This document provides instructions on using the "last" and "lastb" commands to audit login, reboot, and shutdown actions on a Linux server. It describes how to use last to view successful login information and shutdown/reboot details from the /var/log/wtmp file. It also explains that lastb displays failed login attempts from /var/log/btmp and has the same parameters as last.
How To Audit Server Login and Shutdown or Reboot Activity
1. How To Audit Server – Login and Shutdown / Reboot
Table of Contents
Overview
Applies To
Last
Last – Successful Login Info
Last – Display Lines
Last – Full Display Lines
Last – RunLevel
Last – Shutdown’s Information
Last – Shutdown Information
Last – Reboot’s Information
Last – Reboot Information
Lastb
Lastb – Unsuccessful Login Info
Overview
The purpose of this guide is to audit last login, reboot and shutdown actions, and bad login attempts.
The last command also helps us understand how long each user has been logged in to the
server.
Applies To
Linux flavor operating systems.
Last
The last command lists all the users who have logged in; the information is retrieved from the file
“/var/log/wtmp”.
Last – Successful Login Info
List all the successful logins and also active login sessions on the server. Run the below command.
last
Last – Display Lines
To list 5 lines, run the below command. Display list from the “wtmp” file.
last -n 5
Last – Full Display Lines
To list full information and 5 lines run the below command. Display list from “wtmp” file. Print full login
and logout times and dates.
last -F -n 5
Last – RunLevel
List lines from the log “wtmp”; the -x option also displays system shutdown entries and run level
changes. To list full information and 5 lines, run the below command. Print full login and logout times and dates.
last -x
Last – Shutdown’s Information
List shutdown actions performed by users. Run the below command. Display from the log “wtmp”.
last -x | grep shutdown
Last – Shutdown Information
List shutdown action performed. Run the below command. Display from the log “wtmp”.
last -x | grep shutdown | head -1
last -x | grep shutdown | head -1 | awk '{print $5,$6,$7,$8}'
Last – Reboot’s Information
To know the reboot actions performed by users. Run the below command.
last reboot
Last – Reboot Information
List last reboot action performed. Run the below command. Display from the log “wtmp”.
last reboot -F | head -1
last reboot -F | head -1 | awk '{print $5,$6,$7,$8,$9}'
Lastb
The lastb command lists all the failed / bad login attempts on the system; the information is retrieved from the
file “/var/log/btmp”.
Note: lastb is similar to last, though lastb lists bad login information. All the parameters that are
applicable to the “last” command are applicable to “lastb” as well.
Lastb – Unsuccessful Login Info
List all the failed logins for the server. Display information from the file “/var/log/btmp”.
lastb
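Added example (not part of the original guide): a small filter that turns lastb output into a per-source count of failed logins, so repeated failures from one address stand out. The function names and the sample lines are assumptions constructed for illustration; the sample uses documentation IP addresses.

```shell
#!/bin/sh
# Summarise failed logins per source from lastb-style output.
# Reads lastb lines on stdin and prints "<count> <source> <user>",
# highest count first.
failed_by_source() {
    awk '
        # Skip the blank line and the "btmp begins ..." trailer lastb prints.
        NF == 0 || ($1 == "btmp" && $2 == "begins") { next }
        {
            user = $1
            # Console failures have no host column, so field 3 is already
            # the weekday; label those "local" instead of miscounting them.
            src = ($3 ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/) ? "local" : $3
            n[src " " user]++
        }
        END { for (k in n) print n[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2,2 -k3,3
}

# Constructed sample in the layout lastb prints (not real log data).
sample_lastb() {
    cat <<'EOF'
root     ssh:notty    203.0.113.7      Mon Aug 10 10:01 - 10:01  (00:00)
admin    ssh:notty    203.0.113.7      Mon Aug 10 10:01 - 10:01  (00:00)
root     ssh:notty    203.0.113.7      Mon Aug 10 10:02 - 10:02  (00:00)
root     ssh:notty    198.51.100.23    Mon Aug 10 11:15 - 11:15  (00:00)
oracle   tty1                          Mon Aug 10 12:30 - 12:30  (00:00)
root     ssh:notty    203.0.113.7      Mon Aug 10 10:03 - 10:03  (00:00)

btmp begins Mon Aug  3 09:12:44 2020
EOF
}

# Demo run on the constructed sample.
sample_lastb | failed_by_source
```

On a live server, pipe the real output in with lastb | failed_by_source; reading “/var/log/btmp” normally requires root.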