
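Purpose

The last command displays the history of user logins, reboots, and shutdowns on a Linux system. It tracks system access activity by reading the /var/log/wtmp file, which helps administrators audit how the system is used.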
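To make the wtmp dependency concrete, the Python code below decodes wtmp records from a copy of the file and pairs logins with logouts, which is useful when reviewing an acquired copy offline. It is an added example, not part of the original page or of any last implementation; it assumes the 384-byte glibc `struct utmp` layout of x86-64 Linux, and `make_record` and `SAMPLE` are constructed for illustration.

```python
import ipaddress
import struct
from datetime import datetime, timezone

# Assumed layout: glibc "struct utmp" on Linux x86-64 (384 bytes, little-endian).
UTMP = struct.Struct("<h2xi32s4s32s256shhiii16s20x")
TYPES = {1: "RUN_LVL", 2: "BOOT_TIME", 7: "USER_PROCESS", 8: "DEAD_PROCESS"}

def text(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def parse_wtmp(data):
    """Return one dict per complete record; a truncated tail is ignored."""
    out = []
    for off in range(0, len(data) - UTMP.size + 1, UTMP.size):
        (ut_type, pid, line, _id, user, host, _term, _exit,
         _sess, sec, _usec, addr) = UTMP.unpack_from(data, off)
        # ut_addr_v6 holds IPv4 in its first 4 bytes with the rest zeroed.
        ip = ipaddress.ip_address(addr[:4] if addr[4:] == bytes(12) else addr)
        out.append({"type": TYPES.get(ut_type, str(ut_type)), "pid": pid,
                    "line": text(line), "user": text(user), "host": text(host),
                    "ip": str(ip),
                    "time": datetime.fromtimestamp(sec, timezone.utc)})
    return out

def sessions(records):
    """Pair each login with the next logout recorded on the same tty."""
    open_by_line, out = {}, []
    for r in records:
        if r["type"] == "USER_PROCESS":
            open_by_line[r["line"]] = r
        elif r["type"] == "DEAD_PROCESS" and r["line"] in open_by_line:
            s = open_by_line.pop(r["line"])
            out.append((s["user"], s["line"], s["ip"], r["time"] - s["time"]))
    # Logins with no matching logout are reported with duration None.
    out += [(s["user"], s["line"], s["ip"], None) for s in open_by_line.values()]
    return out

def make_record(ut_type, pid, line, user, host, ip, sec):
    """Build one constructed record for the sample below."""
    return UTMP.pack(ut_type, pid, line.encode(), b"", user.encode(),
                     host.encode(), 0, 0, 0, sec, 0,
                     ipaddress.ip_address(ip).packed)

# Constructed sample: boot 09:14, login 10:23, logout 10:50 (2024-07-01 UTC).
SAMPLE = (make_record(2, 0, "~", "reboot", "5.4.0-91-generic", "0.0.0.0", 1719825240)
          + make_record(7, 1201, "pts/0", "username", "192.168.1.5", "192.168.1.5", 1719829380)
          + make_record(8, 1201, "pts/0", "", "", "0.0.0.0", 1719831000))
```

To inspect a real file, pass `parse_wtmp` the bytes of a wtmp copy instead of `SAMPLE`; a file whose length is not a multiple of 384 bytes has a truncated tail or a different record layout.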

Common usage examples

  1. Show recent login records (default output)

    last
    username pts/0        192.168.1.5      Mon Jul  1 10:23   still logged in
    root     tty1                          Mon Jul  1 09:15 - 09:20  (00:05)
    reboot   system boot  5.4.0-91-generic Mon Jul  1 09:14   still running

    Shows login, reboot, and shutdown records for all users, newest first.

  2. Show only the 5 most recent records

    last -n 5
    username pts/2        192.168.1.5      Mon Jul  1 11:30 - 11:45  (00:15)
    root     tty1                          Mon Jul  1 11:20 - down   (00:03)
    reboot   system boot  5.4.0-91-generic Mon Jul  1 11:19 - 11:23  (00:04)
    shutdown system down  5.4.0-91-generic Mon Jul  1 11:18 - 11:19  (00:00)
    username pts/1        192.168.1.5      Mon Jul  1 10:50 - 11:00  (00:10)

    The -n 5 option limits the output to the 5 most recent records.

  3. Show the login records of a specific user

    last username
    username pts/0        192.168.1.5      Mon Jul  1 10:23 - 10:50  (00:27)
    username pts/1        192.168.1.5      Mon Jul  1 09:30 - 09:45  (00:15)

    Shows only the login history of the user username.

  4. Show system shutdown and reboot records

    last -x shutdown reboot
    reboot   system boot  5.4.0-91-generic Mon Jul  1 11:19 - 11:23  (00:04)
    shutdown system down  5.4.0-91-generic Mon Jul  1 11:18 - 11:19  (00:00)
    reboot   system boot  5.4.0-91-generic Mon Jul  1 09:14 - 11:18  (02:04)

    The -x option displays system events (such as shutdown and reboot).

  5. Show the full time format

    last -F
    username pts/0 192.168.1.5 Mon Jul 1 10:23:30 - 10:50:15 (00:26:45)

    The -F option displays the full date and time (including seconds).

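  6. Show the host (hostname or IP address) in the last column

    last -a
    username pts/0        Mon Jul  1 10:23   still logged in    192.168.1.5

    The -a option displays the host (hostname or IP address) in the last column. To print numeric IP addresses without hostname resolution, use -i.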

  7. Show records before a specific time

    last -t 20240701100000
    username pts/1        192.168.1.5      Mon Jul  1 09:30 - 09:45  (00:15)

    -t YYYYMMDDHHMMSS shows only records from before the specified time.

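  8. Read login records from a specified file

    last -f /var/log/wtmp -F
    username pts/2 192.168.1.5 Mon Jul 1 12:00:00 - 12:30:00 (00:30:00)

    The -f option specifies another log file to read (such as an older wtmp file); combined with -F, it shows full timestamps.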

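Common options

  • -n, --limit <number>
    Limit the number of output lines. For example, last -n 10 shows the 10 most recent records.

  • -x, --system
    Show system-level events (such as shutdown and reboot).

  • -a, --hostlast
    Display the hostname or IP address in the last column.

  • -i, --ip
    Display IP addresses in numeric format (disables hostname resolution).

  • -t, --until <time>
    Show only records from before the specified time (format YYYYMMDDHHMMSS).

  • -F, --fulltime
    Show full login and logout times (including seconds).

  • -R, --nohostname
    Hide the hostname field for more compact output.

  • -f, --file <file>
    Read from another log file (the default is /var/log/wtmp).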

Upstream documentation

NAME

last - list logins on the system

SYNOPSIS

last [ -num | -n num | --lines num ]
[ -f filename | --file filename ]
[ people ... ] [ ttys ... ]
[ --complain ] [ --no-truncate-ftp-entries ]
[ -x | --more-records ] [ -a | --all-records ]
[ --tw-leniency num ] [ --tw-suspicious num ]
[ -i | --ip-address ] [ --debug ] [ -w | --wide ]
[ -s | --print-seconds ] [ -y | --print-year ]
[ -V | --version ] [ -h | --help ]

DESCRIPTION

last looks through the file wtmp (which records all logins/logouts)
and prints information about connect times of users. Records are
printed from most recent to least recent. Records can be specified
by tty and username. tty names can be abbreviated:

    last 0

is equivalent to

    last tty0

Multiple arguments can be specified:

    last root console

will print all of the entries for the user root and all entries
logged in on the console tty.

The special users reboot and shutdown log in when the system
reboots or (surprise) shuts down.

    last reboot

will produce a record of reboot times.

If last is interrupted by a quit signal, it prints out how far its
search in the wtmp file had reached and then quits.

OPTIONS

-n num, --lines num
    Limit the number of lines that last outputs. This is different
    from u*x last, which lets you specify the number right after a
    dash.

-f filename, --file filename
    Read from the file filename instead of the system's wtmp file.

--complain
    When the wtmp file has a problem (a time-warp, missing record,
    or whatever), print out an appropriate error.

--tw-leniency num
    Set the time warp leniency to num seconds. Records in wtmp
    files might be slightly out of order (most notably when two
    logins occur within a one-second period - the second one gets
    written first). By default, this value is set to 60. If the
    program notices this problem, time is not assigned to users
    unless the --timewarps flag is used.

--tw-suspicious num
    Set the time warp suspicious value to num seconds. If two
    records in the wtmp file are farther than this number of
    seconds apart, there is a problem with the wtmp file (or your
    machine hasn't been used in a year). If the program notices
    this problem, time is not assigned to users unless the
    --timewarps flag is used.

--no-truncate-ftp-entries
    When printing out the information, don't chop the number part
    off of `ftp'XXXX entries.

-x, --more-records
    Print out run level changes, shutdowns, and time changes in
    addition to the normal records.

-a, --all-records
    Print out all records in the wtmp file.

-i, --ip-address
    Some machines store the IP address of a connection in a utmp
    record. Enabling this option makes last print the IP address
    instead of the hostname.

-w, --wide
    By default, last tries to print each entry within 80 columns.
    Use this option to instruct last to print out the fields in
    the wtmp file with full field widths.

--debug
    Print verbose internal information.

-s, --print-seconds
    Print seconds when displaying dates.

-y, --print-year
    Print year when displaying dates.

-V, --version
    Print last's version number.

-h, --help
    Prints the usage string and default locations of system files
    to standard output and exits.

FILES

wtmp
The system wide login record file. See wtmp(5) for further
details.

AUTHOR

The GNU accounting utilities were written by Noel Cragg
<noel@gnu.ai.mit.edu>. The man page was added by Dirk Eddelbuettel
<edd@qed.econ.queensu.ca>.

SEE ALSO

who(1), wtmp(5)

COLOPHON

This page is part of the psacct (process accounting utilities)
project. Information about the project can be found at
⟨http://www.gnu.org/software/acct/⟩. If you have a bug report for
this manual page, see ⟨http://www.gnu.org/software/acct/⟩. This
page was obtained from the tarball acct-6.6.4.tar.gz fetched from
⟨http://ftp.gnu.org/gnu/acct/⟩ on 2024-02-02. If you discover any
rendering problems in this HTML version of the page, or you
believe there is a better or more up-to-date source for the page,
or you have corrections or improvements to the information in this
COLOPHON (which is not part of the original manual page), send a
mail to man-pages@man7.org