Quickly Find Out The Details Of Executed Commands In Linux With lastcomm

The history command in Linux is useful for recalling previously used commands. It won't, however, show details such as when a command was run and by whom.

For that, a useful command is lastcomm. It is part of acct, the GNU accounting utilities package, which is essentially for user and system management. This example uses Linux Mint, but acct can be installed and used on other Linux distributions too.

So first install it from the Terminal by typing:

sudo apt install acct

Once installed, first enable the accounting service:

sudo accton on

Then run lastcomm. On its own, lastcomm shows a long list of all the commands executed by various users (including system users), with the most recent ones at the top. The first column shows the command, the next shows the user who executed it, followed by the terminal session and the time at which the command was finished. The last column shows the timestamp.

Also, certain commands will have the letters S, F, X, C or D next to them. S means the command was executed by the superuser, while F means the command was executed through a fork (i.e., through a new process). X indicates that the command was terminated with SIGTERM, while D signifies that a core file was generated when the command was terminated. C is for compatibility mode.

The long output from lastcomm can, however, be filtered to get the details of specific commands, from specific users and from particular terminal sessions.

Filter using command name:

To find out whether a particular command was ever used before, and when:

lastcomm --command nameofthecommand

Example: To know if the rm command was used before:

lastcomm --command rm

Example: To know when the shutdown command was last used:

[Screenshot: finding when shutdown was used in Linux Mint using lastcomm command]

This will show the details of that executed command along with the users who ran it and the timestamp.

Filter based on specific users:

The lastcomm command can also be used to filter based on specific users. This is useful when you need to know various commands run only by a particular user.

The syntax for that is:

lastcomm --user username

This will show all the commands run by that specific user, with the most recent commands at the top. Also, if a command was run with root privileges (sudo), lastcomm will display it as run by root.

You can also use grep to filter the earlier output so that it shows only commands from specific users when using the --command parameter.

[Screenshot: using grep to filter lastcomm output in Linux Mint]

Filter based on terminal:

Other than that, lastcomm also supports filtering command details through virtual terminals. So, if there are various active terminal sessions and you need to know what commands are being run from a specific terminal, the syntax is:

lastcomm --tty terminalname
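
The filters above select by command, user or terminal. As an added example (not from the original article), the shell functions below post-process lastcomm output by the flag letters described earlier. The sample lines are constructed, and the column layout and the function names are assumptions of this example.

```shell
#!/bin/sh
# SAMPLE is constructed for illustration; it is not output from a real host.
SAMPLE='rm                     alice    pts/0      0.00 secs Mon Mar  4 10:15
apt              S     root     pts/0      1.42 secs Mon Mar  4 10:14
bash              F    alice    pts/1      0.00 secs Mon Mar  4 10:12
sleep                X bob      pts/2      0.00 secs Mon Mar  4 10:11
python3          S  D  root     __         0.31 secs Mon Mar  4 10:09
cron             SF    root     __         0.00 secs Mon Mar  4 10:05'

# parse_lastcomm: read lastcomm output on stdin, print "user|tty|command|flags".
# The flag column may be empty or split by spaces, so fields are located
# relative to the literal "secs" token rather than by fixed position.
# Assumption: command names contain no whitespace.
parse_lastcomm() {
    awk '{
        s = 0
        for (i = 5; i <= NF; i++) if ($i == "secs") { s = i; break }
        if (!s) next                          # not a record line
        flags = ""
        for (i = 2; i <= s - 4; i++) flags = flags $i
        if (flags == "") flags = "-"
        print $(s - 3) "|" $(s - 2) "|" $1 "|" flags
    }'
}

# with_flag LETTER: records whose flags contain LETTER (S, F, C, D or X).
with_flag() {
    parse_lastcomm | awk -F'|' -v f="$1" 'index($4, f) { print $1, $3, $4 }'
}

# abnormal_exits: records flagged X (SIGTERM) or D (core file generated).
abnormal_exits() {
    parse_lastcomm | awk -F'|' '$4 ~ /[XD]/ { print $1, $3, $4 }'
}

# count_by_user: number of records per user, busiest first, as "user=count".
count_by_user() {
    parse_lastcomm | cut -d'|' -f1 | sort | uniq -c |
        sort -k1,1nr -k2 | awk '{ print $2 "=" $1 }'
}

# Demo on the constructed sample; on a host with accounting enabled,
# pipe real output instead: lastcomm | with_flag S
printf '%s\n' "$SAMPLE" | with_flag S
printf '%s\n' "$SAMPLE" | abnormal_exits
printf '%s\n' "$SAMPLE" | count_by_user
```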

Finally, there is always the man command to know more about lastcomm:

man lastcomm

This is a useful command for user management.

All done.
