Home Learn Linux A guide to tracking user login history in Linux

A guide to tracking user login history in Linux

We'll show you how to check user login history in Linux using various commands and tools. By the end of this guide, you'll be equipped to track user activity on your Linux system effectively. Ready to enhance your Linux system management skills?

by Arun Kumar
Published: Updated:
linux user auditing

Have you ever wondered who has logged into your Linux system and when? I have, quite a few times. Being a die-hard Linux fan and a bit of a security geek, I enjoy diving deep into the system logs to satisfy my curiosity. Today, I would like to share with you an aspect of Linux that has fascinated me over the years: user login history.

Understanding Linux login history

The user login history in Linux is a treasure trove of information that provides a detailed record of who logged into the system, when they logged in, from where they logged in, and much more. What’s not to love? Well, unless the logs get too big and take up too much of your precious disk space. But hey, that’s a story for another day.

A dive into the details: What information is saved in Linux login history?

Linux collects a significant amount of detailed data each time a user logs in or out. This makes it a veritable goldmine of information for system administrators and security experts alike.

Let’s take a look at a sample output from the ‘last’ command:

john pts/0 Thu Jul 13 20:42 still logged in

This single line of information is packed with valuable data. Here’s what each field means:

The first field, ‘john’ in our example, is the username. It’s the identifier of the user who logged into the system. Linux keeps track of every user who logs into the system, even root. This allows you to see who has accessed the system and when.

Next up is the ‘pts/0’ entry, representing the terminal from which the user accessed the system. ‘pts’ stands for pseudo-terminal slave. In simpler terms, it’s the terminal emulator window like the one you get when you open your terminal application.

Remote IP
The ‘’ part shows the remote IP address from which the user accessed your system. This is especially important when dealing with remote connections, as it allows you to see where the login attempts are coming from.

Time Stamp
The ‘Thu Jul 13 20:42’ section represents the date and time when the login occurred. This timestamp is crucial as it allows you to correlate system events with login times, aiding in debugging and system administration tasks.

Login Status
Finally, the ‘still logged in’ phrase denotes the current status of the session. If the user is still logged in, it would say ‘still logged in’. Otherwise, it would show the duration of the login session or when the session ended.

By examining the Linux login history, you get a comprehensive overview of user activity on your system. This not only helps you maintain your system but also plays a crucial role in identifying and mitigating potential security threats. Remember, knowledge of your system’s ins and outs is the first step in maintaining a secure and efficient Linux environment.

Tools to check user login history

When it comes to inspecting the login history, Linux, being the Swiss Army knife of operating systems, provides multiple tools. However, the two I like the most are last and lastb commands.

The ‘last’ command

This command is my go-to tool when I want to check the user login history. The last command reads the /var/log/wtmp file, which maintains a history of all login and logout activities.

Let’s say you want to see the login history of a user named ‘john’. Just open your terminal and type:

last john

You would see a list of entries showing each time ‘john’ has logged into the system, complete with the date, time, session duration, and terminal. Talk about thoroughness, right?

The ‘lastb’ command

While ‘last’ gives a good deal of information, ‘lastb’ ups the ante by showing all the failed login attempts. This is especially handy when you suspect unauthorized attempts to access your system. Simply type:


And lo and behold! You would get a detailed record of all failed login attempts. Quite an eye-opener, isn’t it?

A practical example

Let me share a practical example from my own experience. I once noticed unusual system behavior and suspected unauthorized access. So, I decided to look at the login history using the ‘last’ command:


The command output a long list of entries. However, a particular one caught my eye:

root pts/1 Thu Jul 13 15:15 still logged in

This was unusual because I had not logged in as the root user from that IP. Then, I used the ‘lastb’ command and found multiple failed attempts to log in as root just before the successful login. The jig was up! I had caught an intruder red-handed.

Common troubleshooting tips

While ‘last’ and ‘lastb’ are quite reliable, you might encounter a few issues while using them.

Truncated Output
If the ‘last’ command shows incomplete or truncated output, this could be because the /var/log/wtmp file has grown too large. You can solve this by periodically archiving and clearing this file using the following command:

cat /dev/null > /var/log/wtmp

But do remember, this would remove all login history information.

No Output for ‘lastb’
Sometimes, ‘lastb’ might not display any output, even when you know there have been failed login attempts. This could be because the /var/log/btmp file, which ‘lastb’ reads, does not exist. You can resolve this issue by creating the file:

touch /var/log/btmp

Pro Tips

Now, here are a couple of pro tips that can make your user login history inspection even more effective:

Limiting ‘last’ Output
If the ‘last’ command outputs too many entries, you can limit the number of entries by specifying a number after the command. For instance, if you want to see the last 10 entries, you would type:

last -10

Checking for Reboot Entries
You can also use ‘last’ to see when your system was rebooted. The following command would show all reboot entries:

last reboot

This can be particularly useful when troubleshooting system stability issues.

BONUS: Exporting Linux login history to a CSV file

Now that we have uncovered the ins and outs of checking user login history, it’s time for something even more interesting: exporting this data to a CSV (Comma-Separated Values) file. This might sound like a tall order, but trust me, with Linux, it’s as easy as pie.

Exporting your Linux login history to a CSV file can be beneficial in several ways. Perhaps you want to do some offline analysis, or maybe you are planning to import the data into a database or even a spreadsheet application for better visualization. Whatever your reason, once you master this, it’ll be a handy tool in your Linux toolbox.

The ‘last’ command, though mighty useful, does not natively support exporting data to a CSV file. But fear not, we can use the power of the Linux command line to achieve this. We will employ the ‘awk’ command, a powerful text processing tool that can manipulate and transform text data in really exciting ways.

Here is a simple command that would convert the output of ‘last’ into a CSV format:

last | awk '{ print $1 "," $2 "," $3 "," $4 "," $5 "," $6 "," $7 "," $8 "," $9 }' > login_history.csv

This command works as follows:

  • The ‘last’ command retrieves the login history.
  • The pipe operator (‘|’) passes the output of ‘last’ to the ‘awk’ command.
  • The ‘awk’ command uses its print function to output each field of the ‘last’ command, separated by commas.
  • The output is then redirected (‘>’) to a file named ‘login_history.csv’.

The result would be a CSV file with each login entry on a new line, and the details (username, terminal, remote IP, date, and time) separated by commas. Just what we wanted, isn’t it?

If you open the ‘login_history.csv’ file, it might look something like this:

john,pts/0,,Thu,Jul,13,20:42,still,logged in

It’s important to note that the ‘awk’ command is very flexible and can be adjusted to suit your needs. For instance, if you want to include the hostname in your CSV, you can add another field to the ‘awk’ command.

Exporting Linux login history to a CSV file is a powerful technique that allows you to further analyze and interpret login data. Once you’ve got a handle on this, you would find it an indispensable part of your Linux administration toolkit.


There you have it, my friends, a detailed tour through the corridors of Linux login history. Together, we’ve delved into the nooks and crannies of user login data, from understanding what exactly is stored when a user logs in, to checking the login history using the ‘last’ and ‘lastb’ commands.

We didn’t stop there, though. We took a practical example from my own experience and dove headfirst into troubleshooting common issues, followed by a few pro tips that could make your life as a Linux user or administrator much easier. To top it all off, we even explored the nitty-gritty of exporting the login history to a CSV file. This is an extremely handy technique to add to your repertoire, enabling more flexible data analysis and record keeping.

Through this exploration, we’ve seen that the Linux login history is more than just a list of who accessed your system and when. It’s a comprehensive record of system usage and a crucial tool for system administration and security.

You may also like

Leave a Comment



FOSS Linux is a leading resource for Linux enthusiasts and professionals alike. With a focus on providing the best Linux tutorials, open-source apps, news, and reviews written by team of expert authors. FOSS Linux is the go-to source for all things Linux.

Whether you’re a beginner or an experienced user, FOSS Linux has something for everyone.

Follow Us


©2016-2023 FOSS LINUX



“Linux” is the registered trademark by Linus Torvalds in the U.S. and other countries.