Quickly list successful and failed user logins to investigate access patterns and spot anomalies. 16.11.2025 | reading time: 2 min Want to know who used your system and when? Use the `last` and `lastlog` utilities to read recorded logins from the system files and get a clear timeline of successful, failed and stale accounts. Show recent logins Demonstration: run `last` to list recent sessions; here is a compact example showing command and output in one block: ```bash $ sudo last -n 5 alice pts/0 192.0.2.10 Fri Nov 14 09:12 - 09:45 (00:33) bob pts/1 :0 Thu Nov 13 14:01 - 14:10 (00:09) charlie pts/2 203.0.113.5 Wed Nov 12 17:20 - 17:50 (00:30) reboot system boot 5.4.0-66-generic Tue Nov 11 10:00 - 10:05 (00:05) wtmp begins Sun Nov 10 00:00 ``` Find failed attempts and last seen To list failed logins use `lastb` (reads `/var/log/btmp`) and to see the last login time for every account use `lastlog` (reads `/var/log/lastlog`); both require read access to those files and `lastb` usually needs root privileges. Correlate with system logs Combine `last` output with `journalctl` or the audit subsystem to get context: `journalctl _COMM=sshd` shows SSH connection messages, and `ausearch -m USER_LOGIN` finds audited login events when auditd is enabled. When and why to dive deeper Use these tools to investigate suspicious access, to prepare compliance reports, or to clean up ghost accounts; automated scripts can parse `last` output for trends, while `lastlog` helps find accounts that never log in. Keep learning Mastering login-history commands is a stepping stone: audit logs, central log servers and incident response broaden the view; sharpen skills and consider formal certification such as CompTIA Linux+ or LPIC-1 with intensive exam preparation at bitsandbytes.academy. Join Bits & Bytes Academy First class LINUX exam preparation. security utilities troubleshooting
