Every time you log in to your Linux® system, a log entry is made.  It is important for security, what if you logged in while you were asleep?  Either you were sleep typing or someone got your password.  Either way, that’s important information.  Lucky for us, Linux® logs this and there’s an easy way to see when you logged in.  That command is last.

If someone does log in and pretend to be you, then that person who isn’t you wants you not to know that you logged in when you didn’t actually log in.

Wait, let me try that again.

If the bad guy logs into the system, he wants to hide from you that he logged in.

Ultron went traipsing around the Internet and he didn’t care if anyone knew what he was up to.

Ultron up to no good

Other bad guys do care so their first attempt is to remove these messages.

Linux® tries to make this hard.  Most log files are straight boring plain text.  That means you can look at them and even edit them and no one will know the difference.

The file that last reads from isn’t like that. It’s a binary file, which means that you an’t edit it at all without mucking things up.

The output of the command looks like this:

computerlamp    pts/2        console Thu Mar 15 20:53   still logged in
computerlamp    pts/2        console Wed Mar 14 20:52 - 20:53  (00:00)
computerlamp    pts/2        console Fri Mar  9 21:24 - 21:34  (00:10)
computerlamp    pts/1        console Sat Feb 24 15:56 - 17:13  (01:17)
computerlamp    pts/0        console Fri Feb 23 14:30 - 15:47  (01:17)
reboot   system boot         console Fri Feb 23 13:59         (20+05:53)
computerlamp    pts/2        console Wed Feb 21 20:06 - 20:16  (00:09)

It shows you when I logged into the system, when I logged out, it shows you that there was a reboot of the system as well.  If I looked over this and said ‘now wait a minute, I was out of town February 23, what happened there?’ then I would be investigating a possible break in of my system.