Back to Commands

lastlog

securityLinux/Unix
The lastlog command is one of the most frequently used commands in Linux/Unix-like operating systems. lastlog Display information about the most recent login of all users
See ExamplesView Syntax

Quick Reference

Command Name:

lastlog

Category:

security

Platform:

Linux/Unix

Basic Usage:

lastlog [options] [arguments]

Common Use Cases

    Syntax

    lastlog [options]

    Options

    Option Description
    -b, --before DAYS Show users who haven't logged in for DAYS
    -C, --clear Clear the lastlog record of a user (requires -u)
    -h, --help Display help message
    -R, --root CHROOT_DIR Apply changes in the specified chroot directory
    -S, --set Set lastlog record to current time (requires -u)
    -t, --time DAYS Show only entries more recent than DAYS
    -u, --user LOGIN|RANGE Show lastlog record for specific user(s) or range of users
    --time-format FORMAT Display timestamps using the specified format
    -r, --reverse Display records in reverse order

    Examples

    How to Use These Examples

    The examples below show common ways to use the lastlog command. Try them in your terminal to see the results. You can copy any example by clicking on the code block.

    # Basic Examples Basic
    lastlog
    Display the most recent login time for all users.
    lastlog -u john
    Display the most recent login for user 'john'.
    # Advanced Examples Advanced
    lastlog -t 7 Show users who have logged in within the last 7 days. lastlog -b 30 Show users who haven't logged in for the last 30 days. lastlog -u 1000 -u 1001 -u 1002 Show login information for specific user IDs. lastlog -r Display records in reverse order. lastlog > lastlog_report.txt Save the output to a file for reporting. lastlog | grep "Never" Find users who have never logged in.

    Try It Yourself

    Practice makes perfect! The best way to learn is by trying these examples on your own system with real files.

    Understanding Syntax

    Pay attention to the syntax coloring: commands, options, and file paths are highlighted differently.

    Notes

    The 'lastlog' command provides a system administrator with a complete picture of when each user account on the system was last used. Unlike 'last', which shows a historical record of all logins, 'lastlog' focuses specifically on showing the most recent login information for each user account. Key features of the lastlog command: 1. Account Activity Monitoring: lastlog helps identify which accounts are active and which ones haven't been used for an extended period, which is valuable for security auditing and user account management. 2. Dormant Account Detection: By showing accounts that have never logged in or haven't been used recently, lastlog assists in identifying unused accounts that might be candidates for review or removal. 3. Security Auditing: Regular review of lastlog output can help detect unusual login patterns or unexpected account usage that might indicate a security issue. 4. Time Filtering: With options like -t (recent logins) and -b (no login since), administrators can focus on specific timeframes when reviewing account activity. 5. User Management: The ability to filter by specific users or user ID ranges makes it easy to check login status for particular groups of accounts. 6. Account Maintenance: Administrative options like -C (clear) and -S (set) allow for maintaining the lastlog database when performing account management tasks. 7. Reporting Capabilities: lastlog output can easily be redirected to files or piped to other commands for further processing or inclusion in system reports. Common use cases for the lastlog command include: - Regular security audits to identify unused accounts - Compliance verification requiring documentation of account usage - User account cleanup procedures - Detecting potentially compromised accounts through unusual login patterns - New user onboarding verification - System migration planning by identifying active vs. inactive accounts - Historical documentation of account usage patterns The lastlog command reads its information from the /var/log/lastlog file, which stores the most recent login time, terminal, and host for each user ID on the system. This file is automatically updated by the login process whenever users authenticate to the system. System administrators should incorporate regular reviews of lastlog output into their security and account management procedures, as maintaining good account hygiene by disabling or removing unused accounts is an important aspect of system security.

    Related Commands

    These commands are frequently used alongside lastlog or serve similar purposes:

    last
    lastb
    who
    w
    finger
    id
    users
    passwd
    userdel
    faillog
    Explore All Commands

    Use Cases

    Learn By Doing

    The best way to learn Linux commands is by practicing. Try out these examples in your terminal to build muscle memory and understand how the lastlog command works in different scenarios.

    See ExamplesTry Lab Exercises
    $ lastlog
    View All Commands