Understanding the Last Command for Linux/Unix

Show user-login histories and system reboot timestamps


The last command searches the file /var/log/wtmp (or the file designated by the -f flag) and displays a list of all users logged in and out since that file was created.

How It Works

When last catches a SIGINT signal (generated by the interrupt key, usually Ctrl+C) or a SIGQUIT signal (generated by the quit key, usually Ctrl+\), it shows how far it has searched through the file; in the case of the SIGINT signal, last then terminates.

The pseudo-user reboot logs in each time the system is rebooted. Thus last reboot shows a log of all reboots since the log file was created.

lastb command

The lastb command is the same as last, except that by default it reads the file /var/log/btmp, which contains all the bad login attempts. Unlike last, it requires elevated privileges to execute. If the system has recorded no bad login attempts, it returns only the start date of the btmp file.


The commands take the following general form:

last [-R] [-num] [ -n num ] [-adiox] [ -f file ] [ -t YYYYMMDDHHMMSS ] [name...] [tty...]
lastb [-R] [-num] [ -n num ] [ -f file ] [ -t YYYYMMDDHHMMSS ] [-adiox] [name...] [tty...]


Modify the command's behavior with switches:

  • -n, -num: This is a count telling last how many lines to show.
  • -t YYYYMMDDHHMMSS: Display the state of logins as of the specified time. This is useful, e.g., to determine easily who was logged in at a particular time: specify that time with -t and look for "still logged in".
  • -R: Suppresses the display of the hostname field.
  • -a: Display the hostname in the last column. Useful in combination with the next flag.
  • -d: For non-local logins, Linux stores not only the host name of the remote host but its IP number as well. This option translates the IP number back into a hostname.
  • -i: This option is like -d in that it displays the IP number of the remote host, but it displays the IP number in dotted-quad notation.
  • -o: Read an old-type wtmp file (written by linux-libc5 applications).
  • -x: Display the system shutdown entries and run level changes.

Use the man command (% man) to see how a command is used on your particular computer.
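
The following Python code is an added example, not part of the original article: it parses wtmp-style records and answers the two questions described above, who was logged in at a given time (as with -t) and when the system rebooted (as with last reboot). It assumes glibc's 384-byte, little-endian Linux record layout and a simplified pairing of login and logout records by terminal line; the function names and the sample records are constructed for the example.

```python
import struct

# Assumed layout (glibc struct utmp on Linux, little-endian, 384 bytes):
# type, pad, pid, line[32], id[4], user[32], host[256], exit status (2 shorts),
# session, tv_sec, tv_usec, 16-byte address, 20 unused bytes.
UTMP = struct.Struct("<hxxi32s4s32s256shhiii16s20x")
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8

def text(raw):
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def parse_wtmp(blob):
    """Yield (type, line, user, host, tv_sec); a truncated tail is skipped."""
    for off in range(0, len(blob) - UTMP.size + 1, UTMP.size):
        f = UTMP.unpack_from(blob, off)
        yield f[0], text(f[2]), text(f[4]), text(f[5]), f[9]

def logged_in_at(blob, when):
    """Sessions still open at epoch second `when`, keyed by terminal line."""
    sessions = {}
    for typ, line, user, host, sec in parse_wtmp(blob):
        if sec > when:
            continue                   # ignore anything after the cut-off
        if typ == BOOT_TIME:
            sessions.clear()           # a reboot ends every open session
        elif typ == USER_PROCESS:
            sessions[line] = (user, host, sec)
        elif typ == DEAD_PROCESS:
            sessions.pop(line, None)   # logout on that terminal line
    return sessions

def reboots(blob):
    """Timestamps of the pseudo-user reboot entries."""
    return [sec for typ, _l, _u, _h, sec in parse_wtmp(blob) if typ == BOOT_TIME]

def record(typ, line, user, host, sec):
    """Build one constructed record (sample data, not from a real system)."""
    return UTMP.pack(typ, 0, line.encode(), b"", user.encode(),
                     host.encode(), 0, 0, 0, sec, 0, b"")

# Constructed sample: two boots, three logins, one logout.
SAMPLE = b"".join([
    record(BOOT_TIME, "~", "reboot", "5.15.0", 1000),
    record(USER_PROCESS, "pts/0", "alice", "192.0.2.10", 1100),
    record(USER_PROCESS, "pts/1", "bob", "198.51.100.7", 1200),
    record(DEAD_PROCESS, "pts/0", "", "", 1300),
    record(BOOT_TIME, "~", "reboot", "5.15.0", 2000),
    record(USER_PROCESS, "tty1", "carol", "", 2100),
])

if __name__ == "__main__":
    print(reboots(SAMPLE), logged_in_at(SAMPLE, 1350))
```

To run it against a real file, pass the bytes of /var/log/wtmp (or of /var/log/btmp, read with elevated privileges) in place of SAMPLE.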