last [-num | -n num] [-f file] [-t YYYYMMDDHHMMSS] [-R] [-adioxFw] [username..] [tty..]
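last shows recent logins by user or by terminal. By reviewing this log with the last command, an administrator can find out who has connected to the system or tried to.
When last runs, it reads the file named wtmp in the /var/log directory and lists every user recorded there as having logged in to the system or a terminal. By default it shows the wtmp records; btmp can show more detail and can show remote logins, for example ssh logins.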
-num | -n num       number of records to output
-f file             record file to use as the log for the query
-t YYYYMMDDHHMMSS   show the logins up to the specified time
username            account name
tty                 terminal number
(1). Options
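-R   do not show the host name or IP of the login
-a   show the host name or IP address of the login in the last column
-d   convert IP addresses to host names
-i   show the logins for a specific IP
-o   read an old-type wtmp file written by linux-libc5 applications
-x   show the history of system shutdowns, user logins and logouts
-F   show the full login time
-w   show full user names or domain names in the output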
(2). Examples
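Column 1: user name
Column 2: terminal (pts/0 is a pseudo-terminal, meaning a user connected remotely with a tool such as SSH or telnet; graphical-interface terminals also fall into this category. tty0 is a user connected directly to the computer or locally. The trailing number is the connection number.)
Column 3: login IP or kernel (:0.0 or an empty field means the user connected through a local terminal. The exception is reboot activity, where the kernel version is shown in this field.)
Column 4: start time
Column 5: end time (still logged in: not yet logged out; down: until a normal shutdown; crash: until a forced shutdown)
Column 6: duration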
Specify how many records to display (the most recent logins in the record file)
[root@CentOS6 桌面]# last -n 10
root     pts/0        :0.0             Wed Apr 25 10:12   still logged in
root     pts/1        :0.0             Wed Apr 25 10:06 - 10:10  (00:03)
root     pts/0        :0.0             Wed Apr 25 10:06 - 10:10  (00:03)
root     pts/0        :0.0             Wed Apr 25 10:02 - 10:06  (00:04)
root     pts/0        :0.0             Wed Apr 25 09:51 - 09:51  (00:00)
root     pts/0        :0.0             Wed Apr 25 09:45 - 09:51  (00:05)
root     pts/1        :0.0             Wed Apr 25 09:38 - 09:41  (00:02)
root     pts/0        :0.0             Wed Apr 25 09:34 - 09:45  (00:11)
root     pts/0        :0.0             Tue Apr 17 10:46 - 10:48  (00:02)
root     pts/0        :0.0             Tue Apr 17 10:33 - 10:46  (00:13)

wtmp begins Tue Mar 13 18:31:47 2018
[root@CentOS6 桌面]# last -10
root     pts/0        :0.0             Wed Apr 25 10:12   still logged in
root     pts/1        :0.0             Wed Apr 25 10:06 - 10:10  (00:03)
root     pts/0        :0.0             Wed Apr 25 10:06 - 10:10  (00:03)
root     pts/0        :0.0             Wed Apr 25 10:02 - 10:06  (00:04)
root     pts/0        :0.0             Wed Apr 25 09:51 - 09:51  (00:00)
root     pts/0        :0.0             Wed Apr 25 09:45 - 09:51  (00:05)
root     pts/1        :0.0             Wed Apr 25 09:38 - 09:41  (00:02)
root     pts/0        :0.0             Wed Apr 25 09:34 - 09:45  (00:11)
root     pts/0        :0.0             Tue Apr 17 10:46 - 10:48  (00:02)
root     pts/0        :0.0             Tue Apr 17 10:33 - 10:46  (00:13)

wtmp begins Tue Mar 13 18:31:47 2018
Specify the file to query; the default is wtmp
[root@CentOS6 桌面]# last -10 -f /var/log/btmp
root     tty1         :0               Mon Apr 16 09:07    gone - no logout

btmp begins Mon Apr 16 09:07:03 2018
Convert IP addresses to host addresses
[root@CentOS6 桌面]# last -10 -d
root     pts/0        0.0.0.0          Wed Apr 25 10:12   still logged in
root     pts/1        0.0.0.0          Wed Apr 25 10:06 - 10:10  (00:03)
root     pts/0        0.0.0.0          Wed Apr 25 10:06 - 10:10  (00:03)
root     pts/0        0.0.0.0          Wed Apr 25 10:02 - 10:06  (00:04)
root     pts/0        0.0.0.0          Wed Apr 25 09:51 - 09:51  (00:00)
root     pts/0        0.0.0.0          Wed Apr 25 09:45 - 09:51  (00:05)
root     pts/1        0.0.0.0          Wed Apr 25 09:38 - 09:41  (00:02)
root     pts/0        0.0.0.0          Wed Apr 25 09:34 - 09:45  (00:11)
root     pts/0        0.0.0.0          Tue Apr 17 10:46 - 10:48  (00:02)
root     pts/0        0.0.0.0          Tue Apr 17 10:33 - 10:46  (00:13)

wtmp begins Tue Mar 13 18:31:47 2018
Show the records before a specified time
[root@CentOS6 桌面]# last -10 -t 20180425000000    // shown here as a reminder of how the time after -t is written
root     pts/0        :0.0             Tue Apr 17 10:46 - 10:48  (00:02)
root     pts/0        :0.0             Tue Apr 17 10:33 - 10:46  (00:13)
root     pts/0        :0.0             Tue Apr 17 10:26 - 10:26  (00:00)
root     tty2                          Tue Apr 17 10:23 - 10:23  (00:00)
root     pts/0        :0.0             Tue Apr 17 10:22 - 10:22  (00:00)
root     pts/0        :0.0             Tue Apr 17 10:22 - 10:22  (00:00)
root     tty1         :0               Tue Apr 17 09:49   still logged in
reboot   system boot  2.6.32-642.el6.x Tue Apr 17 09:48 - 10:21 (8+00:32)
root     pts/0        :0.0             Mon Apr 16 16:13 - 16:20  (00:07)
root     pts/0        :0.0             Mon Apr 16 15:39 - 16:13  (00:33)

wtmp begins Tue Mar 13 18:31:47 2018
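As an added example (not part of the original page), the Python code below parses the six columns described under (2) and groups remote logins, sessions still open and sessions that ended without a clean logout. The sample rows, the users alice and bob, the address 203.0.113.7 and the function names parse_last and triage are constructed for illustration; it assumes the default output format (no -F or -a).

```python
import re

# Constructed sample in the default `last` layout (not real login data);
# 203.0.113.7 is a documentation-range address.
SAMPLE = """\
root     pts/0        :0.0             Wed Apr 25 10:12   still logged in
alice    pts/2        203.0.113.7      Wed Apr 25 09:58 - 10:03  (00:05)
root     tty2                          Tue Apr 17 10:23 - 10:23  (00:00)
bob      pts/1        203.0.113.7      Tue Apr 17 10:05 - crash  (00:40)
reboot   system boot  2.6.32-642.el6.x Tue Apr 17 09:48 - 10:21 (8+00:32)

wtmp begins Tue Mar 13 18:31:47 2018
"""

# Column 4 (start time) anchors each row. The "wtmp begins" footer does not
# match because its time carries seconds instead of whitespace after HH:MM.
START = re.compile(r"\s((?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) [A-Z][a-z]{2} [ \d]\d \d\d:\d\d)\s+(.*)$")

def parse_last(text):
    """Parse default-format `last` output into one dict per record."""
    records = []
    for line in text.splitlines():
        m = START.search(line)
        head = line[:m.start()].split() if m else []
        if len(head) < 2:
            continue  # blank line or footer
        if len(head) > 3:      # pseudo-record such as "reboot system boot <kernel>"
            tty, host, kind = " ".join(head[1:-1]), head[-1], "system"
        else:                  # the host column may be empty (the tty2 row above)
            tty, host = head[1], (head[2] if len(head) == 3 else "")
            local = host == "" or host.startswith(":") or host == "0.0.0.0"
            kind = "local" if local else "remote"
        end = re.match(r"-\s+(\S+)", m.group(2))   # logout time, "down" or "crash"
        records.append({"user": head[0], "tty": tty, "host": host, "kind": kind,
                        "start": m.group(1), "end": end.group(1) if end else m.group(2).strip()})
    return records

def triage(records):
    """Group the records an administrator usually reviews first."""
    logins = [r for r in records if r["kind"] != "system"]
    return {
        "remote": [(r["user"], r["host"]) for r in logins if r["kind"] == "remote"],
        "open": [(r["user"], r["tty"]) for r in logins if r["end"] == "still logged in"],
        "unclean": [(r["user"], r["tty"]) for r in logins
                    if r["end"] in ("crash", "gone - no logout")],
    }

if __name__ == "__main__":
    print(triage(parse_last(SAMPLE)))
```

The 0.0.0.0 check treats the host value that the -d output above prints for local sessions as local.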
