Linux的 last 命令

Linux 之 last 登陆信息

Linux last 命令用于显示用户最近的登录信息。

官方定义为：

last, lastb - show listing of last logged in users

通过读取/var/log/wtmp文件来获取这些信息。

语法

$ last [-R] [-num] [ -n num ] [-adFiowx] [ -f file ] [ -t YYYYMMDDHHMMSS] [name...]  [tty...]

参数：

• -R 省略 hostname 的栏位

• -n 展示前 num 个

• username 展示 username 的登入讯息

• tty 限制登入讯息包含终端机代号

一般使用方法

$ last
username2  pts/17       192.168.100.123  Wed Mar 23 22:14   still logged in
username3  pts/20       localhost:11.0   Wed Mar 23 14:26 - 15:48  (01:21)
username4  pts/23       localhost:11.0   Wed Mar 23 14:26 - 15:48  (01:21)
username4  pts/4        192.168.100.125    Thu Jun 10 18:37 - 22:57  (04:20)
username5  pts/4        192.168.100.125    Thu Jun 10 18:21 - 18:21  (00:00)
username6  pts/9        192.168.100.126    Thu Jun 10 18:11 - 18:20  (00:09)
username7  pts/15       192.168.100.122    Thu Jun 10 18:04 - 23:44 (1+05:40)
username8  pts/14       192.168.100.121    Thu Jun 10 17:59 - 07:50  (13:50)
username9  pts/9        192.168.100.126    Thu Jun 10 17:59 - 18:03  (00:04)

wtmp begins Thu Jun 10 17:33:14 2013

查看最近登陆的三个用户

$ last -3

username2  pts/17       192.168.100.123  Wed Mar 23 22:14   still logged in
username3  pts/20       localhost:11.0   Wed Mar 23 14:26 - 15:48  (01:21)
username4  pts/23       localhost:11.0   Wed Mar 23 14:26 - 15:48  (01:21)

wtmp begins Thu Jun 10 17:33:14 2013

省略hostname

$ last -3 -R
username2  pts/17         Wed Mar 23 22:14   still logged in
username3  pts/20         Wed Mar 23 14:26 - 15:48  (01:21)
username4  pts/23         Wed Mar 23 14:26 - 15:48  (01:21)

wtmp begins Thu Jun 10 17:33:14 2013

显示最后一列显示主机IP地址

$ last -n 5 -a -i
username3  pts/17       Wed Mar 23 22:14   still logged in    192.168.100.123
username5  pts/20       Wed Mar 23 14:26 - 15:48  (01:21)     0.0.0.0
username6  pts/23       Wed Mar 23 14:26 - 15:48  (01:21)     0.0.0.0
username7  pts/19       Wed Mar 23 13:46 - 15:48  (02:01)     192.168.100.123
username8  pts/17       Wed Mar 23 13:18 - 15:47  (02:29)     192.168.100.123

wtmp begins Thu Jun 10 17:33:14 2013

​ Last searches back through the file /var/log/wtmp (or the file desig‐
​ nated by the -f flag) and displays a list of all users logged in (and
​ out) since that file was created. Names of users and tty’s can be
​ given, in which case last will show only those entries matching the
​ arguments. Names of ttys can be abbreviated, thus last 0 is the same
​ as last tty0.

When last catches a SIGINT signal (generated by the interrupt key, usu‐
ally control-C) or a SIGQUIT signal (generated by the quit key, usually
control-), last will show how far it has searched through the file; in
the case of the SIGINT signal last will then terminate.

   The pseudo user reboot logs in each time the system is rebooted.   Thus
   last  reboot will show a log of all reboots since the log file was cre‐
   ated.

   Lastb is the same as last, except that by default it shows a log of the
   file /var/log/btmp, which contains all the bad login attempts.

OPTIONS
-f file
Tells last to use a specific file instead of /var/log/wtmp.

   -num   This is a count telling last how many lines to show.

   -n num The same.

   -t YYYYMMDDHHMMSS
          Display  the  state of logins as of the specified time.  This is
          useful, e.g., to determine easily who was logged in at a partic‐
          ular  time  --  specify  that  time  with -t and look for "still
          logged in".

   -f file
          Specifies a file to search other than /var/log/wtmp.

   -R     Suppresses the display of the hostname field.

   -a     Display the hostname in the last column. Useful  in  combination           with the next flag.

   -d     For non-local logins, Linux stores not only the host name of the
          remote host but its IP number as well.  This  option  translates
          the IP number back into a hostname.

   -F     Print full login and logout times and dates.

   -i     This  option is like -d in that it displays the IP number of the
          remote host, but it displays the IP number  in  numbers-and-dots
          notation.

   -o     Read  an  old-type  wtmp  file  (written by linux-libc5 applica‐
          tions).

   -w     Display full user and domain names in the output.

   -x     Display the system shutdown entries and run level changes.

NOTES
The files wtmp and btmp might not be found. The system only logs infor‐
mation in these files if they are present. This is a local configura‐
tion issue. If you want the files to be used, they can be created with
a simple touch(1) command (for example, touch /var/log/wtmp).

FILES
/var/log/wtmp
/var/log/btmp

AUTHOR
Miquel van Smoorenburg, miquels@cistron.nl

SEE ALSO
login(1), init(8)