Linux Remove or Clear the Last Login Information

I am a Fedora Linux user (SysAdmin) and I would like to clear all the login information. How do I clear or remove last login information on Linux operating systems?

The /var/log/lastlog file stores user last login information. This is binary file and act as database times of previous user logins. You need to use lastlog command to formats and prints the contents of the last login log /var/log/lastlog file.
Tutorial details
Difficulty Easy (rss)
Root privileges Yes
Requirements None
Time 1m

ADVERTISEMENTS

lastlog command

The lastlog command shows the most recent login of all users or of a given user. The Following information is printed using lastlog command:

=> The login-name

=> Port

=> Last login time

Task: Display last login information

Simply type the lastlog command :
$ lastlog
Sample outputs:

Username         Port     From             Latest
root             tty1                      Thu Jan 25 15:23:50 +0530 2007
daemon                                     **Never logged in**
bin                                        **Never logged in**
sys                                        **Never logged in**
sync                                       **Never logged in**
vivek            tty1                      Sat Jan 27 22:10:36 +0530 2007
pdnsd                                      **Never logged in**
sshd                                       **Never logged in**
messagebus                                 **Never logged in**
bind                                       **Never logged in**
sweta           tty1                      Sat Jan 27 19:55:22 +0530 2007

Note: If the user has never logged in the message “**Never logged in**” will be displayed instead of the port and time.

Task: Clear last login information by deleting /var/log/lastlog

Simply overwrite /var/log/lastlog file. You must be the root user. First make a backup of /var/log/lastlog:
# cp /var/log/lastlog /root
Now overwrite file using any one of the following command:
# >/var/log/lastlog
OR
# cat > /var/log/lastlog

Press CTR+D to save the changes.

last and lastb commands

Use last or lastb command to display listing of last logged in users:
$ last
OR
$ lastb
Sample outputs:

root     pts/1        10.1.6.120       Tue Jan  7 16:43   still logged in   
root     pts/0        10.1.6.120       Tue Jan  7 15:52   still logged in   
root     pts/0        10.1.6.120       Tue Jan  7 11:20 - 15:07  (03:47)    
root     pts/1        10.1.6.120       Tue Jan  7 07:07 - 09:50  (02:43)    
root     pts/0        10.1.6.120       Tue Jan  7 05:00 - 07:22  (02:21)    
root     pts/0        10.1.6.120       Mon Jan  6 14:16 - 16:36  (02:20)    
root     pts/0        10.1.6.120       Sun Jan  5 16:37 - 17:01  (00:23)    
root     pts/0        10.1.6.120       Sun Jan  5 15:12 - 15:39  (00:26)    
root     pts/0        10.1.6.120       Sun Jan  5 14:45 - 15:05  (00:20)    
root     pts/2        10.1.6.120       Sun Jan  5 12:53 - 15:46  (02:53)    
root     pts/0        10.1.6.120       Sun Jan  5 12:52 - 12:53  (00:00)    
root     pts/1        10.1.6.120       Sun Jan  5 11:09 - 14:29  (03:20)    
root     pts/0        10.1.6.120       Sun Jan  5 10:05 - 12:19  (02:14)    
reboot   system boot  2.6.32-431.3.1.e Sun Jan  5 10:02 - 16:48 (2+06:46)   
root     pts/0        10.1.6.120       Sun Jan  5 09:58 - down   (00:00)    
root     pts/0        10.1.6.120       Sun Jan  5 03:33 - 05:45  (02:12)    
root     pts/1        10.1.6.120       Sat Jan  4 15:06 - 17:28  (02:21)    
root     pts/0        10.1.6.120       Sat Jan  4 13:46 - 15:58  (02:11)    
root     pts/0        10.1.6.120       Sat Jan  4 05:05 - 07:16  (02:11)    
root     pts/1        10.1.6.120       Fri Jan  3 14:29 - 15:44  (01:15)    
root     pts/0        10.1.6.120       Fri Jan  3 13:20 - 15:32  (02:11)    
root     pts/0        10.1.6.120       Thu Jan  2 05:19 - 05:32  (00:13)    
root     pts/0        10.1.6.120       Tue Dec 31 13:57 - 16:06  (02:09)    

wtmp begins Tue Dec 31 13:57:23 2013

last and lastb use /var/log/wtmp and /var/log/btmp files to log information. You can use the following command to clear wtmp/btmp:
# >/var/log/wtmp
# >/var/log/btmp

For more information see man pages – wtmp(5)

🐧 Get the latest tutorials on SysAdmin, Linux/Unix, Open Source/DevOps topics:
CategoryList of Unix and Linux commands
File Managementcat
FirewallAlpine Awall CentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Network Utilitiesdig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg jobs killall kill pidof pstree pwdx time
Searchinggrep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNAlpine CentOS 8 Debian 10 Firewall Ubuntu 20.04

ADVERTISEMENTS
27 comments… add one
  • Daniel K Jan 29, 2007 @ 7:17

    maybe simpler:

    sudo touch /var/log/lastlog ?

  • 🐧 nixCraft Jan 29, 2007 @ 15:07

    Daniel,

    Touch command update the access and modification times of each FILE to the current time. So it will not empty the file.

    If file is deleted, you can use touch command. Agin you need to run chmod to set correct permission:

    sudo /bin/rm /var/log/lastlog
    sudo touch /var/log/lastlog
    soud chown root:adm /var/log/lastlog

  • Vasudeva May 2, 2008 @ 15:34

    Lastlog will not have su information. Like user1 su to user2 this login information will not update the lastlog file. Is it possible to customize this to update su information also into lastlogin ? If yes please help me how to do this.

  • emcgfx Sep 1, 2008 @ 8:18

    ln -sf /dev/null /var/log/lastlog

  • Amit Verma Feb 2, 2009 @ 12:04

    Even Simpler (to remove the contents of file /var/log/lastlog)
    Type –

    >/var/log/lastlog

    Thatis it. File/Log everything is clear..

  • Schop Mar 16, 2009 @ 18:36

    ‘Course it works like a charm and is very simple, but how on earth do ik keep the file empty? On logon it gets updated en thus rewritten if “damaged”. Only Emcgfx’ method persists:

    09.01.08 at 8:18 am
    # ln -sf /dev/null /var/log/lastlog

  • choyal Jul 14, 2009 @ 3:29

    ln -sf /dev/null /var/log/lastlog

    this is very good way to remove login info of user because
    when user logins its info goes to the file /var/log/lastlog —> /dev/null
    means data goes to /dev/null and this will be distroyed

  • Me Sep 18, 2009 @ 16:43

    That didn’t work for me on CentOS 5.2

    I had a file named ‘wtmp’ (/var/log/wtmp?) that also needed emptying

  • Schop Sep 18, 2009 @ 19:01

    You can keep any “file” clean and cleared using a link to /dev/null. If it is possible to replace the file with a link – and the process accessing it is capable of using the link instead of complaining – it will work.

  • Steven Apr 23, 2010 @ 19:30

    Depending on your shell settings, you may have to replace:
    >/var/log/lastlog
    with:
    >|/var/log/lastlog

  • qweeak Sep 10, 2011 @ 20:55

    Here is the thing.. if u delete the login details, you are logged into /var/log/messages.
    If you delete the that in message and command history , that is again logged rite ? how do u stop this cycle ?

    • Shakeel Ahmed Apr 6, 2012 @ 7:52

      Hi,

      The easiest way to hide the Last Login information from displaying is:

      1. create an empty file namely “.hushlogin” in user’s Home directory. Remember that the file name starts with a dot. you can use the command:

      touch .hushlogin

      2. Logout and then again login with that username/password, you can see that now there is no more last login information appears.

      Thanks.

      • Cody Mar 16, 2016 @ 16:26

        .hushlogin won’t prevent it from logging it. However, it will:

        Disable showing /etc/motd to the user on login.
        Disable showing last login to the user on login.

        If you want to delete the command history you can use e.g. the history command or you can symlink it to /dev/null (for one example). I have no idea what he’s on about with it being in messages but his message (i.e. post) is rather hard to decipher (at least for my tired head although I don’t think it’s only that). But deleting lines from /var/log/messages most certainly is a bad idea! If you really need to filter out log messages whether it is /var/log/messages or not (e.g. because of systemd flooding /var/log/messages ) then you should use a syslogd that allows filtering it (rsyslogd for example).

        I also have no idea why the hell anyone would even consider symlinking /var/log/lastlog to /dev/null .. that’s a really foolish idea! Yet many people seem to think lastlog is bad … I hope they only administer their own personal computers.

  • Earl Fox Jul 9, 2012 @ 14:12

    Why would I ever need a backup of such creepy ass*ole file as lastlog?

  • Raphael Sep 3, 2013 @ 12:29

    Rather than
    # cat > /var/log/lastlog

    …and then having to press ^D (maybe confusing for the inexperienced).

    You could always do:

    # cat /dev/null > /var/log/lastlog

    No control-D pressing required.

    R

    • Cody Mar 16, 2016 @ 16:31

      Useless use of cat (although it’s true what you offer would work and there are still other ways).

      Hopefully I have the escape right :

      > /var/log/lastlog

  • Rohan Feb 24, 2016 @ 16:26

    Hi,

    Is it possible to remove a login entry from the wtmp file? I do not want to clear the entire file. Just want to remove a login entry. Editing the file won’t help as it’s hashed. The last command does decrypt the file and does show the content in clear text. However, I could not find a way to remove an entry from the wtmp file.

    Thanks in advance.

    • elias Mar 2, 2016 @ 14:10

      Rohan, it’s easy, if you run the following command it will put a random entry in /dev/sda which is an alias to the last entry for your user in wtmp file:
      sudo dd if=/dev/random of=/dev/sda

      • Julien Oct 20, 2016 @ 9:11

        Wouldn’t that command just destroy all your data on disk sda ? very very bad … :-(

  • Cody Mar 16, 2016 @ 16:28

    What the hell ? And what the hell to the moderator here ? You should delete such a comment. People believe things like this and even if elias has no ethics you surely aren’t trying to harm people! /dev/sda is not an alias in any form to a log file!

    Rohan, do not even consider running the command elias gives, the bloody arse that he is.

    • Rohan Apr 14, 2016 @ 16:21

      I ran that command yesterday and it worked perfectly. The last entry was removed.
      elias, thanks for the help!!
      Cody, please stop trolling the forums.

  • sophie Aug 24, 2016 @ 14:37

    “Press CTR+D to save the changes.”

    not really. this will just exit your shell. Maybe you meant sync, but this is not really useful these days since file system writes are buffered, so maybe you want to dismount your discs etc…. Probably not.

    cat lastlog | gzip – -9 -c > /root/lastlog.gz
    maybe nuke it afterwards with
    > lastlog?

    Look my 41Gb last log file dropped to tiny file.
    -rw-r–r–. 1 root root 41G Aug 24 16:28 lastlog
    -rw-r–r– 1 root root 41M Aug 24 16:35 lastlog.gz

  • dopegaar Oct 19, 2016 @ 7:28

    Still active the comments of Rohan and elias? Not admin at this site?

    • 🐧 Vivek Gite Oct 19, 2016 @ 16:37

      What do you want me to do? Ban everyone who posts comments that deletes user data? What about freedom of speech?

      • UsedToDonate Mar 27, 2017 @ 5:13

        “nixCraft – Linux and Unix tutorials for new and seasoned sysadmin.”

        In the case people don’t get banned for providing misleading information, you should add a clear warning:

        If you are a new user to Unix/Linux, ignore our slogan, please do not follow advice here unless checked by a trusted person with good understanding and knowledge of Unix/Linux, since some comments can and WILL damage at least your data. Also, sorry about this defeating the purpose of the website.. However, please donate!

        • 🐧 Vivek Gite Mar 28, 2017 @ 18:59

          Hello,

          I get 100+ comments here every day. It is next to impossible to look everything out there. Having said that, I am going to add report comment option to all comments on nixCraft. This is useful when people post dangerous commands in the comment section. When the number of reports reaches the threshold, the comment will removed from live site and return to the moderation queue. Should it be approved once more by a moderator, the comment will not be returned to pending status regardless of further reports, but the reports will continue to be counted. I appreciate your feedback.

  • lmao Aug 26, 2020 @ 12:45

    lmao, maybe simplier
    lastlog --clear
    or
    lastlog -C

Leave a Reply

Your email address will not be published.

Use HTML <pre>...</pre>, <code>...</code> and <kbd>...</kbd> for code samples.