How to parse the Linux last command to display specific logins

Your data center servers are constantly being logged into. Here's how you how you can find who's trying to get in, at least on your Linux machines.

Image: Jack Wallen

Chances are, your data center makes use of Linux machines. That being the case, you're going to want to know how to keep tabs on those servers. Once such area you might want to regularly check is who has logged into a server and when they logged in. Fortunately, there's a built-in command to take care of that very task. The command is last and I'm going to show you how to make use of it so you can better understand who has logged into your machine and when.

The command

Simply put, the last command displays a listing of the last users logged into a system. Users also includes reboot, so it's really easy to use this same command to find out when a system was rebooted.

Last works with wtmp to retrieve login attempts recorded in the utmp file. Together this makes for an easy to use system to keep tabs on the historical data of who is (and has been) logged into a Linux machine.

The basic command last will display every login attempt since wtmp started recording (Figure A).

Figure A


Created with GIMP

Image: Jack Wallen

Of course, you don't want to have to scroll through that massive amount of output. To that end, last offers a few options to make parsing the output a bit easier. Last understands the following arguments:

  • YYYYMMDDhhmmss
  • YYYY-MM-DD hh:mm:ss
  • YYYY-MM-DD hh:mm
  • hh:mm:ss
  • Hh:mm
  • yesterday
  • now
  • today
  • tomorrow
  • +Xmin (Where X is a positive number)
  • -Xdays (Where X is a positive number)
  • -p - display the users who were present at the specific time
  • -s - display the state of logins since the specified time
  • -t - display the state of logins until the specified time


Taking the above arguments, you could find out who logged in on a specific date like so:

last -p 2017-08-10

The output of that command would show you who (if anyone) logged in on August 10, 2017 (Figure B).

Figure B

Figure B

Both jlwallen and reboot were present that day.

If you want to examine a range of time, that's possible as well, using the -s and -t options like so:

last -s -20days -t -10days

The output of the above command will show us who had logged in from a range of 20 days ago up until 10 days ago (Figure C). In this case (running the command on August 29) that range of time would be August 9 through August 19.

Figure C

Figure C

Logins from localhost and two other IP addresses are shown.

What if you want to find out who logged in from yesterday up until an hour ago (from the present time)? That's possible with the command:

last -s yesterday -t -60min

The output from the above command (Figure D) should be significantly smaller than our previous command.

Figure D

Figure D

Only one login attempt, by user jlwallen.

And that's pretty much how the last command works.

Keep it curious

If you're curious about who is logging into your servers (and you should be), last is an easy means of sating that curiosity on Linux. For more information about last, make sure to read through the man page with the command man last.

Also see

By Jack Wallen

Jack Wallen is an award-winning writer for TechRepublic, The New Stack, and Linux New Media. He's covered a variety of topics for over twenty years and is an avid promoter of open source. For more news about Jack Wallen, visit his website jackwallen....