Linux-Unix operating systems  is logged system activities some one place  by default logs located un /var/log directory. This post describe about how to get know last logged and log out, shutdown time, system reboot time from the logs. This information stored in wtmp and btmp file.

The wtmp file records all logins and logouts. wtmp is a binary file don't save to any other timestamp for events.

last command is help us to get log details from that files, For example the following command able to view different details,

# last -f /var/log/wtmp


root     pts/0        192.168.1.100     Thu Feb 19 22:39   still logged in

root     pts/0        192.168.1.100     Thu Feb 19 22:01 - 22:02  (00:00)

root     pts/0        192.168.1.100     Thu Feb 19 21:59 - 22:01  (00:02)

To view specific user,
# last -f /var/log/wtmp root


root     pts/0        192.168.1.100     Thu Feb 19 22:39   still logged in

root     pts/0        192.168.1.100     Thu Feb 19 22:01 - 22:02  (00:00)

root     pts/0        192.168.1.100     Thu Feb 19 21:59 - 22:01  (00:02)
# last


root     pts/0        192.168.1.100     Thu Feb 19 22:39   still logged in

root     pts/0        192.168.1.100     Thu Feb 19 22:01 - 22:02  (00:00)

root     pts/0        192.168.1.100     Thu Feb 19 21:59 - 22:01  (00:02)

root     pts/0        192.168.1.100     Thu Feb 19 21:57 - 21:59  (00:01)
# last linuxfaq


linuxfaq pts/2        192.168.1.100     Thu Feb 19 15:50   still logged in

linuxfaq pts/1        192.168.1.100     Thu Feb 19 14:52 - 15:57  (01:05)

linuxfaq pts/1        192.168.1.100     Thu Feb 19 14:47 - 14:50  (00:02)

linuxfaq pts/2        192.168.1.100     Thu Feb 19 12:41 - 13:00  (00:18)
# last | more

# last | less

The following commands view system reboot time,
 
# last reboot


reboot   system boot  2.6.32-71.29.1.e Sun Aug 24 03:30 - 17:17 (179+13:46)

reboot   system boot  2.6.32-71.29.1.e Wed Mar 19 18:58 - 22:45 (157+03:46)

reboot   system boot  2.6.32-71.29.1.e Mon Feb 17 13:18 - 18:57 (30+05:39)

reboot   system boot  2.6.32-71.29.1.e Thu Feb  6 16:33 - 18:57 (41+02:24)



wtmp begins Thu Feb  6 16:33:01 2014

or
# last -R | grep reboot


reboot   system boot  Sun Aug 24 03:30 - 17:19 (179+13:48)

reboot   system boot  Wed Mar 19 18:58 - 22:45 (157+03:46)

reboot   system boot  Mon Feb 17 13:18 - 18:57 (30+05:39)

reboot   system boot  Thu Feb  6 16:33 - 18:57 (41+02:24)

wtmp begins Thu Feb  6 16:33:01 2014

The following command view system reboot time,
 
# last -x shutdown


shutdown system down  2.6.32-71.29.1.e Sat Aug 23 22:45 - 03:30  (04:45)

shutdown system down  2.6.32-71.29.1.e Wed Mar 19 18:57 - 18:58  (00:00)



wtmp begins Thu Feb  6 16:33:01 2014