Find out the user's login history to the server


How do I find a user's login history to the server for a specific period of time using the "last" command?

Example: what is the command for the below?

How to find the "userA" login history to the server from 21-June-2018 to 24-July-2018

Responses

Hi

You can use the below command to search for the login history:

~~~
utmpdump /var/log/wtmp* | awk '$4~"userA" {print}'
~~~

Regards Sadiq

Hi,

This is to find out the login history, right?

I would like to find the history from "20th June 2018 to 24th July 2018".

How do I include this time period in the command?

Hi

In that case you need to first redirect the output to some text file and then run awk on that file.

~~~
utmpdump /var/log/wtmp* | awk '$4~"userA" {print}' > /var/tmp/userAtime

awk '$8>"[28/Jun/2018:16:10" && $8<"[24/Jul/2018:16:10"' /var/tmp/userAtime
~~~

Thanks Sadiq
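The date filtering discussed above depends on where utmpdump puts the timestamp and in what format, which varies with the util-linux version. The following is an added example, not code from the thread: it filters utmpdump output for one user and one date range, and assumes the ISO-8601 timestamp field that current util-linux prints (`[2018-06-21T10:00:00,000000+00:00]`); older releases print `[Thu Jun 21 10:00:00 2018 UTC]` and would need a different comparison. The `wtmp_range` and `sample_wtmp` names and the sample records are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread: keep only one user's login/logout records
# from utmpdump output, restricted to a date range. It assumes the ISO-8601
# timestamp field that utmpdump prints on current util-linux
# ("[2018-06-21T10:00:00,000000+00:00]"); older releases print the time as
# "[Thu Jun 21 10:00:00 2018 UTC]" and would need a different comparison.
#
# usage: utmpdump /var/log/wtmp* | wtmp_range USER SINCE UNTIL   (dates as YYYY-MM-DD)
wtmp_range() {
    awk -F'[][]' -v user="$1" -v since="$2" -v until="$3" '
    {
        # With "[" and "]" as separators the bracketed values land in even fields:
        # $2 type, $4 pid, $6 id, $8 user, $10 line, $12 host, $14 addr, $16 time.
        u = $8;     sub(/ +$/, "", u)
        line = $10; sub(/ +$/, "", line)
        host = $12; sub(/ +$/, "", host)
        day = substr($16, 1, 10)          # YYYY-MM-DD prefix of the ISO timestamp
        when = substr($16, 1, 19)         # drop fractional seconds and zone offset
    }
    # Type 7 (USER_PROCESS) is a login and carries the user name.
    $2 == "7" && u == user {
        # ISO dates compare correctly as plain strings.
        if (day >= since && day <= until) {
            printf "%s %-6s %-8s %s\n", when, "login", line, host
            seen[$4] = 1                  # remember the pid so the logout can be paired
        }
    }
    # Type 8 (DEAD_PROCESS) is a logout; its user field is blank, so match it by pid.
    $2 == "8" && ($4 in seen) {
        printf "%s %-6s %-8s %s\n", when, "logout", line, "(pid " $4 ")"
        delete seen[$4]
    }'
}

# Constructed sample in utmpdump format (not real server data) so the function
# can be exercised offline.
sample_wtmp() {
    cat <<'EOF'
[2] [00000] [~~  ] [reboot  ] [~           ] [3.10.0-862.el7.x86_64] [0.0.0.0        ] [2018-06-10T05:00:00,000000+00:00]
[7] [01820] [ts/0] [userA   ] [pts/0       ] [192.168.100.6       ] [192.168.100.6  ] [2018-06-19T23:30:00,000000+00:00]
[8] [01820] [ts/0] [        ] [pts/0       ] [                    ] [0.0.0.0        ] [2018-06-20T00:10:00,000000+00:00]
[7] [02310] [ts/1] [userA   ] [pts/1       ] [198.153.241.140     ] [198.153.241.140] [2018-06-21T10:00:00,000000+00:00]
[8] [02310] [ts/1] [        ] [pts/1       ] [                    ] [0.0.0.0        ] [2018-06-21T10:15:42,000000+00:00]
[7] [02455] [ts/0] [root    ] [pts/0       ] [192.168.100.6       ] [192.168.100.6  ] [2018-06-22T08:00:00,000000+00:00]
[7] [03101] [ts/0] [userA   ] [pts/0       ] [192.168.100.6       ] [192.168.100.6  ] [2018-07-24T18:30:00,000000+00:00]
[7] [03902] [ts/0] [userA   ] [pts/0       ] [192.168.100.6       ] [192.168.100.6  ] [2018-07-25T09:00:00,000000+00:00]
EOF
}

# Demonstration: userA's sessions between 20 June and 24 July 2018 inclusive.
sample_wtmp | wtmp_range userA 2018-06-20 2018-07-24
```

Note that a logout record in wtmp does not carry the user name, so an `awk '$4~"userA"'` filter only ever shows logins; the example pairs logouts with their login by pid instead, which is what `last` does internally when it prints the session duration.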

User login attempts also get recorded in the '/var/log/secure' file, which you may have to grep and use a combination of awk/sed on to get the desired results:

~~~
# grep login /var/log/secure | grep root | grep "session opened"
~~~

This would list out all successful root user logins to the system. I hope this may help you. Likewise, logouts are recorded as 'session closed' in the /var/log/secure file, which also records failed attempts.
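As an added example (not code from the thread), here is the same date-range idea applied to the /var/log/secure lines mentioned above. Syslog timestamps carry no year, so the year is passed in explicitly; the `secure_sessions` and `sample_secure` names and the sample log lines are constructed for this example and assume the standard pam_unix "session opened/closed for user" message layout.

```shell
#!/bin/sh
# Added example, not from the thread: pull one user's pam_unix "session opened"
# and "session closed" lines out of /var/log/secure-style syslog input for a date
# range. Syslog timestamps carry no year, so the year is passed in explicitly
# (an assumption of this example; adjust it for logs that span a year boundary).
#
# usage: cat /var/log/secure* | secure_sessions USER SINCE UNTIL YEAR   (dates as YYYY-MM-DD)
secure_sessions() {
    awk -v user="$1" -v since="$2" -v until="$3" -v year="$4" '
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", names, " ")
        for (i = 1; i <= 12; i++) mon[names[i]] = sprintf("%02d", i)
    }
    # Expected layout (fields numbered by awk default splitting):
    #  1 month  2 day  3 time  4 host  5 program[pid]:  6 pam_unix(svc:session):
    #  7 "session"  8 opened|closed  9 "for"  10 "user"  11 <name>  [12 "by" 13 <who>]
    # The name after "for user" is the account whose session this is; the name
    # after "by" (for su/sudo) is the caller, which is deliberately not matched.
    $6 ~ /^pam_unix\(.*:session\):$/ && $7 == "session" && $10 == "user" && $11 == user {
        day = year "-" mon[$1] "-" sprintf("%02d", $2)   # normalise to YYYY-MM-DD
        if (day < since || day > until) next              # ISO dates compare as strings
        printf "%s %s %-6s %s\n", day, $3, $8, $5
    }'
}

# Constructed sample lines in /var/log/secure format (not from a real host).
sample_secure() {
    cat <<'EOF'
Jun 19 23:59:59 srv sshd[1001]: pam_unix(sshd:session): session opened for user userA by (uid=0)
Jun 21 10:00:01 srv sshd[1002]: pam_unix(sshd:session): session opened for user userA by (uid=0)
Jun 21 10:15:42 srv sshd[1002]: pam_unix(sshd:session): session closed for user userA
Jun 21 10:20:00 srv sshd[1003]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jul  3 08:05:11 srv su: pam_unix(su-l:session): session opened for user root by userA(uid=1000)
Jul 24 18:30:00 srv sshd[1004]: pam_unix(sshd:session): session opened for user userA by (uid=0)
Jul 25 09:00:00 srv sshd[1005]: pam_unix(sshd:session): session opened for user userA by (uid=0)
EOF
}

# Demonstration: userA's sessions between 20 June and 24 July 2018 inclusive.
sample_secure | secure_sessions userA 2018-06-20 2018-07-24 2018
```

A plain `grep userA /var/log/secure` would also pull in the `su` line where userA is the caller rather than the account logged in; matching on the field after "for user" keeps the two apart, which matters when the question is who held a root session.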

The "last" command is another way to get this information, and you can use the "--since" and "--until" options to narrow the search:

~~~
[rgreene@rnd2 tmp]$ last --since 2018-06-01 08:00 --until 2018-06-15 17:00 rgreene
rgreene  pts/0        192.168.100.6    Tue Jun 12 06:48 - 22:38  (15:49)
rgreene  pts/0        198.153.241.140  Wed Jun  6 06:57 - 15:48  (08:51)
rgreene  pts/0        198.153.241.140  Mon Jun  4 15:08 - 15:09  (00:00)

wtmp begins Mon Dec 11 09:04:32 2017
~~~

Hi Rick,

~~~
[raj@test ~]$ last --since 2018-07-24 08:00 --until 2018-07-25 12:21
last: invalid option -- '-'
Usage: last [-num | -n num] [-f file] [-t YYYYMMDDHHMMSS] [-R] [-adioxFw] [username..] [tty..]
~~~

I am getting this error.

There is no such option as '--since' and '--until' for the last command. Please check the man page of the last command. Not sure how Rick got to execute the last command with such options.

Rick, add three tildes in a row above/below code which will help format code without it being wrapped into one line.

"~~~"

your code goes here.

"~~~"

(remove the quotes of course)

Sometimes I run this to cut out obvious distractors with the last command:

~~~
last | egrep -v 'oot|nameofscanaccountthatspamslogins|thatadminwhologsinalot'
~~~

The egrep -v will drop the things not needed (separate terms with a "|" character; also, the "oot" in the egrep -v matches either "root" or "boot", which populate the "last" results).