Your computer/server has several user accounts and you want to check who logged in? There are several system commands you can use.

Table of Contents


Check who is currently connected to a terminal. who displays username (who), terminal name (where), login time (when) and IP address if connected from other computer.

$ who
ricardo  tty7         2022-04-05 11:40 (:0)


last shows a listing of last logged users (or only one user if specified). There are several available parameters but the most important one is -s <time>, to display logins since the specified time.

# Display logins from last 24 hours
last -s -1day
# Display logins from last hour
last -s -1hour
# Display logind from a specific date
last -s 2022-04-08
# Last root logins
last -s -1day root

More parameters:

  • -t <time>: logins until the specified time.
  • -n <maxlines>: display no more than <maxlines> lines.
# from 2022-04-07 00:00 to 2022-04-08 00:00
last -s 2022-04-07 -t 2022-04-08
# last -s -1hour
root     pts/1        XX.XXX.XX.XXX    Fri Apr  8 15:56   still logged in
root     pts/1        XX.XXX.XX.XXX    Fri Apr  8 15:34 - 15:36  (00:01)


lastb is like last but it shows bad login attempts. Available parameters are the same. Root permissions needed.

# Bad root logins
lastb root


Reports the most recent login of all users (or one user if use -u <username>). A useful parameter is -t <days> to show records more recent than <days>.

# lastlog -t 1
Username         Port     From             Latest
root             pts/1    XX.XXX.XX.XX    Fri Apr  8 15:56:29 +0000 2022
rs1vps           pts/1    XXX.XX.XX.XXX   Fri Apr  8 15:07:02 +0000 2022

Extra: remove last login data

Empty /var/log/lastlog and /var/log/wtmp (make backups before if you want).

truncate -s 0 /var/log/lastlog
truncate -s 0 /var/log/wtmp

/var/log/btmp logs only bad login attempts, so you may want to keep this file.

If you have any suggestion, feel free to contact me via social media or email.