lastlog vs. last: Understanding Linux Login Reports

While both lastlog and last provide information about user logins on a Linux system, they answer two fundamentally different questions:

lastlog

"What was the single most recent login for every user account on the system?"

last

"What is the complete historical record of all recent login and logout sessions?"

The lastlog Command

The lastlog command provides a snapshot of the last time each user logged in. It is best used for quickly auditing all user accounts to see which ones have been active and which have been dormant.

Feature Description
Purpose To display a summary of the most recent login time for every user defined in /etc/passwd.
Data Source Reads from the binary file /var/log/lastlog. This file is indexed by User ID (UID).
Typical Output A single line per user, showing their username, the port they used, the source IP/hostname (if any), and the timestamp of their single last login. For users who have never logged in, it will explicitly state **Never logged in**.
Key Use Cases
  • Auditing all user accounts on a system.
  • Quickly identifying dormant or unused accounts.
  • Checking if a specific user has ever accessed the system.
Example lastlog

The last Command

The last command provides a detailed, running history of user sessions. It's the go-to tool for investigating activity over a period of time.

Feature Description
Purpose To display a historical list of all login/logout sessions, as well as system reboots and shutdowns.
Data Source Reads from the binary file /var/log/wtmp. This file is appended with new session data as events occur.
Typical Output A chronological list (newest first) of every session. Each entry includes the username, terminal, source IP/hostname, start time, end time, and the session duration. It also includes special entries for system events like reboot.
Key Use Cases
  • Investigating who was logged in during a specific time frame.
  • Troubleshooting issues by correlating them with user activity or system reboots.
  • Tracking the duration of user sessions.
Example last or last <username>

Key Differences Summarized

Aspect lastlog last
Scope One entry per user account. Multiple entries per user; one for each session.
Information Reports only the most recent login. Reports a history of logins, logouts, and duration.
System Events Does not show system reboots. Shows system reboot and shutdown events.
Data File /var/log/lastlog /var/log/wtmp
Primary Question "Who has logged in, and when was their last time?" "What has been happening on this system over time?"

In short, use lastlog for a broad overview of all accounts and last for a detailed forensic history of system access.