View All Users Who Have Ever Logged Into Your Linux Server

Previously, I explored how to view all the users that are currently logged into my Linux server. A natural extension to that desire is to see all users who have logged into the server in the past. While current users are kept track of with the utmp file, past logins and logouts are kept track of in the wtmp/wtmpx file.

One way is to use the `last` command. My regular work laptop’s `last` output is rather boring:

wesley pts/7 :0.0 Wed Feb 15 19:57 - 20:42 (00:44)
wesley pts/6 :0.0 Tue Feb 14 20:53 - 21:18 (00:25)
wesley pts/5 :0.0 Tue Feb 14 20:46 still logged in
wesley pts/4 :0.0 Tue Feb 14 17:02 - 20:46 (03:43)
wesley pts/3 :0.0 Tue Feb 14 16:34 still logged in
wesley pts/2 :0.0 Tue Feb 14 16:25 - 16:26 (00:01)
wesley pts/1 :0.0 Tue Feb 14 16:24 still logged in
wesley tty1 :0 Tue Feb 14 12:28 still logged in
reboot system boot Tue Feb 14 12:27 - 22:41 (1+10:14)
wesley tty1 :0 Tue Feb 14 09:19 - down (00:58)

If there is a specific user that you’d like to hone in on, use last [username] thusly:

# last root
root     pts/0        [ip removed]. Tue Feb 14 18:22   still logged in
root     pts/0        [ip removed]. Sun Feb 12 00:42 - 01:50  (01:07)
root     pts/0        [ip removed]. Sat Feb 11 16:24 - 19:41  (03:17)
root     pts/0        [ip removed]. Sat Feb 11 16:21 - 16:23  (00:02)

A useful switch when trying to hone in on remote logins is the -a switch which appends hostnames to the end of the table. -d will do a reverse lookup on remote IP addresses as well. A useful way to use this would be to see from which IP addresses and hosts a certain user account accesses your server. In my case, I know that only two people should theoretically have access to a certain FTP address. If I see that user account logging in from IP blocks in Namibia, I should probably be worred.

Another place to look for past logins is in /var/log/secure log files. They will also show failed login attempts. You could perform the following to find certain strings that show whatever events you’re interested in:

cat secure* | grep Accepted

However you will be in peril of winning a “Useless Use of Cat Award“.

A similar but different command is `lastlog` that by default prints out each user account that is on your machine along with the the account’s last login time.

someuser@someserver [/]# lastlog
Username Port From Latest
someuser pts/0 [ip removed]. Tue Feb 14 18:22:32 -0500 2012
bin **Never logged in**
daemon **Never logged in**
adm **Never logged in**
lp **Never logged in**

Lastlog itself merely scrys into /var/log/lastlog. You can modify the date from which it looks back to see when the last login occurred.

As a bonus, try `lastb` to see all the failed login attempts on your machine. Prepare to weep.

How do you figure out who was logged into your server and when? What better tools do you know of? I know none of the above are truly audit-level methods. Let me know in the comments below.


  1. Dave

    March 5, 2012 at 9:53 am

    By default, Ubuntu rotates the wtmp file on the first of every month. You can use last -f /var/log/wtmp.1 to get the logins from last month.

    If you want to keep a record of logins longer than that, you will want to edit your logrotate config.


    • Wesley David

      March 5, 2012 at 11:10 am

      Excellent additional information. Thanks!


Leave a Reply

Follow TheNubbyAdmin!

follow us in feedly

Raw RSS Feed:

Contact Me!

Want to hire me as a consultant? Have a job you think I might be interested in? Drop me a line:

Contact Me!

Subscribe via Email

Your email address is handled by Google FeedBurner and never spammed!

The Nubby Archives

Circle Me on Google+!

Photos from Flickr

Me on StackExchange

The IT Crowd Strava Group

%d bloggers like this: