Question

26

How to read older login info using the "last" command?

rated 0 times [ 26] [ 0] / answers: 1 / hits: 34371 / 1 Year ago, sat, april 15, 2023, 2:11:04

The last command may show too few lines of user login info, truncated by when the “wtmp begins”.

If I want to get as much as possible last info (e.g., to see if my system was accessed from any unknown/suspicious IP using my username), how can I output the older “last” info?

If I use last -2000, intending to see 2000 lines of output, but the command may only return just a few lines, anything that happened before the “wtmp begins” would be truncated.)

Just wondering somehow if it is possible to output as many lines of login info as possible.

Answers

Only authorized users can answer the question. Please sign in first, or register a free account.

peratingcit

Add To Favorites

Follow

Total Points: 253

Total Questions: 122

Total Answers: 94

Location: Botswana

Member since Sat, Jan 7, 2023

1 Year ago

answered 1 Year ago otputler · Accepted Answer

The last command uses the binary file /var/log/wtmp to show a listing of last logged in users.

But /var/log/wtmp is a rotated file where old entries are archived into /var/log/wtmp.x where x is a digit [0-9].

So If you need to look deeper in the login history, try to open one of those files:

last -2000 -f /var/log/wtmp.1 | less