RHEL User Login History


Hi,

We are using RHEL 6.5 and we have created more than 20 user accounts on that server. Now I want to find out which users have not logged in to the server for more than 30 to 60 days. In this case, is there any command or script to find the login history?

Responses

A quick script like:

for USER in $(getent passwd | awk -F ":" '{print $1}')
do
   # Most recent wtmp entry for this account; drop the "wtmp begins" trailer and blank lines
   last -1 "$USER" | sed -e '/wtmp/d' -e '/^$/d'
done

Will do it. There are also some legacy commands that will give similar results.

Note 1: this will only gather interactive logins.
Note 2: this will only work since the last time the wtmp logs were updated.

'lastlog' should be able to provide what you need.

lastlog -b 30

And, like /var/log/wtmp with the last command, it is only as correct as your /var/log/lastlog file. If someone truncated, nulled or corrupted your lastlog file within the past -b days, your output will be inaccurate.

The same essential argument can be used for any command... if the input is corrupted the output is potentially inaccurate.

True, but an answer without appropriate caveats - especially when cleaning up /var/log isn't a terribly uncommon thing to do - is only a partial answer.

There is probably an argument to be made that /var/log is a poor choice of location for both wtmp and lastlog based on the FHS descriptions of /var directories... but it explicitly states that these files (or symlinks) must exist in /var/log.

I personally think /var/lib is possibly a better location for both files given their nature.

Or that this far in the evolution of *NX systems, that there aren't better methods for maintaining compact, audit-related files that are rotation-friendly.

Hi guys,

In my case I have integrated the Linux server with AD, so domain users only log in to the system.

Using the "lastlog" command and the mentioned script, I have only noticed local user login history.

Is there any way to find the domain user login history?

You'd need to let us know what method you're using for AD integration. With most of the integration tools I've used, wtmp gets updated regardless of authentication-source. You can also get login information from Active Directory (assuming access and ability to run some PowerShell scripts).

Hi Tom,

We have used "samba-winbind" for AD integration with Linux systems; for authentication we use the PAM method.

Hi Team, please help check last logon of AD users.
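
An added example, not part of the thread or any poster's code: a shell function that classifies accounts from "last -F" output as active, stale, or unknown, so that an account missing from wtmp is reported against the "wtmp begins" date instead of being treated as never logged in. The function name, output format and sample data are constructed for illustration; it assumes GNU date and a last that supports -F (and -w for long names).

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU date and `last -F`.
# On a host (add -w so long or domain names are not truncated):
#   last -F -w | classify_logins 30 "$(date +%s)" $(getent passwd | cut -d: -f1)

# classify_logins DAYS NOW_EPOCH ACCOUNT...   (reads `last -F` output on stdin)
# Prints: account <TAB> active|stale|unknown <TAB> detail
classify_logins() (
    days=$1 now=$2; shift 2
    data=$(cat)
    cutoff=$(( now - days * 86400 ))
    # The "wtmp begins" trailer shows how far back the records reach.
    begins=$(printf '%s\n' "$data" | sed -n 's/^wtmp begins *//p')
    for acct in "$@"; do
        # last lists newest sessions first, so the first matching line is the
        # latest login. The login time is the 5 fields starting at the weekday;
        # scanning for it copes with an empty host column (console logins).
        # ENVIRON avoids awk escape processing of names such as DOMAIN\user.
        stamp=$(printf '%s\n' "$data" | U="$acct" awk '
            $1 == ENVIRON["U"] {
                for (i = 2; i <= NF - 4; i++)
                    if ($i ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/) {
                        print $i, $(i+1), $(i+2), $(i+3), $(i+4); exit
                    }
            }')
        if [ -z "$stamp" ] || ! epoch=$(date -d "$stamp" +%s 2>/dev/null); then
            # Absent from wtmp is not "never logged in": rotation or truncation
            # may have discarded older sessions.
            printf '%s\tunknown\tno usable record since %s\n' "$acct" "$begins"
        elif [ "$epoch" -lt "$cutoff" ]; then
            printf '%s\tstale\t%s\n' "$acct" "$stamp"
        else
            printf '%s\tactive\t%s\n' "$acct" "$stamp"
        fi
    done
)

# Constructed sample of `last -F` output (not real data).
sample_last_output() {
    cat <<'EOF'
bob      pts/1        10.0.0.7         Thu Mar 20 08:01:10 2014 - Thu Mar 20 16:30:00 2014  (08:28)
alice    tty1                          Mon Jan  6 09:12:33 2014 - Mon Jan  6 17:40:02 2014  (08:27)

wtmp begins Wed Jan  1 00:00:11 2014
EOF
}

sample_last_output | classify_logins 30 "$(date -d 'Tue Apr  1 12:00:00 2014' +%s)" bob alice carol
```

With samba-winbind, getent passwd lists domain accounts only when enumeration is enabled ("winbind enum users = yes" in smb.conf); otherwise pass the domain account names to the function explicitly.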