LPIC-1 Exam 102

Auditing Logins with last

September 20, 2015 / September 12th, 2022

LPIC-1 Objective 110-1: Auditing logins with last

In this module we take a look at the command /usr/bin/last and how we use it to audit user logins and system runlevel changes. By default, last reads from the data file /var/log/wtmp. This database records the login and logout details and runlevel changes for our system, which makes auditing logins with last a simple procedure.

Basic usage

Running last on its own, without arguments or options, prints the detail from the file /var/log/wtmp. How far back the login details go depends on how often the file is rotated. On my system it is rotated monthly, so the current file shows me logins from the 1st September (I am writing this in September).

$ last

We can see from the final line of output when the file was started.

If we want to read from a previous file, we can use the option -f and the path to the file:

$ last -f /var/log/wtmp.1

On my system this will show August’s logins.

Show Reboots

To see reboots on the system and how long the system has been up we can use the following command:

$ last reboot

There is a pseudo user called reboot, and we can see when the system has been rebooted, if at all. In the following screenshot we can see that the system has been up for 7 days and 17 hours, with the last reboot being on September 12th:

We can also display this with last -x. Using last pi would show login details just for the user pi.
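To make concrete what last reads from /var/log/wtmp, the following added example (not part of the original article) parses the binary records directly and pairs logins with logouts per terminal, including the reboot pseudo user. It assumes the 384-byte glibc struct utmp layout on little-endian Linux; the function names, timestamps and sample records are constructed for illustration.

```python
import struct
from datetime import datetime, timezone

# Assumption: Linux glibc "struct utmp" on little-endian x86-64 (384 bytes per record).
UTMP = struct.Struct("<hxxi32s4s32s256shhiii4i20s")
RUN_LVL, BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 1, 2, 7, 8

def text(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def read_wtmp(data):
    """Yield (type, line, user, host, epoch_seconds); a truncated tail is ignored."""
    for off in range(0, len(data) - UTMP.size + 1, UTMP.size):
        f = UTMP.unpack_from(data, off)
        yield f[0], text(f[2]), text(f[4]), text(f[5]), f[9]

def sessions(data):
    """Pair each login with the logout on the same terminal line."""
    open_by_line, out = {}, []
    for typ, line, user, host, ts in read_wtmp(data):
        if typ == BOOT_TIME:
            # A boot record closes every session that never logged out.
            out += [(u, l, h, t, None, "ended at boot")
                    for l, (u, h, t) in open_by_line.items()]
            open_by_line.clear()
            out.append((user, line, host, ts, None, "boot"))
        elif typ == USER_PROCESS:
            open_by_line[line] = (user, host, ts)
        elif typ == DEAD_PROCESS and line in open_by_line:
            u, h, t = open_by_line.pop(line)
            out.append((u, line, h, t, ts, "logout"))
    out += [(u, l, h, t, None, "still logged in")
            for l, (u, h, t) in open_by_line.items()]
    return out

def make_record(typ, line, user, host, ts):  # builds one constructed sample record
    return UTMP.pack(typ, 0, line.encode(), b"", user.encode(), host.encode(),
                     0, 0, 0, ts, 0, 0, 0, 0, 0, b"")

T0 = 1442016000  # constructed timestamp, not taken from a real system
SAMPLE = b"".join([
    make_record(BOOT_TIME, "~", "reboot", "kernel-x.y", T0),
    make_record(USER_PROCESS, "pts/0", "pi", "192.168.0.10", T0 + 60),
    make_record(DEAD_PROCESS, "pts/0", "", "", T0 + 3660),
    make_record(USER_PROCESS, "tty1", "root", "", T0 + 4000),
])

if __name__ == "__main__":
    for user, line, host, start, end, how in sessions(SAMPLE):
        when = datetime.fromtimestamp(start, timezone.utc).strftime("%b %d %H:%M")
        print(f"{user:8} {line:8} {host:16} {when} "
              + (f"({(end - start) // 60} min)" if end else how))
```

To run it against a real file, pass the bytes of /var/log/wtmp (or a rotated copy such as /var/log/wtmp.1) to sessions() instead of SAMPLE.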
