How to check user login history on CentOS (Redhat 7.8)
Worried about who is logged in? You can check users' login history on Linux, and you can also check what they are doing on the machine.
WHAT ARE TTY AND PTY?
- TTY is a native terminal device (it can be any server or system console).
- PTY is a terminal device that is emulated by another program, such as PuTTY.
How to check user login history on CentOS 7/8:
There are many ways to check a user’s login history. We’ll show you all these methods and more.
1. Check user login history with the last command: this shows the login history of users who have logged in to your server.
```
# last -2
user1 pts/1 192.168.121.1 Sun Jul 5 14:27 still logged in
root pts/1 192.168.121.1 Sun Jul 5 14:26 - 14:26 (00:00)
```
2. Check history for a specific period of time: use this when you need to find out when a user logged in during a specific period.
We can check this using the last command in the following format. You can change these values according to your needs.
```
last -F | grep -E 'Apr ([ 1-9]|1[0-9]|2[0-9]|30)' | grep 2020
```
Use the command below to find the login for a specific user.
```
# last -F user1 | grep -E 'Jul ([ 1-9]|1[0-9]|2[0-9]|30)' | grep 2020
user1 pts/1 192.168.121.1 Sun Jul 5 14:27:12 2020 - Sun Jul 5 14:27:30 2020 (00:00)
```
3. Check bad login history: we can also see which users tried to access the server with a wrong or forgotten password. The system keeps the entire history of these attempts.
We can use the command below to check this with the lastb command.
```
# lastb
user1 ssh:notty 192.168.121.1 Sun Jul 5 14:46 - 14:46 (00:00)
user1 ssh:notty 192.168.121.1 Sun Jul 5 14:46 - 14:46 (00:00)
root ssh:notty 192.168.121.1 Thu Jul 2 14:11 - 14:11 (00:00)
```
You can also watch the underlying file with tail -f /var/log/btmp. Note that btmp is a binary file, so the raw output is not formatted the way lastb presents it.
CHECK LOGIN HISTORY WITH HOST NAME:
We can also check the hostname of the logged in user in the last column using the “-a” option with the last command, as shown below.
```
# last -2 -a
user1 ssh:notty Sun Jul 5 14:50 - 14:50 (00:00) 192.168.121.1
user1 ssh:notty Sun Jul 5 14:46 - 14:46 (00:00) 192.168.121.1
```
Checking shutdown and runlevel: We can use the “-x” option to check shutdown and runlevel changes on your machine as shown below.
```
# last -10 -x
root pts/1 192.168.121.1 Sun Jul 5 14:26 - 14:26 (00:00)
root pts/0 192.168.121.1 Sun Jul 5 14:15 still logged in
root tty1 Sun Jul 5 14:14 still logged in
runlevel (to lvl 3) 4.18.0-147.8.1.e Sun Jul 5 14:14 still running
reboot system boot 4.18.0-147.8.1.e Sun Jul 5 14:13 still running
shutdown system down 4.18.0-147.8.1.e Fri Jul 3 13:41 - 14:13 (2+00:32)
```
We can also find these entries in the authentication log on the Linux server: /var/log/secure on CentOS and Red Hat, or /var/log/auth.log on Debian-based systems.
```
# cat /var/log/secure | grep Accepted | awk '{print $1,$2,$3,$9}'
Jul 2 13:58:58 root
Jul 2 14:11:50 root
Jul 3 12:36:08 root
Jul 5 14:15:16 root
Jul 5 14:26:51 root
Jul 5 14:27:02 user1
Jul 5 14:45:28 user1
```
Use the command below to see failed attempts.
```
# sshd writes "Failed password ..." with a capital F, and grep is case-sensitive
cat /var/log/secure | grep Failed | awk '{print $1,$2,$3,$11}'
```
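As an added example (not from the original page), the shell functions below summarise Accepted and Failed sshd entries per user and source address. They locate fields by keyword, because "invalid user" lines shift the positions that the fixed $9 and $11 columns above rely on. The log lines, the hostname host1 and the function names are constructed for illustration.

```shell
# Constructed sample lines in /var/log/secure format (host, users, PIDs are made up).
sample_secure_log() {
cat <<'EOF'
Jul  5 14:45:28 host1 sshd[2101]: Accepted password for user1 from 192.168.121.1 port 50122 ssh2
Jul  5 14:46:02 host1 sshd[2110]: Failed password for user1 from 192.168.121.1 port 50130 ssh2
Jul  5 14:46:07 host1 sshd[2110]: Failed password for user1 from 192.168.121.1 port 50130 ssh2
Jul  5 14:47:11 host1 sshd[2115]: Failed password for invalid user admin from 192.168.121.9 port 40100 ssh2
Jul  5 14:47:15 host1 sshd[2115]: Failed password for invalid user admin from 192.168.121.9 port 40100 ssh2
Jul  5 14:47:19 host1 sshd[2115]: Failed password for invalid user admin from 192.168.121.9 port 40100 ssh2
Jul  5 14:48:30 host1 sshd[2120]: Accepted publickey for root from 192.168.121.1 port 50140 ssh2
EOF
}

# auth_summary: reads log lines on stdin, prints "RESULT USER SOURCE COUNT" per combination.
# On a real host: auth_summary < /var/log/secure
auth_summary() {
  awk '
    / sshd\[[0-9]+\]: (Accepted|Failed) / {
      result = ""; user = ""; ip = ""
      # Find the keywords rather than counting fields: "invalid user NAME"
      # pushes the user name and source address two fields to the right.
      for (i = 1; i <= NF; i++) {
        if (result == "" && ($i == "Accepted" || $i == "Failed")) result = $i
        if (user == "" && $i == "for") user = ($(i+1) == "invalid") ? $(i+3) : $(i+1)
        if (ip == "" && $i == "from") ip = $(i+1)
      }
      count[result " " user " " ip]++
    }
    END { for (k in count) print k, count[k] }
  ' | sort
}

# failed_sources N: source addresses with at least N failed attempts for one user.
failed_sources() {
  auth_summary | awk -v n="$1" '$1 == "Failed" && $4 >= n { print $3 }' | sort -u
}

sample_secure_log | auth_summary
```
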
Use “-R” to suppress the hostname field as shown below.
```
# last -10 -R
user1 pts/1 Sun Jul 5 14:45 - 14:46 (00:01)
user1 pts/1 Sun Jul 5 14:27 - 14:27 (00:00)
root pts/1 Sun Jul 5 14:26 - 14:26 (00:00)
root pts/0 Sun Jul 5 14:15 still logged in
root tty1 Sun Jul 5 14:14 still logged in
reboot system boot Sun Jul 5 14:13 still running
```
The lastlog command is very useful when you want to see who has not logged in for more than 30-60 days and will also show you the last logon history of all users.
```
# lastlog
Username         Port     From             Latest
root             pts/1    192.168.121.1    Sun Jul 5 14:26:53 -0400 2020
bin                                        **Never logged in**
daemon                                     **Never logged in**
adm                                        **Never logged in**
lp                                         **Never logged in**
sync                                       **Never logged in**
shutdown                                   **Never logged in**
halt                                       **Never logged in**
mail                                       **Never logged in**
operator                                   **Never logged in**
games                                      **Never logged in**
ftp                                        **Never logged in**
nobody                                     **Never logged in**
```
Use the “last pts/2” command to check logins on a specific terminal connected to the machine.
Verify login based on username: use the “last
```
# last user1
user1 pts/1 192.168.121.1 Sun Jul 5 14:45 - 14:46 (00:01)
user1 pts/1 192.168.121.1 Sun Jul 5 14:27 - 14:27 (00:00)
```
That’s all.