# How to check last login time for user # There are a number of ways to check last logged in users with time details. 1. `last` This command searches back through the file `/var/log/wtmp (or the file designated by the -f flag)` and displays a list of all users logged in/out since the file was created. *Example*__To view last login of all users:__ `$ last` `bob pts/7 server1.example Mon May 5 14:36 still logged in` `bob pts/5 server1.example Mon May 5 14:34 still logged in` `root pts/5 main.test Sun Apr 27 04:18 - 04:20 (00:02)` `john pts/11 server1.example Sat Apr 26 06:25 - 17:16 (10:51)` `john pts/10 server1.example Sat Apr 26 06:20 - 17:16 (10:56)` 2. *Example*__To view last login of specific user:__ `$ last bob` `bob pts/7 server1.example Mon May 5 14:36 still logged in` `bob pts/5 server1.example Mon May 5 14:34 still logged in` 3. *Example*__To view ip address details of the source machine:__ `$ last bob -i` `bob pts/7 192.168.0.100 Mon May 5 14:36 still logged in` `bob pts/5 192.168.0.100 Mon May 5 14:34 still logged in` 3. `lastlog` This formats and prints the contents of the last login log `/var/log/lastlog` file. *Example*__To view last login time of user bob:__ `$ lastlog -u bob` `Username Port From Latest` `dave pts/7 server1.example Mon May 5 14:36:52 -0400 2014` # Track successful/failed login attempts # 1. Login attempts are stored in `/var/log/secure` and this file can be checked. `# less /var/log/secure | grep bob` `May 18 14:56:17 lab1 unix_chkpwd[17490]: password check failed for user (bob)` `May 18 14:56:17 lab1 sshd[17489]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=server1.example.com user=bob` `May 18 14:56:18 lab1 sshd[17481]: Accepted keyboard-interactive/pam for bob from 192.168.0.25 port 60735 ssh2` `May 18 14:56:18 lab1 sshd[17481]: pam_unix(sshd:session): session opened for user bob by (uid=0)` `May 18 16:50:04 lab1 unix_chkpwd[19626]: password check failed for user (bob)` `May 18 16:50:04 lab1 sudo: pam_unix(sudo:auth): authentication failure; logname=bob uid=0 euid=0 tty=/dev/pts/12 ruser= rhost= user=bob` `May 18 16:50:04 lab1 sudo: bob : TTY=pts/12 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/su -` `May 18 16:50:04 lab1 su: pam_unix(su-l:session): session opened for user root by bob(uid=0)` 2. Collect authentication reports for all recent attempts made on the system. *Example*__Reports for all attempts:__ `# aureport -au -i` `Authentication Report` `============================================` `# date time acct host term exe success event` `============================================` `1. 05/16/14 10:12:54 bob ? /dev/pts/116 /usr/bin/sudo yes 6946469` `2. 05/16/14 12:09:19 jeff ? /dev/pts/117 /usr/bin/sudo yes 6947443` `3. 05/16/14 12:16:11 jeff ? /dev/pts/102 /usr/bin/sudo yes 6947512` `4. 05/16/14 13:00:10 bob ? /dev/pts/116 /usr/bin/sudo yes 6947866` *Example*__Reports for successful attempts:__ `# aureport -au -i --success` `Authentication Report` `============================================` `# date time acct host term exe success event` `============================================` `1. 05/16/14 10:12:54 bob ? /dev/pts/116 /usr/bin/sudo yes 6946469` `2. 05/16/14 12:09:19 jeff ? /dev/pts/117 /usr/bin/sudo yes 6947443` `3. 05/16/14 12:16:11 jeff ? /dev/pts/102 /usr/bin/sudo yes 6947512` `4. 05/16/14 13:00:10 bob ? /dev/pts/116 /usr/bin/sudo yes 6947866` *Example*__Reports for failed attempts:__ `# aureport -au -i --failed` `Authentication Report` `============================================` `# date time acct host term exe success event` `============================================` `1. 05/16/14 15:42:11 dave ? /dev/pts/124 /usr/bin/sudo no 6949322` `2. 05/17/14 12:02:53 andy 10.10.10.26 ssh /usr/sbin/sshd no 6959885` `3. 05/18/14 01:21:06 abhay ? /dev/pts/12 /usr/bin/sudo no 6967954` *Example*__Login Failures:__ `# aureport -l --failed` `Login Report` `============================================` `# date time auid host term exe success event` `============================================` `1. 05/16/14 21:50:22 pete 10.191.29.164 sshd /usr/sbin/sshd no 6952386` `2. 05/17/14 12:02:09 andy 10.10.10.26 sshd /usr/sbin/sshd no 6959875` `3. 05/17/14 12:02:48 andy 10.10.10.26 sshd /usr/sbin/sshd no 6959884` *Example*__Successful Logins:__ `# aureport -l --success` `Login Report` `============================================` `# date time auid host term exe success event` `============================================` `1. 05/16/14 21:50:22 42771 10.191.29.164 sshd /usr/sbin/sshd yes 6952386` `2. 05/17/14 12:02:09 34566 10.10.10.26 sshd /usr/sbin/sshd yes 6959875` `3. 05/17/14 12:02:48 34566 10.10.10.26 sshd /usr/sbin/sshd yes 6959884` *Example*__Login Summary Report:__ `# aureport -l --success --summary -i` `Success Login Summary Report` `============================================` `total auid` `============================================` `4 alison` `4 alex` `3 andy` `2 suzanne` `1 paul` `1 dave` `1 pete` `1 rashmi` ##Refs:## 1. https://www.golinuxhub.com/2014/05/how-to-check-last-login-time-for-users.html 2. https://www.golinuxhub.com/2014/05/how-to-track-all-successful-and-failed.html