In this module we take a look at the command /usr/bin/last and how we use it to audit user logins and system runlevel changes. The command last reads from the data file /var/log/wtmp by default. This database has all of the login and logout details and runlevel changes for our system. In this way we can see that auditing logins with last is a simple procedure.
Just using the command last on its own without arguments or options will print detail from the file /var/log/wtmp. How far back the login details go depends on how often the file is rotated. On my system it is rotated monthly, so the current file will show me logins from the 1st September (I am writing this in September).
We can see from the final line of output when the file was started.
To read an older, rotated file instead, name it with the -f option:
$ last -f /var/log/wtmp.1
On my system this will show August’s logins.
To see reboots on the system and how long the system has been up we can use the following command:
$ last reboot
There is a pseudo user called reboot, and from its entries we can see when the system has been rebooted, if at all. In the following screenshot we can see that the system has been up for 7 days and 17 hours with the last reboot being on September 12th:
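To show what last is actually reading, here is an added example (not part of the original module) that parses wtmp-style records and pairs logins with logouts, including the reboot pseudo user. It assumes the 384-byte record layout glibc uses on x86-64 Linux; the function names are hypothetical and the sample records are constructed.

```python
import struct
from datetime import datetime, timezone
# Assumed layout: glibc's struct utmp on x86-64 Linux, 384 bytes per record.
UTMP = struct.Struct("<hxxi32s4s32s256shhiii4i20x")
TYPES = {1: "RUN_LVL", 2: "BOOT_TIME", 7: "USER_PROCESS", 8: "DEAD_PROCESS"}

def _text(raw):  # decode a fixed-width, NUL-padded field
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def parse_wtmp(data):
    """Yield one dict per complete record; a trailing partial record is skipped."""
    for off in range(0, len(data) - UTMP.size + 1, UTMP.size):
        f = UTMP.unpack_from(data, off)
        yield {"type": TYPES.get(f[0], str(f[0])), "line": _text(f[2]),
               "user": _text(f[4]), "host": _text(f[5]),
               "time": datetime.fromtimestamp(f[9], tz=timezone.utc)}

def sessions(records):
    """Pair each login with the logout recorded on the same line."""
    open_by_line, out = {}, []
    for r in records:
        if r["type"] == "USER_PROCESS":
            s = dict(r, logout=None)
            open_by_line[r["line"]] = s
            out.append(s)
        elif r["type"] == "DEAD_PROCESS" and r["line"] in open_by_line:
            open_by_line.pop(r["line"])["logout"] = r["time"]
        elif r["type"] == "BOOT_TIME":
            # Simplification: a session still open at boot ended by then.
            for s in open_by_line.values():
                s["logout"] = r["time"]
            open_by_line.clear()
            out.append(dict(r, logout=None))
    return out

def _rec(ut_type, line, user, host, ts):  # constructed record, other fields zeroed
    return UTMP.pack(ut_type, 0, line.encode(), b"", user.encode(),
                     host.encode(), 0, 0, 0, ts, 0, 0, 0, 0, 0)

T0 = 1694505600  # constructed boot time, not taken from a real system
SAMPLE = b"".join([
    _rec(2, "~", "reboot", "5.15.0-constructed", T0),
    _rec(1, "~", "runlevel", "5.15.0-constructed", T0 + 20),
    _rec(7, "pts/0", "alice", "192.0.2.10", T0 + 600),
    _rec(8, "pts/0", "", "", T0 + 4200),
    _rec(7, "tty1", "bob", "", T0 + 5000),
])

if __name__ == "__main__":
    print(*sessions(parse_wtmp(SAMPLE)), sep="\n")
```

A session whose logout is None corresponds to what last reports as still logged in; the runlevel record is parsed but belongs to no session.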
The following video steps you through a demonstration: