How to view login history on Linux Server
To see login history on a Linux system, you can use the “last” command.
|
1 |
last |
On the screenshot above, it shows “admin.serverok.i” for some of the logins. This is because DNS resolve is enabled in SSH configuration, so IP get converted to hostname and it get truncated. To see the full hostname, run
|
1 |
last -a |
If you don’t want IP converted to hostname, run
|
1 |
last -ai |
To list only the last 10 logins, run
|
1 |
last -n 10 |
-n 10 limit result to last 10 logins.
Login history is stored in the file
|
1 |
/var/log/wtmp |
This file can grow and get rotated over time. If the file gets rotated, when you use the “last” command, it won’t report login history from older files.
|
1 2 3 4 |
root@server12:/var/log# ls -l | grep wtmp -rw-rw-r-- 1 root utmp 935K Aug 7 04:31 wtmp -rw-rw-r-- 1 root utmp 1.1M Jun 3 2017 wtmp-20170603 root@server12:/var/log# |
To see login history from an older file, you need to specify the location of the file using -f argument.
|
1 |
last -f /var/log/wtmp-20170603 |
You can also use the command
|
1 |
utmpdump /var/log/wtmp-20170603 |
To view the last 10 logins with full hostname from the old login file wtmp-20170603, use
|
1 |
last -n 10 -a -f /var/log/wtmp-20170603 |
The file name may differ in your server, check the /var/log folder for actual file names.