last
Show login history and system reboot records
By CMD Script Team · 3 min read · Last updated
last [OPTIONS] [USERNAME] [TTY]Options
| Flag | Description |
|---|---|
-n | Limit output to N most recent entries, e.g. -n 10 |
reboot | Show a history of system reboots instead of user logins (used as: last reboot) |
-a | Print the hostname in the last column instead of in the middle, for easier reading |
-x | Include system shutdown and runlevel change entries |
-F | Print full login and logout times and dates |
-i | Display IP addresses in numeric dotted form instead of resolving hostnames |
Distribution compatibility
- Ubuntu
- Debian
- Fedora
- Arch
- macOS (BSD last, similar core options)
What it does
last displays a history of user logins and logouts, along with system reboots and
shutdowns, by reading the wtmp log (usually /var/log/wtmp). Each line shows the
username, terminal, source host/IP, login time, and either the logout time, session
duration, or "still logged in" if the session is active. It's the go-to tool for
answering "who logged into this box, and when?"
Beginner examples
last— show the full login/logout history, most recent firstlast -n 10— show only the 10 most recent entrieslast reboot— show a history of system rebootslast <username>— show login history for one specific user
last -n 10
Advanced examples
- Audit reboots after an incident:
last reboot -n 5 - Check logins from a specific terminal/session type:
last pts/0 - Print exact full timestamps instead of abbreviated ones:
last -F - Show numeric IPs instead of resolved hostnames (faster, avoids DNS lookups):
last -i - Combine with
grepto check whether a specific user ever logged in remotely:last shivam | grep -v ":0"
last -F reboot
Common mistakes
- Assuming
last's output is complete forever —/var/log/wtmpis rotated (often monthly vialogrotate), so very old history may no longer be available. - Confusing
last(historical login records) withw/who(currently logged-in users only) —lastincludes users who have already logged out. - Not noticing "still logged in" entries can also appear after an unclean shutdown or crash, not just an active session.
- Forgetting
lastneeds read access to/var/log/wtmp; on some hardened systems this file isn't world-readable, and normal users only see limited or no output.
Tips
- Use
last rebootright after an unexpected outage to see exactly when the system went down and came back up. - Pipe through
heador use-nto avoid scrolling through a huge historical log on long-lived servers. -ispeeds up output and avoids reverse-DNS delays when auditing many remote logins.
Best practices
- Cross-reference
last's output with/var/log/auth.log(Debian/Ubuntu) or/var/log/secure(RHEL/Fedora) during a security investigation —lastalone only shows successful sessions, not failed login attempts. - Rotate and archive
wtmplogs appropriately for compliance needs where login history must be retained longer than the default rotation window. - Don't rely solely on
lastfor security auditing; it reflects what's recorded inwtmp, which can theoretically be tampered with by a root-level attacker.
Try it yourself
A simulated shell with a sample home directory — experiment freely, nothing leaves your browser. Type help to list supported commands.
Real-world use cases
- Investigating unauthorized or suspicious access by reviewing who logged in and from where.
- Confirming exactly when a server rebooted after a kernel update or crash.
- Auditing shared server usage to see which team members have been logging in.
- Verifying that a maintenance window's reboot actually happened on schedule.
Common interview questions
- Where does
lastpull its information from? Thewtmpbinary log file, typically/var/log/wtmp. - How is
lastdifferent fromwhoandw?whoandwshow currently logged-in users;lastshows historical login/logout records, including users who've already logged out and past reboots. - How would you find out when a server last rebooted?
last reboot, which lists reboot events recorded inwtmp, most recent first.
Frequently Asked Questions
Where does last get its data from?
It reads the binary login/logout history log, typically /var/log/wtmp, which is updated by login-related programs each time a user logs in or out, or the system boots/shuts down.
How do I see just the last few reboots?
Run last reboot, which filters wtmp entries down to system boot events; add -n, e.g. last reboot -n 5, to limit how many are shown.
What does it mean when an entry says 'still logged in'?
It means the session hasn't recorded a logout yet — the user (or an unclean disconnect) hasn't closed that session in wtmp, which can also happen after an unclean shutdown.
Cheat sheet
Download a quick-reference cheat sheet for last.