To see login history on a Linux system, you can use the “last” command.
last
On the screenshot above, it shows “admin.serverok.i” for some of the logins. This is because DNS resolve is enabled in SSH configuration, so IP get converted to hostname and it get truncated. To see the full hostname, run
last -a
If you don’t want IP converted to hostname, run
last -ai
To list only the last 10 logins, run
last -n 10
-n 10 limit result to last 10 logins.
Login history is stored in the file
/var/log/wtmp
This file can grow and get rotated over time. If the file gets rotated, when you use the “last” command, it won’t report login history from older files.
root@server12:/var/log# ls -l | grep wtmp
-rw-rw-r-- 1 root utmp 935K Aug 7 04:31 wtmp
-rw-rw-r-- 1 root utmp 1.1M Jun 3 2017 wtmp-20170603
root@server12:/var/log#
To see login history from an older file, you need to specify the location of the file using -f argument.
last -f /var/log/wtmp-20170603
You can also use the command
utmpdump /var/log/wtmp-20170603
To view the last 10 logins with full hostname from the old login file wtmp-20170603, use
last -n 10 -a -f /var/log/wtmp-20170603
The file name may differ in your server, check the /var/log folder for actual file names.
How to check old login history with last command