lastcomm Command Monitor User Activity Previously Executed Commands

Lastcomm command is used to monitor user activity on Linux. What does it mean.? Everything in Linux which done by running commands so using lastcomm command monitor user activity previously executed commands.

Personally we used this utility in my organization to find. A few times users run some commands which is dangerous to the environment  after running they will not accept, we have to find the proof to say they run. In this article we are going to see how to do user activity monitoring.


lastcomm [Command Name]
lastcomm [User Name]
lastcomm [Terminal]

How to install psacct in RHEL / Centos and Ubuntu

# yum install psacct -y
# sudo apt-get install acct

Lastcomm Command Monitor User Activity Previously Executed Commands

By default psacct service status will be on stopped status, we have to start service so that user activity can be monitored

# systemctl status psacct
# systemctl enable psacct
# systemctl start psacct
psacct service status

psacct service status

[root@ArkitServer ~]# lastcomm

lastcomm command without any arguments will give all the commands which run on system. 

How to understand command output

For each entry the following information is printed:

  • Command name of the process
  • Flags, as recorded by the system accounting routines:
  • S – Command executed by super-user
  • F – Command executed after a fork but without a following exec
  • C – Command run in PDP-11 compatibility mode
  • D – Command terminated with the generation of a core file
  • X – Command was terminated with the signal SIGTERM
  • The name of the user who ran the process
  • Time the process started
lastcomm command output

lastcomm command output


To Fetch the details by user name lastcomm command and provide user name will automatically gives only commands which are run by particular user

# lastcomm arkit
lastcomm username

lastcomm username

Know particular command in detailed when it run and run by whom, run terminal details and its duration

# lastcomm ls
lastcomm command

lastcomm command


Commands / User run commands from particular terminal can also be identified using below

# lastcomm pts/0
lastcomm terminal

lastcomm terminal

Combining all together, in single command also works with lastcomm command. Simple way to get required details

# lastcomm pts/0 arkit ls

Instead of getting the data from direct console output simple look out from file using below command options

# lastcomm -f /var/log/lastlog
# lacomm -f /var/log/lastlog arkit

That’s it about lastcomm command monitor user activity previously executed commands by users. wiki

Related Articles

AIX Commonly used commands

Add user without using useradd command in Linux

Thanks for your wonderful Support and Encouragement


Ravi Kumar Ankam

My Name is ARK. Expert in grasping any new technology, Interested in Sharing the knowledge. Learn more & Earn More

Leave a Reply

Your email address will not be published. Required fields are marked *