lastcomm is a command-line tool that shows a listing of the last commands executed on a Linux system. It is a part of the acct package and it reads the binary file that contains the list of executed commands, usually located at /var/log/pacct or /var/account/pacct.
The lastcomm command provides a list of all the executed commands on the system, including the date and time of the command, the username of the user who ran the command, and the command that was executed. The output can be useful for auditing and troubleshooting purposes, as it can help identify what commands have been executed, when, and by whom.
By default, the lastcomm command will show the most recent executed commands. You can also specify a time range or a specific username to filter the output. By using the -f option, you can specify a different location of the pacct file. It’s worth noting that the pacct file only keeps track of executed commands if process accounting is enabled on the system. To enable process accounting you should use the command accton.
lastcomm Command Examples
1. Print information about all the commands in the acct record file:
# lastcomm
2. Display commands executed by a given user:
# lastcomm --user user
3. Display information about a given command executed on the system:
# lastcomm --command command
4. Display information about commands executed on a given terminal:
# lastcomm --tty terminal_name
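An added example, not part of the original page: a Python filter for lastcomm output that groups, per user, commands carrying the S flag under a non-root account or the D/X flags (abnormal termination). The flag letters are those documented in lastcomm(1); the sample lines, the whitespace-splitting heuristic and the function names are assumptions made for this example.

```python
import sys
from collections import defaultdict

# Flag letters as documented in lastcomm(1).
FLAGS = {"S": "superuser privileges", "F": "fork without exec",
         "C": "PDP-11 compatibility", "D": "core dump", "X": "killed by signal"}

# Constructed sample in the shape lastcomm prints; not real accounting data.
SAMPLE = """\
sshd              SF   root     __         0.00 secs Tue Mar  4 10:02
bash                   alice    pts/0      0.01 secs Tue Mar  4 10:03
passwd            S    alice    pts/0      0.00 secs Tue Mar  4 10:05
python3            X   bob      pts/1      1.20 secs Tue Mar  4 10:07
ls                     bob      pts/1      0.00 secs Tue Mar  4 10:08
"""

def parse_line(line):
    """Return one lastcomm line as a dict, or None if it is not a record."""
    tok = line.split()
    if "secs" not in tok:
        return None
    i = tok.index("secs")          # fields are located relative to "secs"
    if i < 4:                      # need command, user, tty, cpu before it
        return None
    head = tok[:i - 3]             # command name, then an optional flags token
    flags = ""
    if len(head) > 1 and set(head[-1]) <= set(FLAGS):
        flags = head.pop()         # flags column is blank when no flag is set
    return {"command": " ".join(head), "flags": flags, "user": tok[i - 3],
            "tty": tok[i - 2], "cpu": float(tok[i - 1]),
            "start": " ".join(tok[i + 1:])}

def triage(text):
    """Group records worth a second look by user: S under a non-root
    account, or abnormal termination (D or X)."""
    hits = defaultdict(list)
    for rec in filter(None, map(parse_line, text.splitlines())):
        privileged = "S" in rec["flags"] and rec["user"] != "root"
        abnormal = bool(set(rec["flags"]) & {"D", "X"})
        if privileged or abnormal:
            hits[rec["user"]].append((rec["command"], rec["flags"]))
    return dict(hits)

if __name__ == "__main__":
    # Use piped lastcomm output if present, else the constructed sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for user, cmds in sorted(triage(text).items()):
        for command, flags in cmds:
            why = ", ".join(FLAGS[f] for f in flags)
            print(f"{user:10} {command:16} {flags:5} {why}")
```

Saved under a file name of your choice, the script reads lastcomm output piped to its standard input and falls back to the constructed sample when run on its own.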
In summary, lastcomm is a useful command-line tool for system administrators and security administrators who need to monitor executed commands on a Linux system. It can help identify potential security breaches and take appropriate action, as well as troubleshoot issues that may arise by checking the commands executed and their output.