>_cmd.script

last

Show login history and system reboot records

System

By CMD Script Team · 3 min read · Last updated

SYNTAX
last [OPTIONS] [USERNAME] [TTY]

Options

Command options and flags
FlagDescription
-nLimit output to N most recent entries, e.g. -n 10
rebootShow a history of system reboots instead of user logins (used as: last reboot)
-aPrint the hostname in the last column instead of in the middle, for easier reading
-xInclude system shutdown and runlevel change entries
-FPrint full login and logout times and dates
-iDisplay IP addresses in numeric dotted form instead of resolving hostnames

Distribution compatibility

  • Ubuntu
  • Debian
  • Fedora
  • Arch
  • macOS (BSD last, similar core options)

What it does

last displays a history of user logins and logouts, along with system reboots and shutdowns, by reading the wtmp log (usually /var/log/wtmp). Each line shows the username, terminal, source host/IP, login time, and either the logout time, session duration, or "still logged in" if the session is active. It's the go-to tool for answering "who logged into this box, and when?"

Beginner examples

  • last — show the full login/logout history, most recent first
  • last -n 10 — show only the 10 most recent entries
  • last reboot — show a history of system reboots
  • last <username> — show login history for one specific user
last -n 10

Advanced examples

  • Audit reboots after an incident: last reboot -n 5
  • Check logins from a specific terminal/session type: last pts/0
  • Print exact full timestamps instead of abbreviated ones: last -F
  • Show numeric IPs instead of resolved hostnames (faster, avoids DNS lookups): last -i
  • Combine with grep to check whether a specific user ever logged in remotely: last shivam | grep -v ":0"
last -F reboot

Common mistakes

  • Assuming last's output is complete forever — /var/log/wtmp is rotated (often monthly via logrotate), so very old history may no longer be available.
  • Confusing last (historical login records) with w/who (currently logged-in users only) — last includes users who have already logged out.
  • Not noticing "still logged in" entries can also appear after an unclean shutdown or crash, not just an active session.
  • Forgetting last needs read access to /var/log/wtmp; on some hardened systems this file isn't world-readable, and normal users only see limited or no output.

Tips

  • Use last reboot right after an unexpected outage to see exactly when the system went down and came back up.
  • Pipe through head or use -n to avoid scrolling through a huge historical log on long-lived servers.
  • -i speeds up output and avoids reverse-DNS delays when auditing many remote logins.

Best practices

  • Cross-reference last's output with /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (RHEL/Fedora) during a security investigation — last alone only shows successful sessions, not failed login attempts.
  • Rotate and archive wtmp logs appropriately for compliance needs where login history must be retained longer than the default rotation window.
  • Don't rely solely on last for security auditing; it reflects what's recorded in wtmp, which can theoretically be tampered with by a root-level attacker.

Try it yourself

A simulated shell with a sample home directory — experiment freely, nothing leaves your browser. Type help to list supported commands.

Real-world use cases

  • Investigating unauthorized or suspicious access by reviewing who logged in and from where.
  • Confirming exactly when a server rebooted after a kernel update or crash.
  • Auditing shared server usage to see which team members have been logging in.
  • Verifying that a maintenance window's reboot actually happened on schedule.

Common interview questions

  • Where does last pull its information from? The wtmp binary log file, typically /var/log/wtmp.
  • How is last different from who and w? who and w show currently logged-in users; last shows historical login/logout records, including users who've already logged out and past reboots.
  • How would you find out when a server last rebooted? last reboot, which lists reboot events recorded in wtmp, most recent first.

Frequently Asked Questions

Where does last get its data from?

It reads the binary login/logout history log, typically /var/log/wtmp, which is updated by login-related programs each time a user logs in or out, or the system boots/shuts down.

How do I see just the last few reboots?

Run last reboot, which filters wtmp entries down to system boot events; add -n, e.g. last reboot -n 5, to limit how many are shown.

What does it mean when an entry says 'still logged in'?

It means the session hasn't recorded a logout yet — the user (or an unclean disconnect) hasn't closed that session in wtmp, which can also happen after an unclean shutdown.

Cheat sheet

Download a quick-reference cheat sheet for last.