last prints crash as logout time when there is no logout entry in the wtmp database for a user session.
The last entry in last output means that myuser logged on pts/0 at 12:02 and, when the system crashed between 14:18 and 15:03, it should still have been logged in.
Usually, in wtmp there are two entries for each user session: one for the login time and one for the logout time. When a system crashes, the second entry could be missing. So last supposes that the user was still logged on when the system crashed and prints crash as logout time.
To be more clear, those two "crash" lines are only the two sessions that were active when the system crashed around 15:00, not two system crashes.
I guess this is a three-year-old post, but I'll respond anyway, for the benefit of anyone else who happens across it in the future, like I just did recently.
From reading other posts and monitoring the output myself over a period of time, it looks like each line lists the start date and time of the session, the end time of the session (but not the end date), and the duration of the session (how long they were logged in) in a format like (days+hours:minutes).
The reboot user appears to be noted as having logged in whenever the system is started, and off when the system was rebooted or shut down, and on those lines, the "session duration" information is the length of time (days+hours:minutes) that "session" lasted, that is, how long the system was up before it was shut down.
For me, the most recent reboot entry shows the current time as the "logged off" time, and the session duration data for that entry matches the current uptime output.
So on this line:
reboot system boot 3.2.13-grsec-xxx Tue Apr 3 07:34 - 09:17 (9+01:42)
The system was started on Tuesday, April 3rd, at 7:34 am, and it was shut down 9 days and 1 hour and 42 minutes later (on April 12th), at 9:17 in the morning. (Or, this output was gathered at that time, and this is the most recent reboot entry, and "reboot" hasn't actually "logged off" yet. In which case the output will change if you run the last command again.)
Why you would have 2 entries for the reboot user, on April 3rd, that were both 9 days long, is a mystery to me; my systems don't do that.
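An added example, not part of either answer above: Python that pairs login and logout records the way the first two answers describe, reporting a login with no logout before the next boot record as crash and formatting durations as (days+hours:minutes). It assumes the 384-byte glibc record layout of Linux x86_64; the records, the date and the user otheruser are constructed, and as a simplification a crashed session is ended at the next boot record and clean shutdowns are not modelled.

```python
import struct
from datetime import datetime, timezone
# Assumed layout: one glibc wtmp record on Linux x86_64 (384 bytes).
REC = struct.Struct("<h2xi32s4s32s256shhiii4i20x")
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8

def make(ut_type, line, user, when):
    """Build one constructed record; `when` is UTC 'YYYY-mm-dd HH:MM'."""
    t = datetime.strptime(when, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)
    return REC.pack(ut_type, 0, line.encode(), b"", user.encode(), b"",
                    0, 0, 0, int(t.timestamp()), 0, 0, 0, 0, 0)

def duration(seconds):
    """Format as last does: (HH:MM), or (days+HH:MM) from one day up."""
    days, rem = divmod(seconds // 60, 1440)
    hhmm = "%02d:%02d" % divmod(rem, 60)
    return "(%d+%s)" % (days, hhmm) if days else "(%s)" % hhmm

def sessions(blob):
    """Pair login/logout per terminal; a boot record ends open ones as crash."""
    open_, out = {}, []
    for f in REC.iter_unpack(blob):
        ut_type, ts = f[0], f[9]
        line, user = (x.rstrip(b"\0").decode() for x in (f[2], f[4]))
        if ut_type == USER_PROCESS:
            open_[line] = (user, ts)
        elif ut_type == DEAD_PROCESS and line in open_:
            who, start = open_.pop(line)
            out.append((who, line, "logout", duration(ts - start)))
        elif ut_type == BOOT_TIME:  # simplification: session ends at this boot
            for tty, (who, start) in sorted(open_.items()):
                out.append((who, tty, "crash", duration(ts - start)))
            open_.clear()
    out += [(w, t, "still logged in", "") for t, (w, _) in sorted(open_.items())]
    return out

# Constructed sample; only 12:02 on pts/0 and the 15:03 boot come from the page.
SAMPLE = b"".join([
    make(BOOT_TIME, "~", "reboot", "2020-01-01 07:34"),
    make(USER_PROCESS, "pts/2", "myuser", "2020-01-01 09:00"),
    make(DEAD_PROCESS, "pts/2", "", "2020-01-01 09:30"),
    make(USER_PROCESS, "pts/0", "myuser", "2020-01-01 12:02"),
    make(USER_PROCESS, "pts/1", "otheruser", "2020-01-01 14:18"),
    make(BOOT_TIME, "~", "reboot", "2020-01-01 15:03"),
])

if __name__ == "__main__":
    for row in sessions(SAMPLE):
        print(*row)
```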
Best Answer
Without more information it's hard to say, but they pull data from different sources. It's possible that's why.
last pulls from /var/log/wtmp, which deals with more than just user logins. Virtually any change to the system-wide state is recorded there. For that reason it's an obvious candidate for logrotate.
lastlog pulls from /var/log/lastlog, which is only concerned with previous logins.
It's possible that /var/log/wtmp got rotated at some point after that user's login and that's why you're not seeing it.
To verify, you can run
last | grep "wtmp begins"
and if that date is after the login date given to you by lastlog then that's what happened and you would have to look in /var/log for the rotated copy of wtmp and specify it with -f, for example
last -f /var/log/wtmp.1 | grep IPADDRESS