Who, when, and from where? Good security practices say you should know who’s been accessing your Linux computer. We show you how.
The wtmp File
Linux and other Unix-like operating systems such as macOS are very good at logging. Somewhere in the bowels of the system, there is a log for just about everything you can think of. The log file we're interested in is called wtmp. The "w" might stand for "when" or "who"; no one seems to agree. The "tmp" part probably stands for "temporary," but it might also stand for "timestamp."
What we do know is that wtmp is a log that captures and records every login and logout event. Reviewing the data in the wtmp log is a basic step in taking a security-minded approach to your system admin duties. For a typical family computer, it might not be so critical from a security perspective, but it is interesting to be able to review your combined use of the computer.
Unlike many of the text-based log files in Linux, wtmp is a binary file. To access the data within it, we need to use a tool designed for that task.
That tool is the last command.
The last Command
The last command reads data from the wtmp log and displays it in a terminal window.
If you type last and press Enter, it will display all of the records from the log file.
last
Each record from wtmp is displayed in the terminal window.
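To make "binary file" concrete, here is an added example (not from the original article, and not how last itself is implemented) that decodes wtmp-style records and pairs logins with logouts on the same terminal line. It assumes the 384-byte glibc struct utmp layout used on x86-64 Linux; the helper names and the sample records are constructed for illustration.

```python
import struct
from datetime import datetime, timezone

# Assumption: glibc "struct utmp" on x86-64 Linux, 384 bytes per record.
# Other platforms and C libraries lay the record out differently.
UTMP = struct.Struct("<h2xi32s4s32s256shhiii4i20s")
TYPES = {1: "RUN_LVL", 2: "BOOT_TIME", 7: "USER_PROCESS", 8: "DEAD_PROCESS"}

def _text(raw):
    # Fixed-width fields are NUL-padded, so cut at the first NUL byte.
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def parse_wtmp(data):
    """Return (records, leftover); leftover counts bytes of a truncated tail."""
    leftover = len(data) % UTMP.size
    records = []
    for off in range(0, len(data) - leftover, UTMP.size):
        f = UTMP.unpack_from(data, off)
        records.append({
            "type": TYPES.get(f[0], f"TYPE_{f[0]}"), "pid": f[1],
            "line": _text(f[2]), "user": _text(f[4]), "host": _text(f[5]),
            "time": datetime.fromtimestamp(f[9], timezone.utc)})
    return records, leftover

def sessions(records):
    """Pair each login with the next logout on the same terminal line."""
    open_by_line, done = {}, []
    for r in records:
        if r["type"] == "USER_PROCESS":
            open_by_line[r["line"]] = r
        elif r["type"] == "DEAD_PROCESS" and r["line"] in open_by_line:
            s = open_by_line.pop(r["line"])
            secs = (r["time"] - s["time"]).total_seconds()
            done.append((s["user"], s["line"], s["host"], secs))
    # Logins with no matching logout are still open (duration None).
    done += [(s["user"], s["line"], s["host"], None)
             for s in open_by_line.values()]
    return done

def _rec(ut_type, pid, line, user, host, ts):
    # Builds one constructed sample record; this is test data, not a real log.
    return UTMP.pack(ut_type, pid, line.encode(), b"", user.encode(),
                     host.encode(), 0, 0, 0, ts, 0, 0, 0, 0, 0, b"")

SAMPLE = (_rec(2, 0, "~", "reboot", "", 1700000000)
          + _rec(7, 4242, "pts/0", "alice", "192.0.2.10", 1700000100)
          + _rec(8, 4242, "pts/0", "", "", 1700003700)
          + _rec(7, 4300, "tty1", "bob", "", 1700004000)
          + b"\x07\x00")  # two stray bytes: a truncated final record
```

A non-zero leftover count means the file does not end on a record boundary, which is worth noting when reviewing a log for completeness.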
Source : How to Use the last Command on Linux