
How to use last, Linux's built-in login tracking tool

2025-01-16 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/01

This article explains how to use last, the login tracking tool built into Linux. The explanation is simple and easy to follow.

What is the function of the last command?

last shows all logins (and logouts) since the /var/log/wtmp file was created. This is a binary file that cannot be viewed with text editors such as vi, Joe, or similar software. This is useful because users (or root) cannot modify the file as they wish.

For every login, last gives the username, the tty, the IP address (if the user connected remotely), the date and time, and how long the user was logged in.

How to run last

You just type last in the console. Here's an example:

$ last

leni pts/0 10.0.76.162 Mon Dec 2 12:32 - 13:25 (00:53)

pungki tty1 Mon Dec 2 09:31 still logged in

reboot system boot 2.6.32-358.23.2 Mon Dec 2 09:20 - 13:25 (04:05)

Here's how to read the output of last:

The first column tells you who the user is.

The second column shows how the user connected:

pts/0 (pseudoterminal) means the user connected from a remote location, for example over SSH or telnet.

tty (teletypewriter) means the user connected directly to the computer or through a local terminal.

The exception is reboot activity, which is shown as system boot.

The third column shows where the user came from. If the user connected from a remote computer, you will see a hostname or IP address. If you see :0.0 or nothing, the user connected through a local terminal. The exception is reboot activity, where the kernel version is displayed instead.

The remaining columns show when log activity occurs. The numbers in parentheses tell us how many hours and minutes the connection lasted.
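The columns above come from fixed-size binary records in /var/log/wtmp. The following Python parser is an added example, not code from the original article; it assumes the 384-byte glibc struct utmp layout on little-endian x86/x86_64 Linux, runs on constructed sample records, and pairs logins with logouts using a simplified version of what last does.

```python
import struct

# glibc "struct utmp" as written to /var/log/wtmp: 384 bytes per record.
# Assumption: little-endian x86/x86_64 Linux layout.
UTMP = struct.Struct("<hxxi32s4s32s256shhiii16s20x")
RUN_LVL, BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 1, 2, 7, 8  # ut_type values

def text(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def parse(data):
    """Yield (ut_type, user, line, host, epoch_seconds) per complete record."""
    for off in range(0, len(data) - UTMP.size + 1, UTMP.size):
        f = UTMP.unpack_from(data, off)
        yield f[0], text(f[4]), text(f[2]), text(f[5]), f[9]

def sessions(data):
    """Pair each login with the event that ended it (simplified model of last)."""
    live, out = {}, []
    def close_all(when, why):
        out.extend((u, l, h, s, when, why) for l, (u, h, s) in live.items())
        live.clear()
    for typ, user, line, host, sec in parse(data):
        if typ == RUN_LVL and user == "shutdown":
            close_all(sec, "down")        # clean shutdown ends open sessions
        elif typ == BOOT_TIME:
            close_all(sec, "crash")       # boot while sessions were still open
        elif typ == USER_PROCESS:
            live[line] = (user, host, sec)
        elif typ == DEAD_PROCESS and line in live:
            u, h, s = live.pop(line)
            out.append((u, line, h, s, sec, "logout"))
    close_all(None, "still logged in")
    return out

def record(typ, user, line, host, sec):
    """Build one constructed record (sample data only)."""
    return UTMP.pack(typ, 0, line.encode(), b"", user.encode(), host.encode(),
                     0, 0, 0, sec, 0, b"")

T0 = 1385942400  # 2013-12-02 00:00:00 UTC; sample times are constructed
SAMPLE = b"".join([
    record(BOOT_TIME, "reboot", "~", "2.6.32-358.23.2", T0 + 33600),
    record(USER_PROCESS, "pungki", "tty1", "", T0 + 34260),
    record(USER_PROCESS, "leni", "pts/0", "10.0.76.162", T0 + 45120),
    record(DEAD_PROCESS, "", "pts/0", "", T0 + 48300),
])

if __name__ == "__main__":
    for user, line, host, start, end, why in sessions(SAMPLE):
        mins = "-" if end is None else f"{(end - start) // 60} min"
        print(f"{user:8} {line:6} {host or '-':15} {why:16} {mins}")
```

To read a real file, pass the bytes of /var/log/wtmp (opened in binary mode) to sessions(). /var/log/btmp uses the same record format, so parse() reads it as well when run as root.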

Some examples of last in daily operations

Limit the number of display rows

When there are many rows to display, you can limit how many you see. Use the -n parameter to do this.

$ last -n 3

leni pts/0 10.0.76.162 Mon Dec 2 12:32 - 13:25 (00:53)

pungki tty1 Mon Dec 2 09:31 still logged in

reboot system boot 2.6.32-358.23.2 Mon Dec 2 09:20 - 13:25 (04:05)

The -n 3 argument makes last display 3 records, starting from the current time and going back.

Do not display host names

Use the -R parameter to do this. Here is an example:

$ last -R

leni pts/0 Mon Dec 2 12:32 - 13:25 (00:53)

pungki tty1 Mon Dec 2 09:31 still logged in

reboot system boot Mon Dec 2 09:20 - 13:25 (04:05)

As you can see, there is no information about hosts or IP addresses anymore.

Show the host name in the last column

To do this, use the -a parameter.

$ last -a

leni pts/0 Mon Dec 2 12:32 - 13:25 (00:53) 10.0.76.162

pungki tty1 Mon Dec 2 09:31 still logged in :0.0

reboot system boot Mon Dec 2 09:20 - 13:25 (04:05) 2.6.32-358.23.2.el6.i686

Host information such as 10.0.76.162 is now placed in the last column.

Show full login and logout dates and times

For this, use the -F parameter. Here's an example:

$ last -F

leni pts/0 10.0.76.162 Mon Dec 2 12:32:24 2013 - Mon Dec 2 13:25:24 2013 (00:53)

Print specific user names

If you want to track a particular user, you can print only that user's entries. Enter the username after the last command.

$ last leni

leni tty1 Mon Dec 2 18:42 still logged in

leni pts/0 Mon Dec 2 12:32 - 13:25 (00:53) 10.0.76.162

Or, if you want to know when reboots took place, you can display them like this:

$ last reboot

reboot system boot Mon Dec 2 09:20 - 16:55 (07:34)

reboot system boot Sun Dec 1 04:26 - 04:27 (00:01)

reboot system boot Wed Nov 27 20:27 - 01:24 (04:57)

reboot system boot Tue Nov 26 21:06 - 06:13 (09:06)

Print a specific tty/pts

last can also print information for a specific tty/pts. Just type the tty or pts name after the last command.

Here are some examples:

$ last tty1

pungki tty1 Mon Dec 2 09:31 still logged in

pungki tty1 Mon Dec 2 04:26 – down (00:00)

pungki tty1 Mon Dec 2 04:07 – down (00:00)

pungki tty1 Sun Dec 1 18:55 – 04:07 (09:12)

$ last pts/0

leni pts/0 10.0.76.162 Mon Dec 2 12:32 - 13:25 (00:53)

pungki pts/0 :0.0 Wed Nov 27 20:28 – down (04:56)

When you see the value down, as in the second line above, it means that the user stayed logged in from that time until the system was restarted or shut down.

Use another file instead of /var/log/wtmp

By default, the last command parses information from /var/log/wtmp. If you want last to parse another file, use the -f argument. For example, suppose the log has been rotated and the previous file is now named /var/log/wtmp.1. The last command would then look like this:

$ last -f /var/log/wtmp.1

Display run level changes

The -x parameter shows run level changes. Here is an example output:

pungki tty1 Mon Dec 2 19:21 still logged in

runlevel (to lvl 3) 2.6.32-358.23.2 Mon Dec 2 19:20 – 19:29 (00:08)

reboot system boot 2.6.32-358.23.2 Mon Dec 2 19:20 – 19:29 (00:08)

shutdown system down 2.6.32-358.23.2 Mon Dec 2 18:56 – 19:20 (00:23)

runlevel (to lvl 0) 2.6.32-358.23.2 Mon Dec 2 18:56 – 18:56 (00:00)

leni tty1 Mon Dec 2 18:42 – down (00:00)

You can see two run level entries here. The entry to lvl 3 means that the system is running in full console mode, not in the X window or GUI. Also, when the system shuts down, it actually switches to run level 0, which is why last shows to lvl 0.

View failed logins

The last command reports successful logins, while the lastb command reports failed login attempts. You must have root privileges to run lastb. lastb parses its information from /var/log/btmp. Here is an example output of the lastb command:

# lastb

leni tty1 Mon Dec 2 22:12 – 22:12 (00:00)

rahma tty1 Mon Dec 2 22:11 – 22:11 (00:00)

Log rotation

Because /var/log/wtmp records every login activity, the file can grow quickly. By default, Linux rotates /var/log/wtmp monthly. The rotation policy is set in the /etc/logrotate.conf file. Here are the contents of my /etc/logrotate.conf file.

/var/log/wtmp {
    monthly
    create 0664 root utmp
    minsize 1M
    rotate 1
}

For /var/log/btmp, this is the default rotation configuration:

/var/log/btmp {
    missingok
    monthly
    create 0600 root utmp
    minsize 1M
    rotate 1
}

You can modify it yourself as needed.
