Linux User Access and User Access Log
From w3cyberlearnings
Who is currently accessing your Linux box?
- There are many reasons you may want to find out who is currently logged in to your system.
Find out who is currently logged in to your system: who
- The who command lists the users who are currently logged in to your system.
root@ubuntu:~# who
sophal tty7 2012-03-30 12:32 (:0)
sophal pts/0 2012-03-30 13:21 (:0.0)
sophal pts/1 2012-03-30 14:38 (:0.0)
sophal pts/2 2012-04-09 16:22 (:0.0)
View users' last logins and activity on the system: last
- Run without any options, last lists the login sessions of all users, along with system reboots.
root@ubuntu:~# last
sophal pts/2 :0.0 Mon Apr 9 16:22 still logged in
sophal pts/1 :0.0 Fri Mar 30 14:38 still logged in
sophal pts/0 :0.0 Fri Mar 30 13:21 still logged in
sophal tty7 :0 Fri Mar 30 12:32 still logged in
reboot system boot 2.6.38-13-generi Fri Mar 30 06:31 - 12:05 (11+04:34)
sophal pts/2 :0.0 Fri Mar 30 07:16 - crash (00:-45)
sophal pts/1 :0.0 Fri Mar 23 09:47 - crash (6+20:43)
sophal pts/0 :0.0 Fri Mar 23 07:22 - crash (6+23:08)
sophal tty7 :0 Thu Mar 22 14:45 - crash (7+15:45)
reboot system boot 2.6.38-13-generi Thu Mar 22 08:45 - 12:05 (19+02:20)
sophal pts/3 :0.0 Tue Mar 20 07:25 - down (2+07:10)
sophal pts/2 :0.0 Mon Mar 19 10:38 - down (3+03:57)
sophal pts/1 :0.0 Wed Mar 7 16:08 - down (14+22:26)
sophal pts/0 :0.0 Wed Mar 7 15:59 - down (14+22:36)
sophal tty7 :0 Wed Mar 7 15:57 - down (14+22:37)
reboot system boot 2.6.38-13-generi Wed Mar 7 09:49 - 14:35 (15+04:46)
sophal pts/1 :0.0 Mon Mar 5 17:11 - crash (1+16:38)
sophal pts/0 :0.0 Mon Mar 5 15:46 - crash (1+18:02)
sophal tty7 :0 Mon Mar 5 14:54 - crash (1+18:55)
reboot system boot 2.6.38-13-generi Tue Feb 21 08:23 - 14:35 (30+06:11)
sophal pts/2 :0.0 Mon Mar 5 14:02 - down (00:09)
sophal pts/1 :0.0 Thu Mar 1 11:24 - 14:12 (4+02:47)
The last command with an argument (here a terminal name, pts/2)
root@ubuntu:~# last pts/2
sophal pts/2 :0.0 Mon Apr 9 16:22 still logged in
sophal pts/2 :0.0 Fri Mar 30 07:16 - crash (00:-45)
sophal pts/2 :0.0 Mon Mar 19 10:38 - down (3+03:57)
sophal pts/2 :0.0 Mon Mar 5 14:02 - down (00:09)

wtmp begins Thu Mar 1 11:24:41 2012
Check a user's recent login activity
root@ubuntu:~# last sophal
sophal pts/2 :0.0 Mon Apr 9 16:22 still logged in
sophal pts/1 :0.0 Fri Mar 30 14:38 still logged in
sophal pts/0 :0.0 Fri Mar 30 13:21 still logged in
sophal tty7 :0 Fri Mar 30 12:32 still logged in
sophal pts/2 :0.0 Fri Mar 30 07:16 - crash (00:-45)
sophal pts/1 :0.0 Fri Mar 23 09:47 - crash (6+20:43)
sophal pts/0 :0.0 Fri Mar 23 07:22 - crash (6+23:08)
sophal tty7 :0 Thu Mar 22 14:45 - crash (7+15:45)
sophal pts/3 :0.0 Tue Mar 20 07:25 - down (2+07:10)
sophal pts/2 :0.0 Mon Mar 19 10:38 - down (3+03:57)
sophal pts/1 :0.0 Wed Mar 7 16:08 - down (14+22:26)
sophal pts/0 :0.0 Wed Mar 7 15:59 - down (14+22:36)
sophal tty7 :0 Wed Mar 7 15:57 - down (14+22:37)
sophal pts/1 :0.0 Mon Mar 5 17:11 - crash (1+16:38)
sophal pts/0 :0.0 Mon Mar 5 15:46 - crash (1+18:02)
sophal tty7 :0 Mon Mar 5 14:54 - crash (1+18:55)
sophal pts/2 :0.0 Mon Mar 5 14:02 - down (00:09)
sophal pts/1 :0.0 Thu Mar 1 11:24 - 14:12 (4+02:47)

wtmp begins Thu Mar 1 11:24:41 2012
How to find the log file that records user access and login attempts on your system
Ubuntu system
- For older logs, check auth.log.1, etc.
root@htvlc:/# cat /var/log/auth.log
CentOS system
- For older logs, check secure.1, etc.
root@htvlc:/# cat /var/log/secure
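Reading the whole file with cat gets unwieldy on a busy host, so the following added example (not part of the original page) counts sshd login results per user and source address from auth.log or secure style text. It assumes the entries are in the OpenSSH sshd syslog format; the function names and the sample lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: summarise sshd login results from auth.log / secure text.

# Constructed sample lines in the OpenSSH sshd syslog format (not from a real host).
sample_auth_log() {
cat <<'EOF'
Apr  9 16:20:01 ubuntu sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Apr  9 16:20:05 ubuntu sshd[2211]: Failed password for root from 203.0.113.5 port 51236 ssh2
Apr  9 16:20:09 ubuntu sshd[2211]: Failed password for root from 203.0.113.5 port 51240 ssh2
Apr  9 16:21:30 ubuntu sshd[2250]: Failed password for sophal from 192.0.2.10 port 40020 ssh2
Apr  9 16:22:10 ubuntu sshd[2301]: Accepted password for sophal from 192.0.2.10 port 40022 ssh2
Apr  9 16:25:00 ubuntu sudo:   sophal : TTY=pts/2 ; PWD=/home/sophal ; USER=root ; COMMAND=/bin/cat /var/log/auth.log
EOF
}

# Read log text on stdin; print one "RESULT USER SOURCE COUNT" line per combination.
summarize_auth() {
  awk '
    / sshd\[[0-9]+\]: (Failed|Accepted) (password|publickey) for / {
      result = ($0 ~ /: Failed /) ? "FAILED" : "ACCEPTED"
      # The user name is chosen by the remote side and may itself contain
      # the word "from", so keep the LAST "from": it precedes the address.
      for (i = 1; i <= NF; i++)
        if ($i == "from") { user = $(i - 1); src = $(i + 1) }
      # sshd writes "invalid user NAME" for accounts that do not exist.
      if ($0 ~ / for invalid user /) user = user "(invalid)"
      count[result " " user " " src]++
    }
    END { for (k in count) print k, count[k] }
  ' | LC_ALL=C sort
}

# Demo on the constructed sample. On a real host (as root):
#   summarize_auth < /var/log/auth.log     (Ubuntu)
#   summarize_auth < /var/log/secure       (CentOS)
sample_auth_log | summarize_auth
```

A source address with many FAILED lines across several user names, or a FAILED run followed by an ACCEPTED line for the same user, is worth comparing against the last output for that account.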