Linux常用命令-last

命令

last

描述

show listing of last logged in users
显示最近登录的用户记录

用法

last [-num | -n num] [-f file] [-t YYYYMMDDHHMMSS] [-R] [-adioxFw] [username..] [tty..]

选项

Options:
-f 指定登录记录文件,默认为/var/log/wtmp
-n 显示指定行数,可简写如-n5简写为-5
-t 显示指定时间之前的记录,格式为YYYYMMDDHHMMSS
-R 不显示登录者的主机名或IP
-a 将登录者的主机名或IP显示在最后一列
-d 转换登录者的IP为主机名
-F 显示完整的登录和退出时间
-i 以数字点分格式显示登录者的IP,与-d类似但不转换为主机名
-w 显示完整的用户名和域名
-x 显示系统关机记录和运行级别变更

注意

lastb是last的软链接,两个命令的选项可以通用,last显示所有登录记录,lastb只显示登录失败的记录
last默认读取的是/var/log/wtmp,lastb默认读取的是/var/log/btmp
每次系统重启也会有一条记录,可以通过last reboot命令来查看系统重启时间
另外需要注意wtmp和btmp两个文件格式不同,不能互相读取

示例

# lastb是last的软链接,只显示登录失败的记录
$ ll /usr/bin/last*
-rwxr-xr-x. 1 root root 19568 Jun 10 2014 /usr/bin/last
lrwxrwxrwx. 1 root root 4 Nov 27 05:42 /usr/bin/lastb -> last
-rwxr-xr-x. 1 root root 19608 Aug 9 2019 /usr/bin/lastlog
# 最后一行会显示该wtmp文件的创建时间,即记录的起始时间
$ last
root pts/1 192.168.80.1 Sun Feb 28 10:11 still logged in
root pts/0 192.168.80.1 Sun Feb 28 10:11 still logged in
reboot system boot 3.10.0-1160.11.1 Sun Feb 28 10:10 - 10:20 (00:09)
root pts/0 192.168.80.1 Sat Feb 27 09:19 - crash (1+00:51)
root pts/0 192.168.80.1 Fri Feb 26 16:35 - 21:26 (04:50)
reboot system boot 3.10.0-1160.11.1 Fri Feb 26 15:58 - 10:20 (1+18:21)
root pts/1 192.168.80.1 Fri Feb 26 15:51 - down (00:06)
root pts/1 192.168.80.1 Fri Feb 26 15:34 - 15:51 (00:17)
...
usera pts/1 192.168.80.1 Fri Feb 5 21:41 - 21:41 (00:00)
usera pts/1 192.168.80.1 Fri Feb 5 21:40 - 21:41 (00:00)
wtmp begins Fri Nov 27 05:47:49 2020
# -f指定文件,如复制其他主机的wtmp文件到本机查看
# -n5只查看最近的5条记录
$ last -n5 -f wtmp
root pts/1 192.168.80.1 Sun Feb 28 10:11 still logged in
root pts/0 192.168.80.1 Sun Feb 28 10:11 still logged in
reboot system boot 3.10.0-1160.11.1 Sun Feb 28 10:10 - 10:49 (00:38)
root pts/0 192.168.80.1 Sat Feb 27 09:19 - crash (1+00:51)
root pts/0 192.168.80.1 Fri Feb 26 16:35 - 21:26 (04:50)
# -R不显示登录者的主机名或IP
$ last -n5 -R
root pts/1 Sun Feb 28 10:11 still logged in
root pts/0 Sun Feb 28 10:11 still logged in
reboot system boot Sun Feb 28 10:10 - 10:52 (00:41)
root pts/0 Sat Feb 27 09:19 - crash (1+00:51)
root pts/0 Fri Feb 26 16:35 - 21:26 (04:50)
wtmp begins Fri Nov 27 05:47:49 2020
# -a将登录者的主机名或IP显示在最后一列
$ last -n5 -a
root pts/1 Sun Feb 28 10:11 still logged in 192.168.80.1
root pts/0 Sun Feb 28 10:11 still logged in 192.168.80.1
reboot system boot Sun Feb 28 10:10 - 10:52 (00:41) 3.10.0-1160.11.1.el7.x86_64
root pts/0 Sat Feb 27 09:19 - crash (1+00:51) 192.168.80.1
root pts/0 Fri Feb 26 16:35 - 21:26 (04:50) 192.168.80.1
wtmp begins Fri Nov 27 05:47:49 2020
# -t显示指定时间之前的记录,注意时间格式
$ last -n5 -t 20210115080000
root pts/0 192.168.80.1 Mon Jan 11 12:47 - down (00:00)
reboot system boot 3.10.0-1160.11.1 Mon Jan 11 12:46 - 12:47 (00:00)
root pts/0 192.168.80.1 Mon Jan 11 12:39 - down (00:02)
reboot system boot 3.10.0-1160.11.1 Mon Jan 11 12:39 - 12:42 (00:02)
reboot system boot 3.10.0-1160.11.1 Mon Jan 11 12:38 - 12:42 (00:04)
# -F显示完整的登录和退出时间
$ last -n5 -F
root pts/1 192.168.80.1 Sun Feb 28 10:11:13 2021 still logged in
root pts/0 192.168.80.1 Sun Feb 28 10:11:04 2021 still logged in
reboot system boot 3.10.0-1160.11.1 Sun Feb 28 10:10:57 2021 - Sun Feb 28 10:57:16 2021 (00:46)
root pts/0 192.168.80.1 Sat Feb 27 09:19:54 2021 - crash (1+00:51)
root pts/0 192.168.80.1 Fri Feb 26 16:35:42 2021 - Fri Feb 26 21:26:32 2021 (04:50)
# -x显示系统关机记录和运行级别变更
$ last -x
root pts/1 192.168.80.1 Sun Feb 28 10:11 still logged in
root pts/0 192.168.80.1 Sun Feb 28 10:11 still logged in
runlevel (to lvl 3) 3.10.0-1160.11.1 Sun Feb 28 10:11 - 10:58 (00:47)
reboot system boot 3.10.0-1160.11.1 Sun Feb 28 10:10 - 10:58 (00:47)
root pts/0 192.168.80.1 Sat Feb 27 09:19 - crash (1+00:51)
...
runlevel (to lvl 3) 3.10.0-1160.11.1 Sat Feb 20 15:11 - 13:55 (4+22:44)
reboot system boot 3.10.0-1160.11.1 Sat Feb 20 15:11 - 15:58 (6+00:46)
shutdown system down 3.10.0-1160.11.1 Fri Feb 19 15:11 - 15:11 (1+00:00)
# 查看指定用户的登录记录
$ last usera
usera pts/1 192.168.80.1 Fri Feb 5 21:41 - 21:41 (00:00)
usera pts/1 192.168.80.1 Fri Feb 5 21:40 - 21:41 (00:00)
# 查看系统重启记录
$ last reboot
reboot system boot 3.10.0-1160.11.1 Sun Feb 28 10:10 - 10:25 (00:14)
reboot system boot 3.10.0-1160.11.1 Fri Feb 26 15:58 - 10:25 (1+18:26)
reboot system boot 3.10.0-1160.11.1 Thu Feb 25 13:55 - 15:58 (1+02:02)
reboot system boot 3.10.0-1160.11.1 Sat Feb 20 15:11 - 15:58 (6+00:46)
# lastb显示登录失败的记录,读取的是/var/log/btmp文件
$ lastb
root ssh:notty 192.168.80.1 Sun Feb 7 20:14 - 20:14 (00:00)
usera ssh:notty 192.168.80.1 Sun Feb 7 20:13 - 20:13 (00:00)
usera ssh:notty 192.168.80.1 Fri Feb 5 21:41 - 21:41 (00:00)
# last和lastb两个命令的选项可以通用
$ lastb -a
root ssh:notty Sun Feb 7 20:14 - 20:14 (00:00) 192.168.80.1
usera ssh:notty Sun Feb 7 20:13 - 20:13 (00:00) 192.168.80.1
usera ssh:notty Fri Feb 5 21:41 - 21:41 (00:00) 192.168.80.1
usera ssh:notty Fri Feb 5 21:40 - 21:40 (00:00) 192.168.80.1
usera ssh:notty Fri Feb 5 21:39 - 21:39 (00:00) 192.168.80.1
# wtmp和btmp的文件格式不同
$ cp /var/log/wtmp /var/log/btmp .
$ file wtmp btmp
wtmp: data
btmp: DBase 3 index file
# 使用last读取btmp文件时,显示的退出时间和时长有误
$ last -f btmp
root ssh:notty 192.168.80.1 Sun Feb 7 20:14 gone - no logout
usera ssh:notty 192.168.80.1 Sun Feb 7 20:13 - 20:14 (00:00)
usera ssh:notty 192.168.80.1 Fri Feb 5 21:41 - 20:13 (1+22:32)
usera ssh:notty 192.168.80.1 Fri Feb 5 21:40 - 21:41 (00:00)
usera ssh:notty 192.168.80.1 Fri Feb 5 21:39 - 21:40 (00:00)
# 正确记录如下
$ lastb -f btmp
root ssh:notty 192.168.80.1 Sun Feb 7 20:14 - 20:14 (00:00)
usera ssh:notty 192.168.80.1 Sun Feb 7 20:13 - 20:13 (00:00)
usera ssh:notty 192.168.80.1 Fri Feb 5 21:41 - 21:41 (00:00)
usera ssh:notty 192.168.80.1 Fri Feb 5 21:40 - 21:40 (00:00)
usera ssh:notty 192.168.80.1 Fri Feb 5 21:39 - 21:39 (00:00)