LPIC-1 Objective 110-1 Auditing logins with last
In this module we take a look at the command /usr/bin/last and how we use it to audit user logins and system runlevel changes. The command last read from the data file /var/log/wtmp by default. This database has all of the login and logout details and runlevel changes for our system. In this way we can see that auditing logins with last is a simple procedure.
Just using the command last on its own without arguments or options will print detail from the file /var/log/wtmp. As to how far back it shows the login details will be down to how often the file is rotated. On my system it is rotated monthly so the current file will show me logins from the 1st September, I am writing this in September.
We can see from the final line of output when the file was started.
If we want to read from a previous file we can use the option -f and the path through to the file
$ last -f /var/log/wtmp.1
On my system this will show August’s logins
To see reboots on the system and how long the system has been up we can use the following command:
$ last reboot
There is a pseudo user called reboot and we can see when the system has been rebooted, it at all. In the following screenshot we can see that the system has been up for 7 days and 17 hours with the last reboot being on September 12th:
We can display this also with last -x. Using last pi would show login details just for the user pi.
The following video steps you through a demonstration: