1. Overview

The lastlog command displays recent login information for all users or a specified user across text-based terminal sessions on the system. Using this command, we can retrieve a user’s login name, port, and last login time. Further, this is particularly useful for identifying inactive accounts or monitoring login activities.

In this article, we’ll explore the lastlog command, its basic usage, common options, and provide examples to show how it functions.

2. Common lastlog Options

The basic syntax and structure for the lastlog command are:

$ lastlog [options]

lastlog: the command name
[options]: represents arguments that can modify the behavior of the lastlog command

Now, let’s explore the common options available with the lastlog command:

Options

Description

-t

prints lastlog records more recent than specified days

-u

prints lastlog record for a specified user login

-C

clears lastlog record of a user

-S

sets lastlog record to current time

-b

prints only lastlog records older specified days

Basically, these options enable us to use lastlog in performing various user login management and system monitoring tasks.

3. Common lastlog Examples

Generally, understanding how to use the lastlog command is crucial in administration as it enables easy monitoring, account management, compliance, and auditing. Therefore, let’s explore practical examples of using this command with various options.

3.1. Display the Last Login Information for All Users

Running the lastlog command without any options displays the last login information for all users on the system. This includes the login name, port, and last login time.

For example, let’s show how to use the basic lastlog command:

$ lastlog 
Username         Port     From                                       Latest
...
kali             tty6                                               Thu Jun 13 18:49:33 -0400 2024
nancy            tty6                                               Thu Jun 13 19:06:38 -0400 2024
...
                                                                                                                                                                                                                                           

Evidently, from this example, we can see that the output of the lastlog command consists of four columns. Let’s understand what they mean:

  • Username: the username of the account
  • Port: the terminal used for the login
  • From: the hostname or IP address from where the login was made
  • Latest: the date and time of the last login

The displayed results show the login name, date, and time of the last login for each user.

3.2. Displaying Last Login Information for a Specific User

More so, displaying the last login information for a specific user is possible with the lastlog command. We can achieve this by applying the -u option to the username we want to check.

For example, let’s show how to view the last login information for a specific user:

$ lastlog -u nancy
Username         Port     From                                       Latest
nancy            tty6                                               Thu Jun 13 19:06:38 -0400 2024

From this example, we can see that the user nancy last logged in on Thu Jun 13 19:06:38 -0400 2024.

3.3. Displaying lastlog Records More Recent Than Specified Days

Additionally, in scenarios where we need to specifically view login information for users who have recently accessed our system within a defined timeframe, the lastlog command is useful. By applying the -t option and the desired number of days, we can efficiently retrieve these login details.

For example, let’s see how it works:

$ lastlog -t 3
Username         Port     From                                       Latest
kali             tty6                                               Thu Jun 13 18:49:33 -0400 2024
nancy            tty6                                               Thu Jun 13 19:06:38 -0400 2024

This command displays lastlog records for users who have logged in within the last 3 days.

3.4. Displaying lastlog Records Older than Specified Days

Alternatively, we can decide to print only lastlog records for users who have not logged in for a specific number of days. To do this, we apply the -b option, then the number of days we’re interested in:

$ lastlog -b 10
Username         Port     From                                       Latest
root                                                                **Never logged in**
daemon                                                              **Never logged in**
bin                                                                 **Never logged in**
sys                                                                 **Never logged in**
sync                                                                **Never logged in**
games                                                               **Never logged in**
man                                                                 **Never logged in**
lp                                                                  **Never logged in**
...

Clearly, this command displays lastlog records for users who have not logged in for more than 10 days.

3.5. Clearing lastlog Records of a User

The -C option in the lastlog command enables us to specifically clear the lastlog record of a particular user. However, to accomplish this, it’s essential to use this option together with the -u option, specifying the username whose record we intend to reset.

For example, let’s show how to clear a user’s lastlog records:

$ sudo lastlog -u nancy -C

This command clears the lastlog record for the user nancy. In addition, it is crucial to note that the sudo command is used to complete this process because the login records were located in /var/log/lastlog directory, a sensitive file that requires root privileges.

3.6. Setting lastlog Records to Current Time

Among the lastlog command options is -S, which allows administrators to set the last login record of a specific user to the current time. Through this functionality, we can ensure that user’s login information reflects the most recent activity on the system and enhance tracking and monitoring processes.

Let’s show how to set lastlog record to the current time:

$ sudo lastlog -u kali -S 

After running this command, it updates the lastlog record for the user to the current login time.

4. Conclusion

In this article, we covered several ways to use the lastlog command and its options. We also learned how to use it to monitor, control, and oversee Linux system login activity.

By mastering the lastlog command, administrators can improve their system security by promptly detecting unauthorized access attempts, ensuring compliance, and maintaining detailed records.