Using `last` and `socat` for Fast, Secure Login Session Streaming

The server froze, and the deploy window slammed shut. Seconds mattered, but the system logs showed nothing. You ran last to check who had logged in. You piped it into socat to push the data across to a remote box. The fix worked, but it left a bigger question: how do you use last and socat together with precision, speed, and safety?

last is the simplest way to see every login session recorded on your Linux system. It reads from /var/log/wtmp and shows who logged in, from where, and for how long. You can spot patterns, filter by date, or watch for suspicious entries. With no options, it lists everything in reverse chronological order.

socat is the Swiss Army knife for data transfer over sockets. It moves bytes between two addresses—files, pipes, network sockets, UNIX sockets. It supports SSL, IPv6, UDP, TCP. If netcat is a pocket tool, socat is the full workbench. In the same breath, it can send output from last over TCP to a remote host, capture a real-time stream of login data, or feed it into monitoring pipelines without touching disk.

To combine them, you might run:

```shell
last | socat - TCP:192.168.1.50:9000
```

This takes the current output of last and sends it straight to another machine on port 9000 over plain, unencrypted TCP. No extra hops, no temp files. If you want continuous monitoring, wrap last in watch, or use lastlog for a snapshot of all accounts and chain it through socat. Add TLS options to socat for encrypted transmission. Use grep filters before the pipe to cut noise.

Common use cases:

  • Centralizing login logs across a cluster
  • Streaming auth events to a SIEM in real time
  • Quick remote analysis without setting up heavier log shipping tools
  • Testing security incident response paths using real data from last

Security matters. By default, last output includes hostnames or IPs. Over public networks, always use socat with openssl: addresses or a trusted VPN. Keep an audit of who can invoke these commands on production machines.
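
The filtering and TLS advice above, as an added example that is not part of the original post: it strips non-session lines from last output, tags each record with the source host, and ships it through a socat OPENSSL: address with certificate verification on both ends. The function names, the script name ship-last.sh, and the certificate and log paths are assumptions; the collector address reuses the one from the command above.

```shell
#!/bin/sh
# Added example: filter `last` output, then ship it over mutually
# authenticated TLS. All paths below are placeholders (assumptions).
COLLECTOR="${COLLECTOR:-192.168.1.50:9000}"
CERT="${CERT:-/etc/socat/client.pem}"   # client certificate + key in one PEM
CAFILE="${CAFILE:-/etc/socat/ca.crt}"   # CA that signed the collector's cert

# Read `last` output on stdin. Drop reboot/shutdown pseudo-entries, blank
# lines and the "wtmp begins" trailer, then prefix each record with the
# source host name so the collector can tell cluster members apart.
filter_sessions() {
    awk -v host="$1" '
        NF == 0                            { next }
        $1 == "reboot" || $1 == "shutdown" { next }
        $1 == "wtmp" && $2 == "begins"     { next }
        { print host " " $0 }'
}

# Send stdin to the collector. verify=1 makes socat reject a peer whose
# certificate does not chain to $CAFILE; -u keeps the transfer one-way.
ship() {
    socat -u - "OPENSSL:${COLLECTOR},cert=${CERT},cafile=${CAFILE},verify=1"
}

# Collector side (run on the remote box); verify=1 here requires a valid
# client certificate before any data is accepted:
#   socat -u OPENSSL-LISTEN:9000,reuseaddr,fork,cert=server.pem,cafile=ca.crt,verify=1 \
#         OPEN:/var/log/central-last.log,creat,append

# Ship only when invoked as: ./ship-last.sh send
if [ "${1:-}" = "send" ]; then
    last -i -F | filter_sessions "$(hostname)" | ship
fi
```

With verify=1 on both sides, a sender without a certificate signed by the shared CA cannot write to the collector, and the sender refuses a collector it cannot authenticate.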

When the clock is ticking and systems are on edge, nothing beats a toolchain that’s fast to compose and safe to run. The last and socat pairing is pure signal: minimal moving parts, maximal control over where your session data goes and how it gets there.
