Users Logged In Today: System Login Tracking and User Activity Monitoring
Learn how to track user login activity using the last command and system logs. Master user activity monitoring and security auditing techniques.
User login tracking is essential for system security, compliance, and administrative oversight. Understanding who has accessed your system and when helps detect unauthorized access, monitor user activity, and maintain audit trails. The last command provides a powerful way to examine login history, but extracting meaningful information requires combining it with text processing tools.
Understanding Login Tracking
Why Login Tracking is Important
User login monitoring serves multiple purposes:
- Security auditing - Detect unauthorized access attempts
- Compliance requirements - Meet regulatory audit requirements
- User activity monitoring - Track when users access the system
- Incident investigation - Investigate security incidents
- Resource planning - Understand system usage patterns
Login Data Sources
Linux systems store login information in several locations:
- /var/log/wtmp - Historical login records (used by last)
- /var/log/utmp - Current login sessions (used by who)
- /var/log/auth.log - Authentication events (used by journalctl)
- /var/log/secure - Security-related events (RHEL/CentOS)
Basic Login Tracking
Simple Today's Login List
# List users who logged in today
last | grep "$(date '+%a %b %e')" | awk '{print $1}' | sort | uniq
Command Breakdown
- last - Displays recent login history from /var/log/wtmp
- date '+%a %b %e' - Outputs today's date in the format used by last (e.g., Thu Jun 13)
  - %a = abbreviated weekday
  - %b = abbreviated month
  - %e = day of month (with space-padding)
- grep "$(date ...)" - Filters only login entries for today
- awk '{print $1}' - Extracts the usernames from the matched lines
- sort | uniq - Removes duplicates to show unique users
Example Output
$ last | grep "$(date '+%a %b %e')" | awk '{print $1}' | sort | uniq
admin
deploy
ubuntu
These are users who successfully logged in on the current date.
Advanced Login Tracking
Detailed Login Information
# Show user, source host, and login date/time (remote logins)
last | grep "$(date '+%a %b %e')" | awk '{print $1, $3, $4, $5, $6, $7}' | sort | uniq
# Example output:
# admin 192.168.1.100 Thu Jun 13 10:30
# john 192.168.1.101 Thu Jun 13 09:15
# root 192.168.1.102 Thu Jun 13 08:00
Login Count by User
# Count logins per user today
last | grep "$(date '+%a %b %e')" | awk '{print $1}' | sort | uniq -c | sort -nr
# Example output:
# 3 admin
# 2 john
# 1 root
# 1 user1
Alternative Login Tracking Methods
Using journalctl (systemd systems)
# Show today's logins using journalctl
journalctl --since today | grep "session opened"
# Show failed login attempts
journalctl --since today | grep "Failed password"
# Show successful logins
journalctl --since today | grep "session opened for user"
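The journalctl greps above list matching lines but do not aggregate them. The following added example (not part of the original article) counts failed password attempts per source address and reports accepted logins from a source that failed earlier. The function names and the sample lines are constructed for illustration, and the field positions assume journalctl's default short output format.

```shell
#!/bin/sh
# Added example, not from the original article: aggregate sshd journal lines.

# Constructed sample in journalctl's default short output format.
sample_journal() {
cat <<'EOF'
Jun 13 10:29:58 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Jun 13 10:30:03 web01 sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Jun 13 10:30:09 web01 sshd[2104]: Failed password for invalid user a from 192.0.2.1 from 203.0.113.7 port 40150 ssh2
Jun 13 10:31:12 web01 sshd[2110]: Failed password for deploy from 198.51.100.24 port 51022 ssh2
Jun 13 10:31:40 web01 sshd[2110]: Accepted password for deploy from 198.51.100.24 port 51022 ssh2
Jun 13 10:31:40 web01 sshd[2110]: pam_unix(sshd:session): session opened for user deploy(uid=1001) by (uid=0)
EOF
}

# failed_sources: print "count source" for failed password attempts, highest first.
# The address is read relative to the END of the line ("<addr> port <n> ssh2"),
# because the user name is client-supplied text and may itself contain " from ".
failed_sources() {
    awk '/sshd(-session)?\[[0-9]+\]: Failed password for / && $(NF - 2) == "port" { print $(NF - 3) }' |
        sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# accepted_after_failure: print "user source" for each accepted login whose
# source address already had a failed attempt earlier in the input.
accepted_after_failure() {
    awk '
        $5 !~ /^sshd(-session)?\[[0-9]+\]:$/ { next }
        $6 == "Failed" && $(NF - 2) == "port" { failed[$(NF - 3)] = 1; next }
        $6 == "Accepted" && $8 == "for" && $10 == "from" && ($11 in failed) { print $9, $11 }'
}

# Live use on a systemd host:
#   journalctl --since today | failed_sources
#   journalctl --since today | accepted_after_failure
sample_journal | failed_sources
sample_journal | accepted_after_failure
```

A failure followed by a success from the same address is often a mistyped password, so treat the second report as a list to review rather than an alert by itself.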
Using who and w commands
# Show currently logged in users
who
# Show detailed information about current users
w
# Show last login time for all users
lastlog
Using lastb for failed logins
# Show failed login attempts today
lastb | grep "$(date '+%a %b %e')"
# Count failed login attempts
lastb | grep "$(date '+%a %b %e')" | wc -l
Security Considerations
Monitoring Failed Logins
# Check for brute force attempts
lastb | grep "$(date '+%a %b %e')" | awk '{print $3}' | sort | uniq -c | sort -nr
# Check for failed root logins (anchored so names such as "rootkit" or hosts containing "root" are not counted)
lastb | grep "$(date '+%a %b %e')" | grep -c "^root "
# Show the ten source addresses with the most failed logins
lastb | grep "$(date '+%a %b %e')" | awk '{print $3}' | sort | uniq -c | sort -nr | head -10
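The pipelines in "Simple Today's Login List" and in this section match the date anywhere on the line and assume the host is always the third field. The following added example (not part of the original article) matches the date by field, skips the trailer and pseudo-user lines, and handles records with an empty host column. The function names, the sample records and the limit value are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article: field-aware last/lastb parsing.

# Constructed sample in lastb's default layout (documentation-range addresses).
sample_lastb() {
cat <<'EOF'
root     ssh:notty    203.0.113.7      Thu Jun 13 10:31 - 10:31  (00:00)
root     ssh:notty    203.0.113.7      Thu Jun 13 10:30 - 10:30  (00:00)
admin    ssh:notty    203.0.113.7      Thu Jun 13 10:29 - 10:29  (00:00)
deploy   ssh:notty    198.51.100.24    Thu Jun 13 09:02 - 09:02  (00:00)
rootkit  tty1                          Thu Jun 13 08:00 - 08:00  (00:00)
root     ssh:notty    203.0.113.7      Wed Jun 12 23:59 - 23:59  (00:00)
root     ssh:notty    192.0.2.50       Mon Jun  3 04:10 - 04:10  (00:00)

btmp begins Mon Jun  3 04:10:02 2024
EOF
}

# records_on DOW MON DAY: print "user source" for every record on that date.
# The date is found by scanning fields, so a record with an empty host column
# (local console) still matches; its source is reported as "local".
records_on() {
    awk -v dow="$1" -v mon="$2" -v day="$3" '
        NF < 5 || $2 == "begins" { next }              # blank line, "btmp begins" trailer
        $1 ~ /^(reboot|shutdown|runlevel)$/ { next }   # pseudo-users in last output
        {
            for (i = 3; i + 2 <= NF; i++)
                if ($i == dow && $(i + 1) == mon && $(i + 2) + 0 == day + 0) {
                    print $1, (i == 3 ? "local" : $3)
                    next
                }
        }'
}

# count_by COL: count values of column COL (1 = user, 2 = source), highest first.
count_by() {
    awk -v col="$1" '{ print $col }' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# sources_over LIMIT: remote sources with at least LIMIT records.
sources_over() {
    count_by 2 | awk -v limit="$1" '$2 != "local" && $1 + 0 >= limit + 0 { print $2 }'
}

# Live use (root needed for lastb); LC_ALL=C keeps date's names in the English
# form that last/lastb print. The limit of 5 is an arbitrary example value.
#   lastb | records_on $(LC_ALL=C date '+%a %b %e') | sources_over 5
sample_lastb | records_on Thu Jun 13 | count_by 2
```

The same `records_on` filter works on `last` output, where `count_by 1` gives the per-user login counts.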
Best Practices
1. Regular Monitoring
# Crontab entry: run the monitoring script every 30 minutes (login_tracker.sh is a site-specific script, not shown here)
*/30 * * * * /usr/local/bin/login_tracker.sh --monitor
2. Log Rotation
# Ensure wtmp is rotated regularly (-f forces an immediate rotation of every configured log)
sudo logrotate -f /etc/logrotate.conf
3. Backup Login Data
# Back up the wtmp file (-p preserves owner and mode so the copy is not more widely readable than the original)
sudo cp -p /var/log/wtmp /var/log/wtmp.backup.$(date +%Y%m%d)
4. Access Control
# Restrict access to login data
sudo chmod 640 /var/log/wtmp
sudo chown root:utmp /var/log/wtmp
Common Issues and Solutions
1. wtmp File Not Found
Problem: /var/log/wtmp doesn't exist
Solution: Check whether the system uses journalctl or a different log location
# Check for alternative log locations
ls -la /var/log/ | grep -E "(wtmp|utmp|auth)"
# Use journalctl instead
journalctl --since today | grep "session opened"
2. Permission Denied
Problem: Cannot read wtmp file
Solution: Run with appropriate permissions
# Run with sudo
sudo last | grep "$(date '+%a %b %e')"
# Or add user to utmp group
sudo usermod -a -G utmp username
3. Date Format Issues
Problem: Date format doesn't match
Solution: Check system date format
# Check current date format
date '+%a %b %e'
# Adjust format if needed
last --time-format iso | grep "$(date '+%Y-%m-%d')" # Match ISO timestamps (util-linux last)
Conclusion
User login tracking is essential for system security and administration. The last command provides powerful capabilities for examining login history, but extracting meaningful information requires combining it with text processing tools.
Key takeaways:
- Use last with date filtering - Focus on specific time periods
- Combine with text processing - Use grep, awk, sort, and uniq for analysis
- Monitor for suspicious activity - Track failed logins and unusual patterns
- Automate monitoring - Set up regular checks and alerts
- Maintain audit trails - Keep records of login activity for compliance