|System Management Commands
lastlog - reports the most recent login of all users or of a given user
lastlog formats and prints the contents of the last login log /var/log/lastlog file. The login-name, port, and last login time will be printed. The default (no flags) causes lastlog entries to be printed, sorted by their order in /etc/passwd.
The options which apply to the lastlog command are:
-b, --before DAYS
-R, --root CHROOT_DIR
-t, --time DAYS
-u, --user LOGIN|RANGE
The users can be specified by a login name, a numerical user ID, or a RANGE of users. This RANGE of users can be specified with a min and max values (UID_MIN-UID_MAX), a max value (-UID_MAX), or a min value (UID_MIN-).
If the user has never logged in the message ** Never logged in** will be displayed instead of the port and time.
Only the entries for the current users of the system will be displayed. Other entries may exist for users that were deleted previously.
The lastlog file is a database which contains info on the last login of each user. You should not rotate it. It is a sparse file, so its size on the disk is usually much smaller than the one shown by "ls -l" (which can indicate a really big file if you have in passwd users with a high UID). You can display its real size with "ls -s".
The following configuration variables in /etc/login.defs change the behavior of this tool:
No LASTLOG_UID_MAX option present in the configuration means that there is no user ID limit for writing lastlog entries.
Large gaps in UID numbers will cause the lastlog program to run longer with no output to the screen (i.e. if in lastlog database there is no entries for users with UID between 170 and 800 lastlog will appear to hang as it processes entries with UIDs 171-799).
Having high UIDs can create problems when handling the <term> /var/log/lastlog</term> with external tools. Although the actual file is sparse and does not use too much space, certain applications are not designed to identify sparse files by default and may require a specific option to handle them.