Quickly list each user's most recent login and spot inactive accounts. 01.04.2026 | reading time: 2 min When auditing logins, the `lastlog` command shows the most recent login time for every user on the system; it is the fastest way to spot accounts that never logged in or went quiet. See it in action Run `lastlog` to get a per-user summary, for example: ```bash lastlog Username Port From Latest root pts/0 192.0.2.10 Thu Apr 1 12:34:56 +0000 2026 alice pts/1 203.0.113.5 Mon Mar 15 09:10:11 +0000 2026 bob Never logged in serviceacct Never logged in ``` To list only accounts that never logged in run: `lastlog | grep "Never logged in"`. Practical tactics `lastlog` reads the binary file `/var/log/lastlog`, so missing entries can be a permission or file-format issue; run `sudo lastlog` if output appears incomplete, and limit checks to human users with a pipeline like `awk -F: '($3 >= 1000){print $1}' /etc/passwd | xargs -n1 lastlog` to focus on real accounts; also use `lastlog | grep "Never logged in"` to generate a quick remediation list. Other tools nearby Use `last` to see recent interactive sessions, `faillog` to inspect authentication failures and lockouts, and `who` or `w` to view current logged-in users; combine these for a fuller login-audit workflow and forensics of suspicious accounts. Wrap-up `lastlog` is a simple, low-noise command that tells a lot about account activity at a glance; learn to combine it with text filters and other login tools to build reliable audit checks, and consider deepening Linux skills for certification paths like CompTIA Linux+ or LPIC-1 with intensive exam preparation at bitsandbytes.academy. Join Bits & Bytes Academy First class LINUX exam preparation. utilities security troubleshooting
