Linux常用命令-last

发表于 分类于

命令

last

描述

show listing of last logged in users
显示最近登录的用户记录

用法

1
last [-num | -n num] [-f file] [-t YYYYMMDDHHMMSS] [-R] [-adioxFw] [username..] [tty..]

选项

1
2
3
4
5
6
7
8
9
10
11
Options:
  -f  指定登录记录文件,默认为/var/log/wtmp
  -n  显示指定行数,可简写如-n5简写为-5
  -t  显示指定时间之前的记录,格式为YYYYMMDDHHMMSS
  -R  不显示登录者的主机名或IP
  -a  将登录者的主机名或IP显示在最后一列
  -d  转换登录者的IP为主机名
  -F  显示完整的登录和退出时间
  -i  显示登录者的IP,等同于-d
  -w  显示完整的用户名和域名
  -x  显示tty和系统运行级别

注意

lastblast的软链接,两个命令的选项可以通用,last显示所有登录记录,lastb只显示登录失败的记录
last默认读取的是/var/log/wtmp,lastb默认读取的是/var/log/btmp
每次系统重启也会有一条记录,可以通过last reboot命令来查看系统重启时间
另外需要注意wtmp和btmp两个文件格式不同,不能互相读取

示例

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
# lastb是last的软链接,只显示登录失败的记录
$ ll /usr/bin/last*
-rwxr-xr-x. 1 root root 19568 Jun 10  2014 /usr/bin/last
lrwxrwxrwx. 1 root root     4 Nov 27 05:42 /usr/bin/lastb -> last
-rwxr-xr-x. 1 root root 19608 Aug  9  2019 /usr/bin/lastlog
# 最后一行会显示该wtmp文件的创建时间,即记录的起始时间
$ last
root     pts/1        192.168.80.1     Sun Feb 28 10:11   still logged in
root     pts/0        192.168.80.1     Sun Feb 28 10:11   still logged in
reboot   system boot  3.10.0-1160.11.1 Sun Feb 28 10:10 - 10:20  (00:09) 
root     pts/0        192.168.80.1     Sat Feb 27 09:19 - crash (1+00:51)
root     pts/0        192.168.80.1     Fri Feb 26 16:35 - 21:26  (04:50) 
reboot   system boot  3.10.0-1160.11.1 Fri Feb 26 15:58 - 10:20 (1+18:21)
root     pts/1        192.168.80.1     Fri Feb 26 15:51 - down   (00:06) 
root     pts/1        192.168.80.1     Fri Feb 26 15:34 - 15:51  (00:17) 
...
usera    pts/1        192.168.80.1     Fri Feb  5 21:41 - 21:41  (00:00) 
usera    pts/1        192.168.80.1     Fri Feb  5 21:40 - 21:41  (00:00) 
wtmp begins Fri Nov 27 05:47:49 2020
# -f指定文件,如复制其他主机的wtmp文件到本机查看
# -n5只查看最近的5条记录
$ last -n5 -f wtmp
root     pts/1        192.168.80.1     Sun Feb 28 10:11   still logged in
root     pts/0        192.168.80.1     Sun Feb 28 10:11   still logged in
reboot   system boot  3.10.0-1160.11.1 Sun Feb 28 10:10 - 10:49  (00:38) 
root     pts/0        192.168.80.1     Sat Feb 27 09:19 - crash (1+00:51)
root     pts/0        192.168.80.1     Fri Feb 26 16:35 - 21:26  (04:50) 
# -R不显示登录者的主机名或IP
$ last -n5 -R
root     pts/1        Sun Feb 28 10:11   still logged in
root     pts/0        Sun Feb 28 10:11   still logged in
reboot   system boot  Sun Feb 28 10:10 - 10:52  (00:41) 
root     pts/0        Sat Feb 27 09:19 - crash (1+00:51)
root     pts/0        Fri Feb 26 16:35 - 21:26  (04:50) 
wtmp begins Fri Nov 27 05:47:49 2020
# -a将登录者的主机名或IP显示在最后一列
$ last -n5 -a
root     pts/1        Sun Feb 28 10:11   still logged in    192.168.80.1
root     pts/0        Sun Feb 28 10:11   still logged in    192.168.80.1
reboot   system boot  Sun Feb 28 10:10 - 10:52  (00:41)     3.10.0-1160.11.1.el7.x86_64
root     pts/0        Sat Feb 27 09:19 - crash (1+00:51)    192.168.80.1
root     pts/0        Fri Feb 26 16:35 - 21:26  (04:50)     192.168.80.1
wtmp begins Fri Nov 27 05:47:49 2020
# -t显示指定时间之前的记录,注意时间格式
$ last -n5 -t 20210115080000
root     pts/0        192.168.80.1     Mon Jan 11 12:47 - down   (00:00)
reboot   system boot  3.10.0-1160.11.1 Mon Jan 11 12:46 - 12:47  (00:00)
root     pts/0        192.168.80.1     Mon Jan 11 12:39 - down   (00:02)
reboot   system boot  3.10.0-1160.11.1 Mon Jan 11 12:39 - 12:42  (00:02)
reboot   system boot  3.10.0-1160.11.1 Mon Jan 11 12:38 - 12:42  (00:04)
# -F显示完整的登录和退出时间
$ last -n5 -F
root     pts/1        192.168.80.1     Sun Feb 28 10:11:13 2021   still logged in
root     pts/0        192.168.80.1     Sun Feb 28 10:11:04 2021   still logged in
reboot   system boot  3.10.0-1160.11.1 Sun Feb 28 10:10:57 2021 - Sun Feb 28 10:57:16 2021  (00:46)
root     pts/0        192.168.80.1     Sat Feb 27 09:19:54 2021 - crash (1+00:51)
root     pts/0        192.168.80.1     Fri Feb 26 16:35:42 2021 - Fri Feb 26 21:26:32 2021  (04:50)
# -x显示tty和系统运行级别
root     pts/1        192.168.80.1     Sun Feb 28 10:11   still logged in
root     pts/0        192.168.80.1     Sun Feb 28 10:11   still logged in
runlevel (to lvl 3)   3.10.0-1160.11.1 Sun Feb 28 10:11 - 10:58  (00:47) 
reboot   system boot  3.10.0-1160.11.1 Sun Feb 28 10:10 - 10:58  (00:47) 
root     pts/0        192.168.80.1     Sat Feb 27 09:19 - crash (1+00:51)
...
runlevel (to lvl 3)   3.10.0-1160.11.1 Sat Feb 20 15:11 - 13:55 (4+22:44)
reboot   system boot  3.10.0-1160.11.1 Sat Feb 20 15:11 - 15:58 (6+00:46)
shutdown system down  3.10.0-1160.11.1 Fri Feb 19 15:11 - 15:11 (1+00:00)
# 查看指定用户的登录记录
$ last usera
usera    pts/1        192.168.80.1     Fri Feb  5 21:41 - 21:41  (00:00)
usera    pts/1        192.168.80.1     Fri Feb  5 21:40 - 21:41  (00:00)
# 查看系统重启记录
$ last reboot
reboot   system boot  3.10.0-1160.11.1 Sun Feb 28 10:10 - 10:25  (00:14)
reboot   system boot  3.10.0-1160.11.1 Fri Feb 26 15:58 - 10:25 (1+18:26)
reboot   system boot  3.10.0-1160.11.1 Thu Feb 25 13:55 - 15:58 (1+02:02)
reboot   system boot  3.10.0-1160.11.1 Sat Feb 20 15:11 - 15:58 (6+00:46)
# lastb显示登录失败的记录,读取的是/var/log/btmp文件
$ lastb
root     ssh:notty    192.168.80.1     Sun Feb  7 20:14 - 20:14  (00:00)
usera    ssh:notty    192.168.80.1     Sun Feb  7 20:13 - 20:13  (00:00)
usera    ssh:notty    192.168.80.1     Fri Feb  5 21:41 - 21:41  (00:00)
# last和lastb两个命令的选项可以通用
$ lastb -a
root     ssh:notty    Sun Feb  7 20:14 - 20:14  (00:00)     192.168.80.1
usera    ssh:notty    Sun Feb  7 20:13 - 20:13  (00:00)     192.168.80.1
usera    ssh:notty    Fri Feb  5 21:41 - 21:41  (00:00)     192.168.80.1
usera    ssh:notty    Fri Feb  5 21:40 - 21:40  (00:00)     192.168.80.1
usera    ssh:notty    Fri Feb  5 21:39 - 21:39  (00:00)     192.168.80.1
# wtmp和btmp的文件格式不同
$ cp /var/log/wtmp /var/log/btmp .
$ file wtmp btmp
wtmp: data
btmp: DBase 3 index file
# 使用last读取btmp文件则显示的记录有误
$ last -f btmp
root     ssh:notty    192.168.80.1     Sun Feb  7 20:14    gone - no logout
usera    ssh:notty    192.168.80.1     Sun Feb  7 20:13 - 20:14  (00:00) 
usera    ssh:notty    192.168.80.1     Fri Feb  5 21:41 - 20:13 (1+22:32)
usera    ssh:notty    192.168.80.1     Fri Feb  5 21:40 - 21:41  (00:00) 
usera    ssh:notty    192.168.80.1     Fri Feb  5 21:39 - 21:40  (00:00) 
# 正确记录如下
$ lastb -f btmp
root     ssh:notty    192.168.80.1     Sun Feb  7 20:14 - 20:14  (00:00)
usera    ssh:notty    192.168.80.1     Sun Feb  7 20:13 - 20:13  (00:00)
usera    ssh:notty    192.168.80.1     Fri Feb  5 21:41 - 21:41  (00:00)
usera    ssh:notty    192.168.80.1     Fri Feb  5 21:40 - 21:40  (00:00)
usera    ssh:notty    192.168.80.1     Fri Feb  5 21:39 - 21:39  (00:00)