Friday, March 17, 2017

Oracle Linux - short tip #5 - check last logins

Need to quickly check who logged into a specific Oracle Linux machine and from where they logged in? You can use the last command to make that visible. In effect, last reads the file /var/log/wtmp and displays it in a human-readable manner. If you run cat on /var/log/wtmp, you will notice that this is not the "easiest" way of getting your information.

As an example, if you execute last with the -a parameter you might see something like the below:
[root@temmpnode ~]# last -a
opc      pts/3        Fri Mar 17 08:42   still logged in    61.113.181.37
opc      pts/3        Fri Mar 17 07:45 - 07:45  (00:00)     61.113.181.37
opc      pts/2        Fri Mar 17 07:14 - 09:24  (02:10)     61.113.181.37
opc      pts/1        Fri Mar 17 07:09   still logged in    61.113.181.37
opc      pts/0        Fri Mar 17 07:03   still logged in    61.113.181.37
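
The binary records that last decodes from /var/log/wtmp can also be parsed directly, which helps when a copied wtmp file has to be examined on another machine. The Python below is an added example, not part of the original post; it assumes the 384-byte glibc struct utmp layout of x86-64 Linux, the names parse_wtmp, sessions and make_record are made up for illustration, and the sample records are constructed.

```python
import ipaddress
import struct
from datetime import datetime, timezone

# Assumed layout: glibc "struct utmp" on x86-64 Linux, 384 bytes per record.
UTMP = struct.Struct("<h2xi32s4s32s256shhiii16s20x")
USER_PROCESS, DEAD_PROCESS = 7, 8  # ut_type values from <utmp.h>

def _text(raw):
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def _addr(raw):
    # ut_addr_v6: an IPv4 address uses the first 4 bytes, the other 12 are zero.
    if raw == bytes(16):
        return ""
    if raw[4:] == bytes(12):
        return str(ipaddress.IPv4Address(raw[:4]))
    return str(ipaddress.IPv6Address(raw))

def parse_wtmp(data):
    """Yield one dict per complete record; a truncated tail is ignored."""
    for off in range(0, len(data) - len(data) % UTMP.size, UTMP.size):
        typ, pid, line, _, user, host, _, _, _, sec, _, addr = UTMP.unpack_from(data, off)
        yield {"type": typ, "pid": pid, "line": _text(line), "user": _text(user),
               "host": _text(host), "addr": _addr(addr),
               "time": datetime.fromtimestamp(sec, timezone.utc)}

def sessions(records):
    """Pair each login with the next logout on the same terminal line."""
    open_by_line, out = {}, []
    for r in records:
        if r["type"] == USER_PROCESS:
            s = {"user": r["user"], "line": r["line"], "addr": r["addr"],
                 "login": r["time"], "logout": None}  # None = still logged in
            open_by_line[r["line"]] = s
            out.append(s)
        elif r["type"] == DEAD_PROCESS and r["line"] in open_by_line:
            open_by_line.pop(r["line"])["logout"] = r["time"]
    return out

def make_record(typ, line, user, ip, sec):
    """Build one constructed record (test data, not from a real system)."""
    addr = ipaddress.IPv4Address(ip).packed.ljust(16, b"\0") if ip else bytes(16)
    return UTMP.pack(typ, 1234, line.encode(), b"", user.encode(),
                     ip.encode(), 0, 0, 0, sec, 0, addr)

# Constructed sample: two logins from a documentation address, one logout.
SAMPLE = (make_record(USER_PROCESS, "pts/0", "opc", "203.0.113.7", 1489734180)
          + make_record(USER_PROCESS, "pts/2", "opc", "203.0.113.7", 1489734840)
          + make_record(DEAD_PROCESS, "pts/2", "", "", 1489742640))
```

To read a real file, pass its bytes to parse_wtmp, for example open("/var/log/wtmp", "rb").read(); a session whose logout is None corresponds to "still logged in" in the last output.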


The last command has a number of parameters that can make your life easier when trying to find out who logged into the system.

-f file
Tells last to use a specific file instead of /var/log/wtmp.

-num   
This is a count telling last how many lines to show.

-n num 
The same as -num

-t YYYYMMDDHHMMSS
Display the state of logins as of the specified time. This is useful, e.g., to determine easily who was logged in at a particular time -- specify that time with -t and look for "still logged in".

-R    
Suppresses the display of the hostname field.

-a    
Display the hostname in the last column. Useful in combination with the next flag.

-d    
For non-local logins, Linux stores not only the host name of the remote host but its IP number as well. This option translates the IP number back into a hostname.

-F    
Print full login and logout times and dates.

-i    
This option is like -d in that it displays the IP number of the remote host, but it displays the IP number in numbers-and-dots notation.

-o    
Read an old-type wtmp file (written by linux-libc5 applications).

-w    
Display full user and domain names in the output.

-x    
Display the system shutdown entries and run level changes.
