UNIX-based operating systems give administrators a wide range of resources, since every task is carried out through commands, whatever use we make of them. Creating a user, inspecting the active processes or simply checking the capacity of the hard drives: everything is based on commands. But did you know that UNIX-based systems, such as Linux in this case, keep a log file called wtmp? If you have never heard of it, you are in the right place, because TechnoWikis will explain what it is and what this file does.
What does wtmp mean
We can separate wtmp into the following:
- The letter "w" stands for either "when" or "who".
- The "tmp" part can also have two meanings: "temporary" or "timestamp".
Whichever meaning you prefer, this file has the task of capturing and recording all login and logout events, which is essential and of great help for many of the tasks we must perform frequently on the system.
One point to keep in mind, which TechnoWikis explains clearly, is that wtmp is a binary file, so we cannot read it with a text editor such as nano or vi; instead we must use a special command called last.
What is the last command
last is the command responsible for displaying the latest records stored in the /var/log/wtmp file, showing details such as the list of all users who have logged in since that file was created.
This command accepts several parameters, which we list here and will then see in practice. The options of last are:
- -num or -n num: the number of lines to show in the output.
- -t YYYYMMDDHHMMSS: shows the state of logins at the specified time (year, month, day, hour, minute, second).
- -f file: searches a file other than /var/log/wtmp.
- -R: omits the hostname field from the output.
- -a: displays the hostname in the last column.
- -d: applies to non-local logins; in this case Linux stores both the hostname of the remote computer and its IP address, and this option translates the IP address back into a hostname.
- -i: displays the IP address in dotted-decimal notation.
- -o: reads an old-format wtmp file written by linux-libc5 applications.
- -x: also shows the system shutdown entries and run level changes.
How to use the last command
The basic use of the last command reads the records of the wtmp file and lists them in the console; for this you only have to run last, and we will see the following:
- The username that logged in.
- The terminal on which the session was opened; if we see a terminal entry such as :0, it means the login was made on the local computer itself.
- The IP address of the computer on which the connection was established.
- The login time and access date.
- The duration of the session in the system.
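Because wtmp is binary, each field that last prints has to be unpacked from a fixed-size record. The following Python is an added example, not code from TechnoWikis or from the last utility: it reads records in the glibc x86_64 utmp layout (an assumed 384-byte layout), pairs logins with logouts the way last does, and decodes the stored IPv4 address as the -i option would; the sample records are constructed inline.

```python
import struct
import ipaddress

# struct utmp as written by glibc on x86_64 Linux: 384 bytes, little-endian
# (assumed layout; check <utmp.h> on the target host if the sizes differ).
UTMP_FMT = "<hxxi32s4s32s256shhiii16s20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8  # ut_type values from <utmp.h>

def _cstr(raw):
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def parse_wtmp(data):
    """Yield one dict per record, oldest first, the way last(1) reads the file."""
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        (typ, pid, line, _id, user, host, _term, _exit, _sess,
         sec, _usec, addr) = struct.unpack_from(UTMP_FMT, data, off)
        # IPv4 logins keep the address in ut_addr_v6[0]; this is what -i prints
        ip = str(ipaddress.IPv4Address(addr[:4])) if any(addr[:4]) and not any(addr[4:]) else ""
        yield {"type": typ, "pid": pid, "line": _cstr(line), "user": _cstr(user),
               "host": _cstr(host), "ip": ip, "time": sec}

def sessions(data):
    """Pair each USER_PROCESS with the next DEAD_PROCESS on the same tty, like last.
    Returns (user, line, host-or-ip, login_epoch, duration_secs or None if still in)."""
    open_by_line, out = {}, []
    for r in parse_wtmp(data):
        if r["type"] == USER_PROCESS:
            open_by_line[r["line"]] = r
        elif r["type"] == DEAD_PROCESS and r["line"] in open_by_line:
            s = open_by_line.pop(r["line"])
            out.append((s["user"], s["line"], s["ip"] or s["host"], s["time"], r["time"] - s["time"]))
        elif r["type"] == BOOT_TIME:  # the "reboot" lines shown by last -x
            out.append(("reboot", "~", r["host"], r["time"], None))
    for s in open_by_line.values():  # no logout record: last prints "still logged in"
        out.append((s["user"], s["line"], s["ip"] or s["host"], s["time"], None))
    return out

def make_record(typ, pid, line, user, host, sec, ip=""):
    """Build one constructed 384-byte record (sample data, not from a real host)."""
    addr = (ipaddress.IPv4Address(ip).packed + b"\0" * 12) if ip else b"\0" * 16
    return struct.pack(UTMP_FMT, typ, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, sec, 0, addr)

# Constructed sample wtmp: a boot, a one-hour SSH session, and a console login still open
SAMPLE_WTMP = b"".join([
    make_record(BOOT_TIME, 0, "~", "reboot", "5.4.0-generic", 1559520000),
    make_record(USER_PROCESS, 1234, "pts/0", "alice", "203.0.113.7", 1559523600, ip="203.0.113.7"),
    make_record(DEAD_PROCESS, 1234, "pts/0", "", "", 1559527200),
    make_record(USER_PROCESS, 1300, "tty1", "bob", "", 1559530000),
])
```

The same record layout is used by /var/log/btmp, so the parser also reads the failed logins that lastb reports.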
Are you ready to see the last command in action? TechnoWikis will explain how to use it in Linux. Next, we will see the different uses of the last and lastb commands in Linux and their various options.
1. How to display a certain number of lines with Linux commands
In some cases the output can be quite long because of many users or many records. We can limit the number of lines shown with the -n parameter, where n is the number of lines to display, so if we only want to see the last 3 lines we run:
last -3
2. How to display hostnames for remote users with Linux commands
Thanks to the -d (Domain Name System) parameter, the last command resolves the IP addresses of remote users into hostnames, which gives a more complete view; for this we run the following:
last -d
3. How to hide my IP in the results with Linux commands
With the -R parameter we can easily hide the IP address in the output of the command, but bear in mind that if we use last for detailed analysis it is best not to remove the IP addresses:
last -R
4. How to select records by date with Linux commands
With the -s (since) parameter we can filter the last command to show events from a given date onward; for example, if we want to see all the records from June 3, 2019 we run the following. As we can see, only the records from the indicated date appear.
last -R -s 2019-06-03
5. How to search by specific date with Linux commands
Thanks to the -t (until) parameter we can specify an end date, so it is possible to select a range of login records between two defined dates; for example, to see the records between May 28 and June 4 we run:
last -R -s 2019-05-28 -t 2019-06-04
6. How to view date and time formats in last with Linux commands
Step 1
When using the last command, the dates and times given to the -s and -t parameters can use several formats, such as:
- YYYYMMDDhhmmss
- YYYY-MM-DD hh:mm:ss
- YYYY-MM-DD hh:mm - the seconds are set to 00
- YYYY-MM-DD - the time is set to 00:00:00
- hh:mm:ss - the date is set to the current day
- hh:mm - the date is set to today and the seconds to 00
- now
- yesterday - the time is set to 00:00:00
- today - the time is set to 00:00:00
- tomorrow - the time is set to 00:00:00
- +5min
- -5days
Step 2
We can execute something similar to this:
last -R -s 2019-05-25 10:00 -t 2019-06-04 19:00
Step 3
It is normal that in some cases we get no result at all, because the space between the date and the time makes the shell pass them to last as separate arguments unless the value is quoted; however, if we use the format that includes the seconds, without the dashes and the colon, we will see results:
last -R -s 20190525100000 -t 20190604190000
7. How to search events by date with Linux commands
Step 1
With the last command it is also possible to indicate periods of time measured in minutes or days relative to the current date and time; for example, to search for events from 10 days ago up to 3 days ago we run:
last -R -s -10days -t -3days
Step 2
In the same way we can search the records using the keywords yesterday, today or now; for example, we can display the results of yesterday and today by running:
last -R -s yesterday -t today
Step 3
Using the now keyword, we can see the login events from 00:00 today until the moment the command is run:
last -R -s today -t now
8. How to use the Present option with Linux commands
Step 1
Thanks to the -p (present) parameter we can find out who was logged in to the machine at a specific time; here we can use keywords such as now or indicate a specific time:
last -R -p 08:00
Step 2
Using the now keyword we can see who is logged in at the moment the command is run.
9. How to use the lastb Linux command
The lastb command was developed to read the data of a log called btmp, and its primary function is to list incorrect or failed login attempts; if any records are found, all entries will have a duration of 00:00, since no session was actually opened on the system.
This command must be run as superuser. In this case, no failed logins were detected.
sudo lastb -R
Thanks to this useful command we can access complete information about the login events recorded on the system.