How to check user login history on CentOS (Redhat 7.8)

Worried about who is logged in? Yes, you can check users’ login history on Linux. We can also check what they are doing on the machine.

WHAT ARE TTY AND PTY?

  • A TTY is a native terminal device; it can be any server or system console.
  • A PTY is a terminal device that is emulated by another program, such as PuTTY.

How to check user login history on CentOS 7/8:

There are many ways to check a user’s login history. We’ll show you all these methods and more.

  1. Check user login history with the last command: it shows the login history of the users who have logged in to your server (here limited to the two most recent entries with -2).
# last -2
user1       pts/1    192.168.121.1   Sun  Jul  5  14:27   still logged in
root        pts/1    192.168.121.1   Sun  Jul  5  14:26 - 14:26 (00:00)

2. Check history for a specific period of time: use this when you need to find out which users logged in during a specific period.

We can check this using the last command in the following format. You can change these values according to your needs.

last -F | grep -E 'Apr ([ 1-9]|1[0-9]|2[0-9]|30)' | grep 2020

Use the command below to find the login for a specific user.

# last -F user1 | grep -E 'Jul ([ 1-9]|1[0-9]|2[0-9]|30)' | grep 2020
user1 pts/1 192.168.121.1 Sun Jul 5 14:27:12 2020 - Sun Jul 5 14:27:30 2020 (00:00)

3. Check bad login history: we can also see users who tried to access the server with a wrong or forgotten password. The system keeps the entire history of these attempts as well.

We can use the command below to check this with the lastb command.

# lastb
user1      ssh:notty   192.168.121.1  Sun  Jul  5  14:46 - 14:46 (00:00)
user1      ssh:notty   192.168.121.1  Sun  Jul  5  14:46 - 14:46 (00:00)
root       ssh:notty   192.168.121.1  Thu  Jul  2  14:11 - 14:11 (00:00)

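These records are stored in /var/log/btmp. You can also watch that file with tail -f /var/log/btmp, but it is a binary file, so use lastb (or last -f /var/log/btmp) to read it in decoded form.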

CHECK LOGIN HISTORY WITH HOST NAME:

We can also check the hostname of the logged in user in the last column using the “-a” option with the last command, as shown below.

# last -2 -a
user1    ssh:notty   Sun    Jul   5 14:50 - 14:50 (00:00)    192.168.121.1
user1    ssh:notty   Sun    Jul   5 14:46 - 14:46 (00:00)    192.168.121.1

Checking shutdown and runlevel: We can use the “-x” option to check shutdown and runlevel changes on your machine as shown below.

# last -10 -x
root       pts/1        192.168.121.1    Sun Jul 5 14:26 - 14:26 (00:00)
root       pts/0        192.168.121.1    Sun Jul 5 14:15 still logged in
root       tty1                          Sun Jul 5 14:14 still logged in
runlevel   (to lvl 3)   4.18.0-147.8.1.e Sun Jul 5 14:14 still running
reboot     system boot  4.18.0-147.8.1.e Sun Jul 5 14:13 still running
shutdown   system down  4.18.0-147.8.1.e Fri Jul 3 13:41 - 14:13 (2+00:32)

We can also find these entries in the /var/log/secure file (or /var/log/auth.log on Debian-based systems) on the Linux server.

# cat /var/log/secure | grep Accepted | awk '{print $1,$2,$3,$9}'
Jul 2 13:58:58  root
Jul 2 14:11:50  root
Jul 3 12:36:08  root
Jul 5 14:15:16  root
Jul 5 14:26:51  root
Jul 5 14:27:02  user1
Jul 5 14:45:28  user1

Use the command below to see failed attempts. sshd writes “Failed password” with a capital F and grep is case-sensitive, so match on “Failed”.

cat /var/log/secure | grep Failed | awk '{print $1,$2,$3,$11}'
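The fixed awk field numbers above shift when sshd logs “invalid user” or when the account name contains a space. As an added example (not part of the original article), the function below counts failed password attempts per source address and account by locating the fixed “from <address> port <n> ssh2” tail instead; the function names, the host name host1 and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Count failed SSH password attempts per source address and account.
# Input: sshd lines in /var/log/secure format on stdin.
# Output: "<count> <source> <valid|invalid> <account name>", highest count first.
failed_logins() {
    awk '
    $5 ~ /^sshd\[[0-9]+\]:$/ && $6 == "Failed" && $7 == "password" && $8 == "for" {
        # The tail "from <addr> port <n> ssh2" is fixed. The account name before
        # it is supplied by the client and may contain spaces: scan from the right.
        for (i = NF - 1; i >= 10; i--) if ($i == "from") break
        if (i < 10) next                      # no source address: skip the line
        start = 9; kind = "valid"
        if ($9 == "invalid" && $10 == "user") { start = 11; kind = "invalid" }
        user = ""
        for (j = start; j < i; j++) user = user (j > start ? " " : "") $j
        count[$(i + 1) " " kind " " user]++
    }
    END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k1,1nr -k4
}

# Constructed sample lines in /var/log/secure format (not real log data).
sample_secure_log() {
    cat <<'EOF'
Jul  5 14:45:28 host1 sshd[2101]: Accepted password for user1 from 192.168.121.1 port 50110 ssh2
Jul  5 14:46:02 host1 sshd[2140]: Failed password for user1 from 192.168.121.1 port 50112 ssh2
Jul  5 14:46:07 host1 sshd[2140]: Failed password for user1 from 192.168.121.1 port 50112 ssh2
Jul  5 14:47:10 host1 sshd[2152]: Failed password for invalid user admin from 192.168.121.1 port 50120 ssh2
Jul  5 14:47:15 host1 sshd[2153]: Failed password for invalid user backup admin from 192.168.121.1 port 50121 ssh2
EOF
}

# Demo run on the constructed sample.
sample_secure_log | failed_logins
```

On a real server, run it as failed_logins < /var/log/secure (root is required to read the file).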

Use “-R” to suppress the hostname field as shown below.

# last -10 -R
user1       pts/1       Sun   Jul 5 14:45 - 14:46   (00:01)
user1       pts/1       Sun   Jul 5 14:27 - 14:27   (00:00)
root        pts/1       Sun   Jul 5 14:26 - 14:26   (00:00)
root        pts/0       Sun   Jul 5 14:15   still   logged in
root        tty1        Sun   Jul 5 14:14   still   logged in
reboot      system boot Sun   Jul 5 14:13   still   running

The lastlog command is very useful when you want to see who has not logged in for more than 30-60 days; it also shows you the last login of every user.

# lastlog
Username    Port      From               Latest
root        pts/1     192.168.121.1      Sun Jul 5 14:26:53 -0400 2020
bin                                      **Never logged in**
daemon                                   **Never logged in**
adm                                      **Never logged in**
lp                                       **Never logged in**
sync                                     **Never logged in**
shutdown                                 **Never logged in**
halt                                     **Never logged in**
mail                                     **Never logged in**
operator                                 **Never logged in**
games                                    **Never logged in**
ftp                                      **Never logged in**
nobody                                   **Never logged in**

Use the “last pts/2” command to check the logins on a given terminal connected to the machine.

Verify login based on username: use the “last <username>” command to verify it.

# last user1
user1   pts/1    192.168.121.1   Sun   Jul 5 14:45 - 14:46  (00:01)
user1   pts/1    192.168.121.1   Sun   Jul 5 14:27 - 14:27  (00:00)

That’s all.
