Who, when, and from where? Good security practices say you should know who’s been accessing your Linux computer. We show you how.
The wtmp File
Linux and other Unix-like operating systems such as MacOS are very good at logging. Somewhere in the bowels of the system, there is a log for just about everything you can think of. The log file we’re interested in is called wtmp. The “w” might stand for “when” or “who”—no one seems to agree. The “tmp” part probably stands for “temporary,” but it might also stand for “timestamp.”
What we do know is that wtmp is a log that captures and records every login and logout event. Reviewing the data in the wtmp log is a basic step in taking a security-minded approach to your system admin duties. For a typical family computer, it might not be so critical from a security perspective, but it is interesting to be able to review your combined use of the computer.
Unlike many of the text-based log files in Linux, wtmp is a binary file. To access the data within it, we need to use a tool designed for that task.
That tool is the last command.
The last Command
The last command reads data from the wtmp log and displays it in a terminal window.
If you type last and press Enter it will display all of the records from the log file.
last
Each record from wtmp is displayed in the terminal window.
Read the remaining 62 paragraphs
Source : How to Use the last Command on Linux
