 192.168.103.79
root pts/4 Wed Dec 18-() :0.0
root pts/3 Wed Dec 18-() :0.0
root pts/2 Wed Dec 18 still logged in 192.168.103.29
root pts/1 Wed Dec 18-() :0.0
root pts/2 Wed Dec 18-() :0.0
root pts/1 Wed Dec 18-() :0.0
wtmp begins Wed Dec 11 03:02:17 2013
4: do not display the host name or IP address used to log on to the system.
[root@bkjia ~]# last -10 -R
root pts/1 Wed Dec 18 still logged in
root pts/4 Wed Dec 18)
root pts/1 Wed Dec 18)
root pts/3 Wed Dec 18)
root pts/4 Wed Dec 18)
root pts/3 Wed Dec 18)
root pts/2 Wed Dec 18 still logged in
root pts/1 Wed Dec 18)
root pts/2 Wed Dec 18)
root pts/1 Wed Dec 18)
wtmp begins Wed Dec 11 03:02:17 2013
5: specify the /var/log/btmp file to view the user logon information it records.
[root@bkjia ~]# last -n 10 -f /var/log/btmp
root ssh:notty 192.168.136.163 Fri Oct 17 18:16 gone - no logout
root ssh:notty 192.168.136.163 Fri Oct 17)
root ssh:notty 192.168.136.163 Fri Oct 17)
root ssh:notty 192.168.40.218 Tue Jul 23-(450+16:10)
root ssh:notty 192.168.236.149 Sun Apr 14-(100+16:05)
root ssh:notty 192.168.178.147 Fri Mar 8-(36+08:08)
tomcat ssh:notty get185806.gfg1.e Fri Oct 26-(133+00:37)
root ssh:notty 192.168.193.3 Mon Oct 22-(3+22:34)
root ssh:notty 192.168.193.3 Mon Oct 22)
devloper ssh:notty get185819.gfg1.e Wed Oct 17-(5+00:50)
btmp begins Thu Apr 12 14:30:06 2012
6: convert an IP address to a host name.
last -10 -d
7: display information before YYYYMMDDHHMMSS (20150110093000).
[root@bkjia ~]# last -10 -t 20150110093000
root pts/2 192.168.102.186 Fri Jan 9)
root pts/2 192.168.102.134 Thu Jan 8)
root pts/3 192.168.125.53 Tue Jan 6)
root pts/2 192.168.125.53 Tue Jan 6)
root pts/3 192.168.102.88 Tue Jan 6)
root pts/2 192.168.102.88 Tue Jan 6)
oracle pts/1 :2.0 Tue Jan 6 still logged in
reboot system boot 2.6.32-200.13.1. Tue Jan 6 :07 (7+20:21)
root pts/2 192.168.102.88 Tue Jan 6-down)
oracle pts/1 :2.0 Tue Jan 6-down)
wtmp begins Wed Apr 11 16:31:10 2012