As a server administrator, you should check the last login history to identify who has logged into the system recently.
Linux is a multi-user operating system and more than one user can be logged into a system at the same time.
It keeps a good deal of useful information about user activity, such as the username, the name of the connected terminal, the source IP, and the date and time.
It also shows how long the user was logged into the system.
This helps when analyzing issues. For example, if some files were removed at a particular time, we can ask the users who were logged into the system at that time.
Alternatively, we can check this information using the aureport tool, which produces summary reports of the audit system logs.
Similarly, we can use this information for other purposes as well, such as checking whether any anonymous login attempts were made.
It also shows from which IP address a user accessed the system.
This information (last login, current login and bad login attempts) can be fetched from the following files.
The utmp and wtmp files contain login and logout records. They are binary files, so they cannot be read with a text editor.
They are located under the /var/run and /var/log directories.
- /var/run/utmp: It contains information about the users who are currently logged onto the system. The who command fetches its information from this file.
- /var/log/wtmp: It contains historical utmp data. It keeps the users' login and logout history. The last command uses this file to display the information.
- /var/log/btmp: It contains bad login attempts.
What Is last Command?
Last searches back through the file /var/log/wtmp and displays a list of all users logged in (and out) since that file was created.
What Is lastb Command?
Lastb is the same as last, except that by default it shows a log of the file /var/log/btmp, which contains all the bad login attempts.
Difference between pts and tty?
You may see pts and tty when you use the who command. Do you know what they are and how they differ?
- A tty is a native terminal device (it could be a server/system console).
- A pty (pseudo terminal device) is a terminal device emulated by another program such as PuTTY, xterm or screen; who shows these sessions as pts.
How To Check Login History In Linux Using last Command?
The last command fetches its details from the /var/log/wtmp file and displays the list of users who logged in to and out of the system.
If the file holds a lot of data, pipe the output to the less or more command to view it page by page.
# last -15
daygeek pts/0 192.168.1.6 Wed Apr 3 00:02 still logged in
reboot system boot 3.10.0-957.el7.x Tue Apr 2 23:50 - 00:03 (00:13)
daygeek pts/0 192.168.1.6 Tue Apr 2 06:02 - 06:02 (00:00)
reboot system boot 3.10.0-957.el7.x Tue Apr 2 06:00 - 00:03 (18:03)
daygeek pts/1 192.168.1.6 Sat Mar 30 10:05 - 00:18 (14:13)
daygeek pts/0 192.168.1.6 Sat Mar 30 04:14 - 11:21 (07:07)
reboot system boot 3.10.0-957.el7.x Sat Mar 30 04:03 - 00:03 (3+20:00)
ladmin pts/2 192.168.1.6 Fri Mar 29 02:19 - 04:30 (02:11)
user2 pts/2 192.168.1.6 Fri Mar 29 02:10 - 02:10 (00:00)
user1 pts/2 192.168.1.6 Fri Mar 29 02:10 - 02:10 (00:00)
user3 pts/2 192.168.1.6 Fri Mar 29 02:01 - 02:10 (00:08)
daygeek pts/1 192.168.1.6 Fri Mar 29 01:48 - crash (1+02:14)
daygeek pts/0 192.168.1.6 Fri Mar 29 01:38 - crash (1+02:24)
reboot system boot 3.10.0-957.el7.x Fri Mar 29 01:31 - 00:03 (4+22:31)
reboot system boot 3.10.0-957.el7.x Thu Mar 28 16:05 - 00:03 (5+07:58)
How To Check Login History For Particular User In Linux Using last Command?
Just add the desired user name after the last command to get the details.
# last [User_Name]
# last daygeek
daygeek pts/0 192.168.1.6 Wed Apr 3 00:02 still logged in
daygeek pts/0 192.168.1.6 Tue Apr 2 06:02 - 06:02 (00:00)
daygeek pts/1 192.168.1.6 Sat Mar 30 10:05 - 00:18 (14:13)
daygeek pts/0 192.168.1.6 Sat Mar 30 04:14 - 11:21 (07:07)
daygeek pts/1 192.168.1.6 Fri Mar 29 01:48 - crash (1+02:14)
daygeek pts/0 192.168.1.6 Fri Mar 29 01:38 - crash (1+02:24)
daygeek pts/1 daygeek-y700 Thu Mar 28 02:27 - 05:27 (03:00)
daygeek pts/0 :0 Thu Mar 28 02:26 - crash (13:39)
daygeek :0 :0 Thu Mar 28 02:26 - crash (13:39)
daygeek pts/2 192.168.1.6 Thu Mar 28 01:53 - crash (00:29)
daygeek pts/0 192.168.1.6 Thu Mar 28 00:51 - crash (01:31)
daygeek pts/1 192.168.1.6 Wed Mar 27 05:04 - crash (21:18)
daygeek pts/0 192.168.1.6 Tue Mar 26 21:45 - 00:51 (1+03:05)
daygeek pts/0 192.168.1.6 Tue Mar 19 02:59 - crash (7+18:36)
daygeek pts/1 192.168.1.6 Tue Mar 19 02:37 - crash (7+18:58)
daygeek pts/0 192.168.1.6 Tue Mar 19 02:36 - 02:45 (00:09)
daygeek pts/1 192.168.1.6 Mon Mar 18 16:21 - 16:22 (00:00)
How To Check Login History For Particular Period In Linux Using last Command?
If you would like to check who was logged into the system during a particular period, use the following format.
# last -F | grep -E 'Mar ([ 1-9]|1[0-9]|2[0-9]|30)' | grep 2019
daygeek pts/0 192.168.1.6 Sat Mar 30 04:14:54 2019 - Sat Mar 30 11:21:57 2019 (07:07)
reboot system boot 3.10.0-957.el7.x Sat Mar 30 04:03:20 2019 - Wed Apr 3 00:09:13 2019 (3+20:05)
ladmin pts/2 192.168.1.6 Fri Mar 29 02:19:13 2019 - Fri Mar 29 04:30:25 2019 (02:11)
user2 pts/2 192.168.1.6 Fri Mar 29 02:10:38 2019 - Fri Mar 29 02:10:50 2019 (00:00)
user1 pts/2 192.168.1.6 Fri Mar 29 02:10:22 2019 - Fri Mar 29 02:10:30 2019 (00:00)
user3 pts/2 192.168.1.6 Fri Mar 29 02:01:13 2019 - Fri Mar 29 02:10:01 2019 (00:08)
daygeek pts/1 192.168.1.6 Fri Mar 29 01:48:21 2019 - crash (1+02:14)
root pts/0 192.168.1.3 Tue Mar 19 02:49:09 2019 - Tue Mar 19 02:50:25 2019 (00:01)
daygeek pts/0 192.168.1.6 Tue Mar 19 02:36:14 2019 - Tue Mar 19 02:45:25 2019 (00:09)
reboot system boot 3.10.0-957.el7.x Tue Mar 19 02:33:54 2019 - Wed Apr 3 00:09:13 2019 (14+21:35)
user2 pts/2 192.168.1.6 Mon Mar 18 16:03:13 2019 - Mon Mar 18 18:29:45 2019 (02:26)
daygeek pts/1 192.168.1.6 Mon Mar 18 15:59:52 2019 - Mon Mar 18 16:19:51 2019 (00:19)
reboot system boot 3.10.0-957.el7.x Mon Mar 18 15:52:47 2019 - Mon Mar 18 18:29:46 2019 (02:36)
user2 pts/0 192.168.1.6 Sun Mar 17 07:30:29 2019 - crash (1+08:22)
user1 pts/0 192.168.1.6 Sun Mar 17 07:09:30 2019 - Sun Mar 17 07:21:51 2019 (00:12)
root pts/0 192.168.1.6 Fri Mar 15 16:32:43 2019 - Fri Mar 15 16:33:54 2019 (00:01)
user2 pts/0 192.168.1.6 Fri Mar 15 16:08:23 2019 - Fri Mar 15 16:08:24 2019 (00:00)
root pts/0 192.168.1.6 Fri Mar 15 01:45:10 2019 - down (00:01)
reboot system boot 3.10.0-957.el7.x Fri Mar 15 01:42:46 2019 - Fri Mar 15 01:46:37 2019 (00:03)
root pts/1 192.168.1.6 Sun Mar 10 10:17:51 2019 - Sun Mar 10 10:17:53 2019 (00:00)
reboot system boot 3.10.0-957.el7.x Sun Mar 10 03:28:14 2019 - Fri Mar 15 01:46:37 2019 (4+22:18)
daygeek pts/0 192.168.1.6 Wed Mar 6 08:03:29 2019 - crash (3+18:24)
reboot system boot 3.10.0-957.el7.x Wed Mar 6 07:57:47 2019 - Fri Mar 15 01:46:37 2019 (8+16:48)
daygeek pts/2 192.168.1.6 Mon Mar 4 08:40:14 2019 - Mon Mar 4 08:40:17 2019 (00:00)
daygeek :0 :0 Mon Mar 4 06:02:41 2019 - crash (2+01:55)
For a particular user, use the following format.
# last -F root | grep -E 'Mar ([ 1-9]|1[0-9]|2[0-9]|30)' | grep 2019
root pts/0 192.168.1.3 Tue Mar 19 02:49:09 2019 - Tue Mar 19 02:50:25 2019 (00:01)
root pts/0 192.168.1.6 Tue Mar 19 02:45:46 2019 - Tue Mar 19 02:46:09 2019 (00:00)
root pts/1 192.168.1.3 Mon Mar 18 18:29:18 2019 - Mon Mar 18 18:29:25 2019 (00:00)
root pts/1 192.168.1.3 Mon Mar 18 18:21:34 2019 - Mon Mar 18 18:27:47 2019 (00:06)
root pts/1 192.168.1.3 Mon Mar 18 18:19:09 2019 - Mon Mar 18 18:21:24 2019 (00:02)
root pts/1 192.168.1.3 Mon Mar 18 16:28:46 2019 - Mon Mar 18 16:28:48 2019 (00:00)
root pts/1 192.168.1.3 Mon Mar 18 16:23:54 2019 - Mon Mar 18 16:24:15 2019 (00:00)
root pts/1 192.168.1.3 Mon Mar 18 16:22:53 2019 - Mon Mar 18 16:23:06 2019 (00:00)
root pts/3 192.168.1.7 Mon Mar 18 16:21:38 2019 - Mon Mar 18 16:21:40 2019 (00:00)
root pts/1 192.168.1.6 Mon Mar 18 16:20:07 2019 - Mon Mar 18 16:20:30 2019 (00:00)
root pts/0 192.168.1.6 Fri Mar 15 16:32:43 2019 - Fri Mar 15 16:33:54 2019 (00:01)
root pts/0 192.168.1.6 Fri Mar 15 01:47:12 2019 - crash (13:33)
root pts/0 192.168.1.6 Fri Mar 15 01:45:10 2019 - down (00:01)
root pts/1 192.168.1.6 Sun Mar 10 10:17:51 2019 - Sun Mar 10 10:17:53 2019 (00:00)
root pts/1 192.168.1.6 Sun Mar 10 10:16:08 2019 - Sun Mar 10 10:16:11 2019 (00:00)
root pts/1 192.168.1.6 Sun Mar 10 10:15:18 2019 - Sun Mar 10 10:15:42 2019 (00:00)
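The file-removal scenario described at the top of the page needs an overlap test (who was logged in at a given moment) rather than a date grep. The following added example, which is not part of the original article, reads last -F output and prints the sessions open at that instant; the function names sessions_at and sample_last are assumptions, and the sample rows are copied from the output above.

```sh
# Added example, not from the article: read `last -F` output (without -x) on
# stdin and print the sessions that were open at the given local time.
sessions_at() {    # usage: last -F | sessions_at "2019-03-29 02:05:00"
    awk -v at="$1" '
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", n, " ")
        for (i = 1; i <= 12; i++) mon[n[i]] = i
        W = "^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$"
        split(at, a, /[^0-9]+/)
        T = secs(a[1], a[2], a[3], a[4], a[5], a[6])
    }
    # Seconds on a Gregorian day count; only differences are used.
    function secs(y, mo, d, hh, mi, ss,    days) {
        if (mo <= 2) { y--; mo += 12 }
        days = 365*y + int(y/4) - int(y/100) + int(y/400) + int((153*(mo-3)+2)/5) + d
        return days*86400 + hh*3600 + mi*60 + ss
    }
    # Timestamp "Mon DD hh:mm:ss YYYY" whose month name is field p.
    function stamp(p,    t) {
        split($(p+2), t, ":")
        return secs($(p+3), mon[$p], $(p+1), t[1], t[2], t[3])
    }
    $1 == "reboot" || $2 == "begins" { next }    # boot records, file trailer
    {
        for (p = 3; p <= NF - 4; p++)             # host column may be empty
            if ($p ~ W && $(p+4) ~ /^[0-9][0-9][0-9][0-9]$/) break
        if (p > NF - 4) next
        start = stamp(p + 1); how = $(p+6)
        if ($(p+5) == "still") { end = T; how = "still-logged-in" }
        else if (how ~ W)      { end = stamp(p + 7); how = "logout" }
        else {    # crash/down: no logout record, use the (days+hh:mm) duration
            dur = $NF; gsub(/[()]/, "", dur); k = split(dur, x, /[+:]/)
            if (k < 3) { x[3] = x[2]; x[2] = x[1]; x[1] = 0 }
            end = start + x[1]*86400 + x[2]*3600 + x[3]*60 + 59
        }
        if (start <= T && T <= end) print $1, $2, how
    }'
}
# Sample rows copied from the `last -F` output shown in the article.
sample_last() {
    cat <<'EOF'
daygeek pts/0 192.168.1.6 Sat Mar 30 04:14:54 2019 - Sat Mar 30 11:21:57 2019 (07:07)
user3 pts/2 192.168.1.6 Fri Mar 29 02:01:13 2019 - Fri Mar 29 02:10:01 2019 (00:08)
daygeek pts/1 192.168.1.6 Fri Mar 29 01:48:21 2019 - crash (1+02:14)
root pts/0 192.168.1.6 Fri Mar 15 01:45:10 2019 - down (00:01)
reboot system boot 3.10.0-957.el7.x Fri Mar 15 01:42:46 2019 - Fri Mar 15 01:46:37 2019 (00:03)
EOF
}
sample_last | sessions_at "2019-03-29 02:05:00"
```

For crash and down rows the end time is derived from the duration column, which last rounds down to the minute, so the last minute of such a session is treated as still open.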
How To Check Login History Based On Terminal Connected In Linux Using last Command?
To list the logins made on a particular terminal, use the following format.
# last pts/2
ladmin pts/2 192.168.1.6 Fri Mar 29 02:19 - 04:30 (02:11)
user2 pts/2 192.168.1.6 Fri Mar 29 02:10 - 02:10 (00:00)
user1 pts/2 192.168.1.6 Fri Mar 29 02:10 - 02:10 (00:00)
user3 pts/2 192.168.1.6 Fri Mar 29 02:01 - 02:10 (00:08)
daygeek pts/2 192.168.1.6 Thu Mar 28 01:53 - crash (00:29)
user2 pts/2 192.168.1.6 Mon Mar 18 16:03 - 18:29 (02:26)
daygeek pts/2 192.168.1.6 Mon Mar 4 08:40 - 08:40 (00:00)
How To Check Bad Login History In Linux Using lastb Command?
lastb is the same as last, but it prints the bad login attempts. Since the log had been archived to a different file, I picked the corresponding file to check the details.
# lastb
# lastb -f /var/log/btmp-20190402
user1 ssh:notty 192.168.1.6 Fri Mar 29 02:17 - 02:17 (00:00)
ladmin ssh:notty 192.168.1.6 Fri Mar 29 02:12 - 02:12 (00:00)
user2 ssh:notty 192.168.1.6 Fri Mar 29 02:00 - 02:00 (00:00)
user1 ssh:notty 192.168.1.6 Fri Mar 29 01:53 - 01:53 (00:00)
daygeek :0 :0 Thu Mar 28 02:26 - 02:26 (00:00)
root ssh:notty 192.168.1.3 Tue Mar 19 02:50 - 02:50 (00:00)
daygeekk ssh:notty 192.168.1.6 Tue Mar 19 02:37 - 02:37 (00:00)
daygeekk ssh:notty 192.168.1.6 Tue Mar 19 02:37 - 02:37 (00:00)
daygeekk ssh:notty 192.168.1.6 Tue Mar 19 02:36 - 02:36 (00:00)
root ssh:notty 192.168.1.3 Mon Mar 18 18:15 - 18:15 (00:00)
root ssh:notty 192.168.1.3 Mon Mar 18 18:14 - 18:14 (00:00)
root ssh:notty 192.168.1.3 Mon Mar 18 18:09 - 18:09 (00:00)
root ssh:notty 192.168.1.3 Mon Mar 18 18:05 - 18:05 (00:00)
user1 ssh:notty 192.168.1.3 Mon Mar 18 16:31 - 16:31 (00:00)
user1 ssh:notty 192.168.1.3 Mon Mar 18 16:30 - 16:30 (00:00)
user1 ssh:notty 192.168.1.3 Mon Mar 18 16:30 - 16:30 (00:00)
root ssh:notty 192.168.1.3 Mon Mar 18 16:29 - 16:29 (00:00)
root ssh:notty 192.168.1.3 Mon Mar 18 16:25 - 16:25 (00:00)
root ssh:notty 192.168.1.3 Mon Mar 18 16:25 - 16:25 (00:00)
root pts/1 Mon Mar 18 16:00 - 16:00 (00:00)
user2 ssh:notty 192.168.1.6 Sun Mar 17 07:22 - 07:22 (00:00)
root ssh:notty 192.168.1.6 Sun Mar 10 10:15 - 10:15 (00:00)
btmp-20190402 begins Sun Mar 10 10:15:14 2019
Run the following format to display hostnames in the last column.
# last -10 -a
daygeek pts/0 Wed Apr 3 00:02 still logged in 192.168.1.6
reboot system boot Tue Apr 2 23:50 - 00:28 (00:38) 3.10.0-957.el7.x86_64
daygeek pts/0 Tue Apr 2 06:02 - 06:02 (00:00) 192.168.1.6
reboot system boot Tue Apr 2 06:00 - 00:28 (18:28) 3.10.0-957.el7.x86_64
daygeek pts/1 Sat Mar 30 10:05 - 00:18 (14:13) 192.168.1.6
daygeek pts/0 Sat Mar 30 04:14 - 11:21 (07:07) 192.168.1.6
reboot system boot Sat Mar 30 04:03 - 00:28 (3+20:25) 3.10.0-957.el7.x86_64
ladmin pts/2 Fri Mar 29 02:19 - 04:30 (02:11) 192.168.1.6
user2 pts/2 Fri Mar 29 02:10 - 02:10 (00:00) 192.168.1.6
user1 pts/2 Fri Mar 29 02:10 - 02:10 (00:00) 192.168.1.6
wtmp begins Fri Feb 15 16:03:13 2019
Run the following format to suppress the hostname field.
# last -10 -R
daygeek pts/0 Wed Apr 3 00:02 still logged in
reboot system boot Tue Apr 2 23:50 - 00:29 (00:38)
daygeek pts/0 Tue Apr 2 06:02 - 06:02 (00:00)
reboot system boot Tue Apr 2 06:00 - 00:29 (18:29)
daygeek pts/1 Sat Mar 30 10:05 - 00:18 (14:13)
daygeek pts/0 Sat Mar 30 04:14 - 11:21 (07:07)
reboot system boot Sat Mar 30 04:03 - 00:29 (3+20:25)
ladmin pts/2 Fri Mar 29 02:19 - 04:30 (02:11)
user2 pts/2 Fri Mar 29 02:10 - 02:10 (00:00)
user1 pts/2 Fri Mar 29 02:10 - 02:10 (00:00)
wtmp begins Fri Feb 15 16:03:13 2019
Run the following format to display system shutdown entries and run level changes.
# last -10 -x
daygeek pts/0 192.168.1.6 Wed Apr 3 00:02 still logged in
runlevel (to lvl 5) 3.10.0-957.el7.x Tue Apr 2 23:52 - 00:30 (00:37)
reboot system boot 3.10.0-957.el7.x Tue Apr 2 23:50 - 00:30 (00:40)
daygeek pts/0 192.168.1.6 Tue Apr 2 06:02 - 06:02 (00:00)
runlevel (to lvl 5) 3.10.0-957.el7.x Tue Apr 2 06:00 - 23:52 (17:52)
reboot system boot 3.10.0-957.el7.x Tue Apr 2 06:00 - 00:30 (18:30)
daygeek pts/1 192.168.1.6 Sat Mar 30 10:05 - 00:18 (14:13)
daygeek pts/0 192.168.1.6 Sat Mar 30 04:14 - 11:21 (07:07)
runlevel (to lvl 5) 3.10.0-957.el7.x Sat Mar 30 04:03 - 06:00 (3+01:56)
reboot system boot 3.10.0-957.el7.x Sat Mar 30 04:03 - 00:30 (3+20:27)
wtmp begins Fri Feb 15 16:03:13 2019
Alternatively, this can be verified via the /var/log/secure and /var/log/auth.log files.
For RHEL based systems.
# cat /var/log/secure-20190331 | grep Accepted | awk '{print $1,$2,$3,$9}'
Mar 29 01:38:41 daygeek
Mar 29 01:48:21 daygeek
Mar 29 02:01:13 user3
Mar 29 02:10:21 user1
Mar 29 02:10:38 user2
Mar 29 02:19:13 ladmin
Mar 30 04:14:54 daygeek
Mar 30 10:05:02 daygeek
For Ubuntu based systems.
# cat /var/log/auth.log | grep Accepted | awk '{print $1,$2,$3,$9}'
For failed attempts.
# cat /var/log/secure-20190331 | grep Failed | awk '{print $1,$2,$3,$11}'
Mar 29 01:53:48 user1
Mar 29 02:00:43 user2
Mar 29 02:12:58 ladmin
Mar 29 02:17:41 user1
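In sshd log lines the user name is field 11 only when the line reads "Failed password for invalid user ..."; for an existing account it is field 9, so a fixed column can print the wrong field. The following added example, which is not part of the original article, finds the name relative to the word "for" and flags user/IP pairs where an accepted login followed failures; the function names and the sample lines (host name server1, PIDs, ports) are constructed, and the traditional syslog timestamp layout used by the commands above is assumed.

```sh
# Added example, not from the article: summarise sshd password failures and
# flag user/IP pairs where a successful login followed earlier failures.
# Reads /var/log/secure or /var/log/auth.log lines on stdin.
auth_summary() {
    awk '
    # Find the user relative to "for": failures for unknown accounts
    # insert the words "invalid user" before the name.
    function parse(    i) {
        user = ""; ip = ""
        for (i = 6; i <= NF; i++) {
            if ($i == "for" && user == "") {
                if ($(i+1) == "invalid" && $(i+2) == "user") i += 2
                user = $(++i)
            } else if ($i == "from" && user != "" && ip == "") ip = $(i+1)
        }
    }
    $6 == "Failed"   { parse(); fail[user " " ip]++ }
    $6 == "Accepted" { parse(); k = user " " ip
                       if ((k in fail) && !(k in hit)) hit[k] = fail[k] }
    END {
        for (k in fail) print "FAILED", k, fail[k]
        for (k in hit)  print "SUCCESS_AFTER_FAILURE", k, hit[k]
    }' | sort
}

# Constructed sample lines in the sshd format (not real log data).
sample_secure() {
    cat <<'EOF'
Mar 29 01:53:48 server1 sshd[2101]: Failed password for invalid user user1 from 192.168.1.6 port 50122 ssh2
Mar 29 02:10:21 server1 sshd[2188]: Accepted password for user1 from 192.168.1.6 port 50140 ssh2
Mar 29 02:12:58 server1 sshd[2203]: Failed password for ladmin from 192.168.1.6 port 50151 ssh2
Mar 29 02:13:05 server1 sshd[2203]: Failed password for ladmin from 192.168.1.6 port 50151 ssh2
Mar 29 02:19:13 server1 sshd[2240]: Accepted password for ladmin from 192.168.1.6 port 50163 ssh2
Mar 29 02:30:00 server1 sshd[2301]: Failed password for root from 192.168.1.3 port 40022 ssh2
Mar 30 04:14:54 server1 sshd[3001]: Accepted password for daygeek from 192.168.1.6 port 50200 ssh2
EOF
}

sample_secure | auth_summary
```

The last column is the failure count; on a SUCCESS_AFTER_FAILURE row it is the number of failures seen before the first accepted login for that user and address.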
The lastlog command reports the most recent login of all users. This is very useful if you would like to check which users have not logged into the server for more than 30 to 60 days.
# lastlog
Username Port From Latest
root pts/0 Sat Mar 30 08:04:27 -0500 2019
bin **Never logged in**
daemon **Never logged in**
adm **Never logged in**
lp **Never logged in**
sync **Never logged in**
shutdown **Never logged in**
halt **Never logged in**
mail **Never logged in**
ftp **Never logged in**
nobody **Never logged in**
systemd-network **Never logged in**
dbus **Never logged in**
rpcuser **Never logged in**
nfsnobody **Never logged in**
chrony **Never logged in**
qemu **Never logged in**
tss **Never logged in**
ntp **Never logged in**
sssd **Never logged in**
gdm :0 Tue Apr 2 23:52:49 -0500 2019
gnome-initial-setup **Never logged in**
sshd **Never logged in**
avahi **Never logged in**
postfix **Never logged in**
tcpdump **Never logged in**
daygeek pts/0 192.168.1.6 Wed Apr 3 00:02:50 -0500 2019
user1 pts/2 192.168.1.6 Fri Mar 29 02:10:22 -0500 2019
cat **Never logged in**
user2 pts/2 192.168.1.6 Fri Mar 29 02:10:38 -0500 2019
apache **Never logged in**
mysql **Never logged in**
user3 pts/2 192.168.1.6 Fri Mar 29 02:01:13 -0500 2019
ladmin pts/2 192.168.1.6 Fri Mar 29 02:19:13 -0500 2019