22

The last command may show too few lines of user login info, truncated at the point where “wtmp begins”.

If I want to get as much last info as possible (e.g., to see if my system was accessed from any unknown/suspicious IP using my username), how can I output the older “last” info?

(If I use last -2000, intending to see 2000 lines of output, the command may return just a few lines; anything that happened before the “wtmp begins” would be truncated.)

Just wondering somehow if it is possible to output as many lines of login info as possible.

Zanna
  • last -o might help. The man page says it reads old wtmp files. But on my system it doesn't give much info. Although, wtmp begins is set to Jan 1 1970. – udiboy1209 Apr 04 '14 at 07:41
  • 1
    That's funny. If you have more logins since 1970 than what are shown in your log, then some setting may be incorrect. – water stone Apr 04 '14 at 08:57

3 Answers

27

The last command uses the binary file /var/log/wtmp to show a listing of last logged in users.

But /var/log/wtmp is a rotated file where old entries are archived into /var/log/wtmp.x where x is a digit [0-9].

So if you need to look deeper in the login history, try to open one of those files:

last -2000 -f /var/log/wtmp.1 | less
  • 1
    To read 2000 lines in the terminal it is better to pass it to less as last -2000 -f /var/log/wtmp.1 | less, +1 for nice answer – sourav c. Apr 04 '14 at 08:01
  • Good idea, thanks @souravc. I've edited my answer. – Sylvain Pineau Apr 04 '14 at 08:03
  • 1
    Thank you so very much! I noticed that the wtmp.1 file was automatically gzipped into wtmp.1.gz file, so I unzipped it, and used "last -f" to read, that is exactly what I needed. Thank you so much. Btw, the wtmp.1 seems still too recent, and I only have wtmp1 file (no other files such as wtmp2 etc in /var/log), if I want my system to store more info, how can I change the default system setting for this purpose? – water stone Apr 04 '14 at 08:21
  • Please create a new question to cover how many rotations should be archived. – Sylvain Pineau Apr 04 '14 at 08:26
  • Related for long-running systems: With GNU last, pass -F (--fulltimes) for full timestamps that include the year. More info: https://superuser.com/questions/757853/how-can-i-see-the-year-when-i-command-that-last-in-unix-system – pcworld Sep 20 '25 at 19:15
5

If the last -f /var/log/wtmp.1 doesn't give any output this can be because e.g. the record length has changed in a newer version.

A simple option would then be to use utmpdump instead:

utmpdump /var/log/wtmp.1 | less

Oh, and less can be quit using q (from "quit" ;-) )

Kees
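The answers above read rotated wtmp files with last -f and utmpdump. As an added example (not code from either answer), this Python script parses the records directly, reads gzipped rotations such as wtmp.1.gz without unpacking them, rejects files whose size does not match the record length, and summarises the origin hosts seen for one username. It assumes the 384-byte glibc struct utmp layout used on Linux; the function names are hypothetical, and make_record only builds constructed sample data.

```python
import gzip
import struct
from datetime import datetime, timezone

# Assumption: glibc "struct utmp" as written to wtmp on Linux, 384 bytes per record:
# type, pid, line[32], id[4], user[32], host[256], exit(2h), session, tv_sec, tv_usec, addr[4], pad
REC = struct.Struct("<h2xi32s4s32s256shhiii4i20s")
USER_PROCESS = 7  # ut_type value of a user login record

def read_bytes(path):
    """Return the raw bytes of a wtmp file, handling .gz rotations transparently."""
    opener = gzip.open if str(path).endswith(".gz") else open
    with opener(path, "rb") as fh:
        return fh.read()

def decode(raw):
    """Turn a NUL-padded fixed-width field into text."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def parse_wtmp(data):
    """Yield (utc_time, user, line, host) for every login record in raw wtmp bytes."""
    if len(data) % REC.size:
        raise ValueError(f"size {len(data)} is not a multiple of {REC.size}: "
                         "different record layout or truncated file")
    for f in REC.iter_unpack(data):
        if f[0] == USER_PROCESS:
            when = datetime.fromtimestamp(f[9], tz=timezone.utc)
            yield when, decode(f[4]), decode(f[2]), decode(f[5])

def hosts_for_user(paths, user):
    """Map each origin host to (login_count, first_seen, last_seen) across all files."""
    seen = {}
    for path in paths:
        for when, name, _line, host in parse_wtmp(read_bytes(path)):
            if name == user:
                n, first, last = seen.get(host, (0, when, when))
                seen[host] = (n + 1, min(first, when), max(last, when))
    return seen

def make_record(user, line, host, epoch):
    """Build one constructed login record (sample data, not from a real system)."""
    return REC.pack(USER_PROCESS, 1234, line.encode(), b"ts/0", user.encode(),
                    host.encode(), 0, 0, 0, epoch, 0, 0, 0, 0, 0, b"")

if __name__ == "__main__":
    import glob, sys
    for host, (n, first, last) in hosts_for_user(sorted(glob.glob("/var/log/wtmp*")), sys.argv[1]).items():
        print(f"{host or '(local)':40} {n:5} {first:%Y-%m-%d} .. {last:%Y-%m-%d}")
```

Run it with a username as the only argument; an empty host means a local login.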
1

Update

Logs in /var/log/wtmp.1 are constrained.

Ubuntu 16 and probably 17 have a mechanism for deleting logs older than one month. To configure this behavior you should edit:

/etc/logrotate.conf

More info: Access to logs of startup and shut down

Daniel