3 Simple Methods to Check Linux Login History

Written by

Reviewed by

Last updated: May 17, 2024

Expert verified

SVG Image

TL;DR

To check your Linux login history, you can try this method:

  1. Open the Terminal by pressing Ctrl + Alt + T
  2. To view login history for all users, type last and press Enter
  3. To view login history for a specific user, type last username (replace username with the actual username) and press Enter
  4. To see the last 10 logins, type last -n 10 and press Enter

Read the guide below to learn different methods to check Linux login history. Also, explore best practices and benefits of checking Linux login history.

Keeping track of who logs into your Linux system is crucial for security and troubleshooting. Have you ever wondered who accessed your system and when? There’s an easy way to find out. In this post, I’ll show you how to check Linux login history. You’ll learn what login history is, why it’s important to monitor it, and the best methods to track login activities. From using simple commands like last to examining log files, we’ll cover everything you need to know to keep your system secure.

What is Linux Login History?

Linux login history is a record of all user login activities on a Linux system. It includes information about who logged in, when they logged in, and from where (such as which computer or IP address). This history helps you track user access and activity over time.

Monitoring login history is crucial for several reasons:

  • Regularly checking your login history helps you spot any unauthorized login attempts, allowing you to take action quickly to secure your system.
  • By monitoring your login history, you can identify suspicious activities and potential security breaches that might compromise your system.
  • Tracking login history ensures that users adhere to company policies and access controls, maintaining the integrity of your system.
  • Login history provides valuable information for troubleshooting user-related issues and understanding their actions on the system.
  • Monitoring login history helps you verify what users are doing on the system, ensuring accountability and transparency.
  • Regularly reviewing login history is a key practice in maintaining overall system security and preventing unauthorized access.

How to Check Login History Linux?

To check login history in Linux, open the Terminal and type last to see all user logins. For a specific user, type last username. To view the last 10 logins, use last -n 10. These commands provide a quick way to review login activities.

Here are three different methods to check Linux Login History:

1. Examining the Auth Log

The auth log is a valuable source of login-related information in Linux systems. By examining the auth log, you can access a comprehensive list of login events, including timestamps, usernames, IP addresses, and authentication methods. To access and analyze the auth log, follow these steps:

  1. Open the Terminal window. 
opening terminal 9
  1. Enter the following command to view the auth log: 
sudo tail -f /var/log/auth.log

The auth log will display the Linux last login history, including timestamps, usernames, IP addresses, and authentication methods.

    viewing auth.log history of the user

    2. Utilizing the Last Command

    The last command offers a straightforward way to retrieve Linux login history. Using the last command, you can view the login records for all users or retrieve the login history for a specific user. Follow these steps to use the last command to Linux show login history:

    1. Open the Terminal and type last to display the Linux login logs for all users.
    retrieving login history of all the users
    1. To retrieve the Linux login log for a specific user, use the command 
    last username
    1. The output will be:
    viewing login history of a specific user
    1. To see the Last 10 Logins, type the following command and press Enter:
    last -n 10

    This command displays the last 10 logins on the system.

    viewing last 10 logins

    3. Parsing the Wtmp File

    The wtmp file stores login records in Linux systems and can be parsed to access login history. Parsing the wtmp file lets you delve into historical login records and gain insights into user logins, session durations, and other relevant details. Here’s how you can parse the wtmp file to check login history Linux:

    1. Locate the wtmp file on your system. Usually, it is located in /var/log/wtmp.
    utmpdump /var/log/wtmp
    1. Various tools and techniques can help you parse the wtmp file and extract login-related information. Some commonly used tools include last, utmpdump, and fwtmp. In this case, I used the utmpdump tool.
    retrieving user history from wtmp file using utmpdump

    Advanced Methods to Check Login History in Linux

    1. Tracking Failed Login Attempts

    Tracking failed login attempts helps you detect potential security issues by identifying unsuccessful login tries. This is crucial for spotting unauthorized access attempts and strengthening system security.

    1. Open the Terminal.
    sudo lastb
    1. Enter your password if prompted to execute the command with superuser privileges.

    The output will show details of failed attempts, such as the username, IP address, and time of the attempt.

    viewing failed login history

    2. Analyzing Login Data by Time Periods

    Analyzing login data by time periods helps you identify trends and patterns in system access. This can reveal peak login times and detect unusual activity during off-hours.

    1. In your Terminal window use the last Command with the Date Range:
    last -s YYYY-MM-DD -t YYYY-MM-DD

    Replace YYYY-MM-DD with your desired start and end dates. The output will show login details within the specified date range.

    viewing login history by time period
    1. To narrow it down to a specific user, use:
    last -s YYYY-MM-DD -t YYYY-MM-DD username

    It will show the login logs of specific user of the specified time period.

    viewing specific history of a specific user

    3. Filtering Login Records by Terminal

    Filtering login records by terminal allows you to focus on specific sessions or locations. This is useful for investigating access points and monitoring remote logins.

    1. Access your command window.
    2. Use the last Command with Terminal:
    last | grep tty2

    Replace tty2 with the desired Terminal.

    filtering login history by terminal

    3 Best Practices to Check Linux User Login History

    Checking login history is essential for detecting unauthorized access attempts, identifying security breaches, and ensuring compliance. By following these best practices, you can enhance the security of your Linux system and effectively monitor login history. Here are three best practices for effectively checking login history in Linux systems.

    • 🛡️ Regularly Review and Analyze Login Records: To effectively monitor login history, reviewing and analyzing login records is important. By routinely examining the auth log, last command outputs, or parsed wtmp files, you can identify any suspicious login attempts, unusual patterns, or unauthorized access.
    • 🔒 Implement Secure Authentication Measures: Implementing secure authentication measures is crucial for preventing unauthorized access to your Linux system. Use strong passwords, enforce multi-factor authentication (MFA), and regularly update user credentials. By ensuring secure authentication practices, you reduce the risk of successful login attempts by unauthorized users and strengthen the overall security of your system.
    • 📅 Maintain Sufficient Log Retention Periods: Maintaining an adequate log retention period is vital for preserving historical login records. Configure your system to retain log files, such as the auth log and wtmp file, for a sufficient duration based on your organization’s requirements and compliance standards. Longer log retention periods enable you to perform effective forensic analysis, investigate security incidents, and comply with regulatory guidelines.

    Linux Check Login History: Final Thoughts

    I hope this article has provided valuable insights into the methods of checking log history in Linux systems, the benefits it offers, and the importance of following best practices.

    To enhance your Linux knowledge, explore these articles below:

    Frequently Asked Questions 

    How far back does the auth log retain login records?

    The auth log retains login records based on your system’s log rotation policy. Typically, it keeps logs until they are rotated, which might be weekly or monthly. You can check your log rotation settings in the /etc/logrotate.d directory to see how long your system retains these records.

    Are there any graphical tools available for login history analysis?

    Yes, several graphical tools are available for login history analysis. Tools like GNOME Logs provide a user-friendly interface to view and filter login records. Additionally, Logwatch can generate detailed reports that can be viewed graphically, making it easier to analyze and understand login activities.

    Can I differentiate between successful and failed login attempts?

    Yes, you can differentiate between successful and failed login attempts. Successful logins are typically logged in the auth.log file with entries showing a successful login message. Failed attempts are recorded in the same log with messages indicating failure. Commands like lastb specifically show failed login attempts.

    Is it possible to receive notifications for specific login events?

    Yes, it is possible to receive notifications for specific login events. You can set up tools like Logwatch or use custom scripts with cron jobs to monitor logs and send email alerts or notifications for certain login events, such as failed login attempts or logins from specific IP addresses.

    Ojash

    Author

    Ojash is a skilled Linux expert and tech writer with over a decade of experience. He has extensive knowledge of Linux's file system, command-line interface, and software installations. Ojash is also an expert in shell scripting and automation, with experience in Bash, Python, and Perl. He has published numerous articles on Linux in various online publications, making him a valuable resource for both seasoned Linux users and beginners. Ojash is also an active member of the Linux community and participates in Linux forums.

    Akshat

    Reviewer

    Akshat is a software engineer, product designer and the co-founder of Scrutify. He's an experienced Linux professional and the senior editor of this blog. He is also an open-source contributor to many projects on Github and has written several technical guides on Linux. Apart from that, he’s also actively sharing his ideas and tutorials on Medium and Attirer. As the editor of this blog, Akshat brings his wealth of knowledge and experience to provide readers with valuable insights and advice on a wide range of Linux-related topics.

    Share this article
    Shareable URL
    Prev Post

    How to Scroll in Tmux [3 Easy Ways]

    Next Post

    Mastering Vim Split Window: How to Split Vertically and Horizontally?

    Leave a Reply

    Your email address will not be published. Required fields are marked *

    Read next