How To Check User Login History On CentOS / Redhat 7/8

Worried about who logged into the system? Yes, you can check user login history on a Linux machine. We can also check what they’re doing on the machine.

What’s tty and pty?

  • A tty is a native terminal device; it could be any server/system console.
  • A pty is a terminal device that is emulated by another program, such as PuTTY.

How To Check User Login History On CentOS 7/8:

There are many ways of checking the user login history. I will show you all of them here, and more.

  1. Check User Login History Using the last Command: We can check the login history of the users who logged into your server.
[root@openvas ~]# last -2
user1       pts/1    192.168.185.1   Sun  Jul  5  14:27   still logged in
root        pts/1    192.168.185.1   Sun  Jul  5  14:26 - 14:26 (00:00)

2. Check History For a Particular Time Period: Use this when you need to find out whether a user was logged in during a particular time period.

We can check that using the last command in the format below. You can change those values according to your needs.

last -F | grep -E 'Apr ([ 1-9]|1[0-9]|2[0-9]|30)' | grep 2020

Use the below command to find the login for a particular user.

[root@openvas ~]# last -F user1 | grep -E 'Jul ([ 1-9]|1[0-9]|2[0-9]|30)' | grep 2020
user1 pts/1 192.168.185.1 Sun Jul 5 14:27:12 2020 - Sun Jul 5 14:27:30 2020 (00:00)

3. Check Bad Login History: We can also check for users who tried to access the server with a wrong password (or had forgotten it). The system stores the history of those attempts as well.

We can check it with the lastb command, as shown below.

[root@openvas ~]# lastb
user1      ssh:notty   192.168.185.1  Sun  Jul  5  14:46 - 14:46 (00:00)
user1      ssh:notty   192.168.185.1  Sun  Jul  5  14:46 - 14:46 (00:00)
root       ssh:notty   192.168.185.1  Thu  Jul  2  14:11 - 14:11 (00:00)

lastb reads its records from /var/log/btmp. That file is binary, so tail -f /var/log/btmp prints unreadable data; to read the same file directly, use last -f /var/log/btmp.

Check Login History With Hostname: 

We can also check the hostname of the logged-in user in the last column using the “-a” option with last command as shown below.

[root@openvas ~]# last -2 -a
user1    ssh:notty   Sun    Jul   5 14:50 - 14:50 (00:00)    192.168.185.1
user1    ssh:notty   Sun    Jul   5 14:46 - 14:46 (00:00)    192.168.185.1

Check Shutdown and Runlevel: We can use the “-x” option to check the shutdown and run level changes on your machine, as shown in the output below.

[root@openvas ~]# last -10 -x
root       pts/1        192.168.185.1    Sun Jul 5 14:26 - 14:26 (00:00)
root       pts/0        192.168.185.1    Sun Jul 5 14:15 still logged in
root       tty1                          Sun Jul 5 14:14 still logged in
runlevel   (to lvl 3)   4.18.0-147.8.1.e Sun Jul 5 14:14 still running
reboot     system boot  4.18.0-147.8.1.e Sun Jul 5 14:13 still running
shutdown   system down  4.18.0-147.8.1.e Fri Jul 3 13:41 - 14:13 (2+00:32)

We can also find these entries in the /var/log/secure file on CentOS / Red Hat (the equivalent file on Debian-based systems is /var/log/auth.log).

[root@openvas ~]# cat /var/log/secure | grep Accepted | awk '{print $1,$2,$3,$9}'
Jul 2 13:58:58  root
Jul 2 14:11:50  root
Jul 3 12:36:08  root
Jul 5 14:15:16  root
Jul 5 14:26:51  root
Jul 5 14:27:02  user1
Jul 5 14:45:28  user1

Use the below command to see failed attempts.

 cat /var/log/secure | grep 'Failed password' | awk '{print $1,$2,$3,$11}'
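
The awk command above prints field 11, which is the source address only when the account exists; on "invalid user" lines that field holds the attempted name instead. The following is an added example (not part of the original post) that summarises failed attempts per source address by parsing from the fixed end of the line. The log lines, the address 192.168.185.7 and the function names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: failed SSH password attempts per source address.

# Constructed sample lines in the sshd format written to /var/log/secure.
sample_log() {
cat <<'EOF'
Jul  2 14:11:40 openvas sshd[1500]: Failed password for root from 192.168.185.1 port 49000 ssh2
Jul  5 14:45:28 openvas sshd[2090]: Accepted password for user1 from 192.168.185.1 port 50100 ssh2
Jul  5 14:46:01 openvas sshd[2101]: Failed password for user1 from 192.168.185.1 port 50122 ssh2
Jul  5 14:46:05 openvas sshd[2101]: Failed password for user1 from 192.168.185.1 port 50122 ssh2
Jul  5 14:47:10 openvas sshd[2110]: Failed password for invalid user admin from 192.168.185.7 port 40022 ssh2
Jul  5 14:47:12 openvas sshd[2110]: Failed password for invalid user admin from 192.168.185.7 port 40022 ssh2
Jul  5 14:47:15 openvas sshd[2110]: Failed password for invalid user test from 192.168.185.7 port 40022 ssh2
Jul  5 14:47:19 openvas sshd[2110]: Failed password for invalid user web admin from 192.168.185.7 port 40022 ssh2
EOF
}

# Usage: failed_by_source [FILE]   (reads stdin when FILE is omitted)
# Prints "<attempts> <source> invalid=<n> users=<distinct names>", busiest first.
failed_by_source() {
  awk '
  {
    line = $0
    # Anchor on the syslog prefix so the username text cannot shift the match.
    if (!sub(/^[A-Z][a-z]+ +[0-9]+ [0-9:]+ [^ ]+ sshd\[[0-9]+\]: Failed password for /, "", line)) next
    inv = sub(/^invalid user /, "", line)
    # Locate the fixed " from ADDR port N ssh2" tail; what precedes it is the name.
    if (!match(line, / from [^ ]+ port [0-9]+ ssh2$/)) next
    user = substr(line, 1, RSTART - 1)
    split(substr(line, RSTART + 6), tail, " ")
    src = tail[1]
    total[src]++
    invalid[src] += inv
    if (!((src, user) in seen)) { seen[src, user] = 1; users[src]++ }
  }
  END {
    for (s in total)
      printf "%d %s invalid=%d users=%d\n", total[s], s, invalid[s], users[s]
  }' "${1:--}" | sort -k1,1nr -k2,2
}

# Run against the constructed sample; on a real host pass /var/log/secure.
sample_log | failed_by_source
```

A source with a high invalid= count and several distinct names is guessing account names rather than mistyping one password.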

Use “-R” to suppress the hostname field as shown below. 

[root@openvas ~]# last -10 -R
user1       pts/1       Sun   Jul 5 14:45 - 14:46   (00:01)
user1       pts/1       Sun   Jul 5 14:27 - 14:27   (00:00)
root        pts/1       Sun   Jul 5 14:26 - 14:26   (00:00)
root        pts/0       Sun   Jul 5 14:15   still   logged in
root        tty1        Sun   Jul 5 14:14   still   logged in
reboot      system boot Sun   Jul 5 14:13   still   running

The lastlog command is very useful when you want to see who has not logged into the system for more than 30 to 60 days; it also shows you the latest login of all users.

[root@openvas ~]# lastlog
Username    Port      From               Latest
root        pts/1     192.168.185.1      Sun Jul 5 14:26:53 -0400 2020
bin                                      **Never logged in**
daemon                                   **Never logged in**
adm                                      **Never logged in**
lp                                       **Never logged in**
sync                                     **Never logged in**
shutdown                                 **Never logged in**
halt                                     **Never logged in**
mail                                     **Never logged in**
operator                                 **Never logged in**
games                                    **Never logged in**
ftp                                      **Never logged in**
nobody                                   **Never logged in**

Use the “last pts/2” command to check logins on a particular Linux terminal connected to the machine.

Check login based on username: Use the “last <username>” command to check it.

[root@openvas ~]# last user1
user1   pts/1    192.168.185.1   Sun   Jul 5 14:45 - 14:46  (00:01)
user1   pts/1    192.168.185.1   Sun   Jul 5 14:27 - 14:27  (00:00)

That’s it.

I'm the founder of Curious Viral. I hope this blog will provide you complete information about Linux Technology & I would like to share my technical knowledge with you which I have learned during this period.
