How to view login history on Linux Server

To see login history on a Linux system, you can use the “last” command.

last

Linux Last Command

In the screenshot above, some of the logins show “admin.serverok.i”. This is because DNS resolution is enabled in the SSH configuration, so the IP address gets converted to a hostname, and the hostname gets truncated. To see the full hostname, run

last -a

If you don’t want the IP converted to a hostname, run

last -ai

To list only the last 10 logins, run

last -n 10

-n 10 limits the result to the last 10 logins.

Login history is stored in the file

/var/log/wtmp

This file can grow and get rotated over time. Once the file has been rotated, the “last” command won’t report login history from the older files.

root@server12:/var/log# ls -l | grep wtmp
-rw-rw-r-- 1 root  utmp   935K Aug  7 04:31 wtmp
-rw-rw-r-- 1 root  utmp   1.1M Jun  3  2017 wtmp-20170603
root@server12:/var/log# 

To see login history from an older file, you need to specify the location of the file using the -f argument.

last -f /var/log/wtmp-20170603

You can also use the command

utmpdump /var/log/wtmp-20170603

To view the last 10 logins with full hostname from the old login file wtmp-20170603, use

last -n 10 -a -f /var/log/wtmp-20170603

The file name may differ on your server. Check the /var/log folder for the actual file names.
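
To show what last and utmpdump read from these files, here is an added example (not part of the original post) that parses wtmp records directly and merges the current and rotated files into one history. It assumes the glibc utmp record layout on little-endian Linux (384 bytes per record) and uncompressed files; the function names and the sample record are made up for the illustration.

```python
import ipaddress
import struct
import sys
from datetime import datetime, timezone
from pathlib import Path

# Assumption: glibc "struct utmp" on little-endian Linux, 384 bytes per record.
UTMP = struct.Struct("<h2xi32s4s32s256shhiii16s20s")
USER_PROCESS = 7  # ut_type of a user login; boot, logout, etc. use other types

def text(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def address(raw):
    """ut_addr_v6: IPv4 uses only the first 4 bytes, IPv6 all 16."""
    if raw[4:] == bytes(12):
        return str(ipaddress.IPv4Address(raw[:4])) if any(raw) else ""
    return str(ipaddress.IPv6Address(raw))

def parse_wtmp(data):
    """Yield one dict per login record found in raw wtmp bytes."""
    usable = len(data) - len(data) % UTMP.size  # skip a truncated last record
    for offset in range(0, usable, UTMP.size):
        f = UTMP.unpack_from(data, offset)
        if f[0] == USER_PROCESS:
            when = datetime.fromtimestamp(f[9], timezone.utc)
            yield {"user": text(f[4]), "line": text(f[2]), "host": text(f[5]),
                   "ip": address(f[11]), "time": when}

def login_history(blobs):
    """Merge logins from several wtmp files (current and rotated), newest first."""
    records = [r for blob in blobs for r in parse_wtmp(blob)]
    return sorted(records, key=lambda r: r["time"], reverse=True)

def sample_record(ut_type, user, line, host, ip, ts):
    """Build one constructed record for the demo; not real log data."""
    addr = ipaddress.ip_address(ip).packed.ljust(16, b"\0")
    return UTMP.pack(ut_type, 1234, line.encode(), b"", user.encode(),
                     host.encode(), 0, 0, 0, ts, 0, addr, b"")

if __name__ == "__main__":
    # Real use: pass wtmp paths as arguments; otherwise a constructed sample is parsed.
    blobs = [Path(p).read_bytes() for p in sys.argv[1:]] or [
        sample_record(7, "admin", "pts/0", "host.example.net", "192.0.2.10", 1501000000)]
    for r in login_history(blobs):
        print(f'{r["user"]:<10}{r["line"]:<8}{r["ip"]:<40}{r["host"]} {r["time"]:%Y-%m-%d %H:%M}')
```

Each record stores both the full hostname and the raw address, which is why last can print either one; the truncation only happens when last formats its output.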
