Views:
8,642β
Votes: 8β
Tags:
security
users
vnstat
Link:
π See Original Answer on Ask Ubuntu β§ π
URL:
https://askubuntu.com/q/1138206
Title:
How do I find user login history?
ID:
/2019/04/25/How-do-I-find-user-login-history_
Created:
April 25, 2019
Edited: April 25, 2019
Upload:
September 15, 2024
Layout: post
TOC:
false
Navigation: false
Copy to clipboard: false
last
command to the rescue
The last
command shows by a given user name or all user names:
$ last rick
rick tty7 :0 Wed Apr 24 16:25 gone - no logout
rick tty8 :1 Wed Apr 24 16:24 - down (00:00)
rick tty7 :0 Tue Apr 23 20:12 - down (20:06)
rick tty7 :0 Tue Apr 23 18:30 - crash (01:42)
(...SNIP...)
rick tty7 :0 Tue Apr 2 16:52 - down (00:31)
rick tty7 :0 Tue Apr 2 03:14 - crash (13:37)
By default it only shows history for the current month. If you need to go further back in history than one month, you can read the /var/log/wtmp.1
file with the last
command.
last -f wtmp.1 rick
will show the previous monthβs history of logins for user rick
:
$ last -f /var/log/wtmp.1 rick
rick tty7 :0 Sun Mar 31 16:53 gone - no logout
rick tty7 :0 Sat Mar 30 19:18 - down (13:20)
(...SNIP...)
rick tty7 :0 Fri Mar 1 20:55 - down (11:55)
wtmp.1 begins Fri Mar 1 18:23:28 2019
Security is hardened such that normal users canβt write or delete the file:
$ ll /var/log/wtmp.1
-rw-rw-r-- 1 root utmp 107520 Mar 31 16:53 /var/log/wtmp.1
Console only logins
The console uses the login
command which records data to /var/log/lastlog
:
$ ll /var/log/lastlog
-rw-rw-r-- 1 root utmp 292292 Apr 24 16:22 /var/log/lastlog
The lastlog
file though cannot be tampered with so easily when you look at the File Owner and File Group above. βNormalβ users just have read access. Itβs a binary file though so you canβt just cat
it and get meaningful information. Use this command instead:
$ lastlog
Username Port From Latest
root **Never logged in**
daemon **Never logged in**
bin **Never logged in**
sys **Never logged in**
(...SNIP...)
usbmux **Never logged in**
rick tty1 Wed Nov 28 04:19:53 -0700 2018
vnstat **Never logged in**
Itβs interesting to see all the different user IDs that could log in but never have and never should. I was surprised I havenβt logged into the console / terminal since November last year.