Linux / Unix: lastcomm Command Examples

Author: Last updated: January 28, 2014 1 comment

I am a new Linux and Unix system user. How do I find previously executed commands by my users on Linux or Unix-like operating systems?

You need to use lastcomm command to display information about previously executed commands on Linux or Unix based systems.[donotprint]

lastcomm command details
DescriptionShow last commands executed
CategoryN/A
DifficultyEasy
Root privilegesYes
Estimated completion time5m
Contents
[/donotprint] You need to install psacct package contains several utilities for monitoring process activities, including ac, lastcomm, accton and sa.
Read from accounting from file

Purpose

lastcomm prints out information about previously executed commands.

Syntax

The basic syntax is as follows:

lastcomm [commandNameHere] lastcomm [userNameHere] lastcomm [terminalNameHere]

If no command line arguments provided, lastcomm shows information about all the commands recorded during the /var/account/pacct file’s lifetime. If called with one or more of commandNameHere, userNameHere, or terminalNameHere, only records containing those items will be displayed.

lastcomm command examples

Open the Terminal app and type the following command to show information about all previously executed commands recorded in the /var/account/pacct:
# lastcomm
# lastcomm | more
Sample outputs:

Fig.01: lastcomm in action

Understanding lastcomm output

For each line, the following information is displayed by lastcomm on Linux based system:

  1. The command name of the process.
  2. Flag as follows:
    1. S : Command executed by super-user
    2. F : Command executed after a fork but without a following exec
    3. C : Command run in PDP-11 compatibility mode (VAX only)
    4. D : Command terminated with the generation of a core file
    5. X : Command was terminated with the signal SIGTERM
  3. Command name of the process.
  4. The name of the user who ran the process.
  5. Time the process started.

Display specific commands executed on the system

To show information about commands named rsync executed:
# lastcomm rsync
Sample outputs:

rsync             S     root     __         0.03 secs Tue Jan 28 10:30
rsync             SF    root     __         0.00 secs Tue Jan 28 10:30
rsync             S     root     __         0.02 secs Tue Jan 28 10:25
rsync             SF    root     __         0.00 secs Tue Jan 28 10:25
rsync             S     root     __         0.02 secs Tue Jan 28 10:20
rsync             SF    root     __         0.00 secs Tue Jan 28 10:20
rsync             S     root     __         0.03 secs Tue Jan 28 10:15
rsync             SF    root     __         0.00 secs Tue Jan 28 10:15

Display commands executed by user

To show information about commands executed by the nixcraft user, type:
# lastcomm nixcraft
Sample outputs:

php-cgi            F    nixcraft     __        17.86 secs Tue Jan 28 08:41
php-cgi            F    nixcraft     __        17.97 secs Tue Jan 28 08:41
lighttpd           F    nixcraft     __         0.00 secs Tue Jan 28 07:09
lighttpd          S     nixcraft     pts/0      0.00 secs Tue Jan 28 07:09
php-cgi            F  X nixcraft     __         4.83 secs Tue Jan 28 06:30
php-cgi            F  X nixcraft     __         0.59 secs Tue Jan 28 07:08
php-cgi            F  X nixcraft     __        24.13 secs Tue Jan 28 06:42
lighttpd           F    nixcraft     __       116.24 secs Sun Jan 26 07:13
php-cgi            F  X nixcraft     __         0.81 secs Tue Jan 28 07:02
php-cgi               X nixcraft     __         0.06 secs Sun Jan 26 07:13
php-cgi               X nixcraft     __         0.21 secs Sun Jan 26 07:13
php-cgi            F    nixcraft     __        25.91 secs Tue Jan 28 06:36
php-cgi            F    nixcraft     __        22.05 secs Tue Jan 28 03:15

Display commands executed by user on specific terminal

To show information about commands executed on the pts/0 terminal, enter:
# lastcomm pts/0

Putting it all together

You can combine user-name, terminal and command names to display information about commands named php-cgi executed by the root user on the pts/4 terminal, enter:
# lastcomm php-cgi root pts/4
To find out which users used command ‘useradd’ and which users were logged into tty5, type:
# lastcomm useradd tty5

Read from file rather than the default accounting file

To read accounting from file /var/adm/pacct instead of the default accounting file, type:
lastcomm -f /var/adm/pacct
## user name ##
# lastcomm -f /var/adm/pacct nixcraft

## tty/1 terminal ##
lastcomm -f /var/adm/pacct tty/1

Related media

This tutorial is also available in a quick video format.

See also
  • /var/account/pacct (Linux) or /var/account/acct file.
  • lastcomm(1) Linux/Unix command man page
🐧 If you liked this page, please support my work on Patreon or with a donation.
🐧 Get the latest tutorials on SysAdmin, Linux/Unix, Open Source/DevOps topics:
UP NEXT
CategoryList of Unix and Linux commands
File Managementcat
FirewallAlpine Awall CentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Network Utilitiesdig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg jobs killall kill pidof pstree pwdx time
Searchinggrep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNAlpine CentOS 8 Debian 10 Firewall Ubuntu 20.04
1 comment… add one
  • Richard Sims Aug 12, 2015 @ 19:27

    The lastcomm output description needs work: it does not agree with reality, and claims that the command name appears twice in the report, which doesn’t make sense.

    Reply Link

Leave a Reply

Your email address will not be published. Required fields are marked *

Use HTML <pre>...</pre>, <code>...</code> and <kbd>...</kbd> for code samples.

Next FAQ:

Previous FAQ: