The /var/log/wtmp file typically records user login sessions, but gets rotated by logrotate based on system configuration. When you run last and only see entries starting from Monday at 14:30, this indicates the log rotation occurred at that time.
For login history beyond wtmp rotation, consider these sources:
1. Systemd Journal (modern systems)
journalctl --list-boots | awk '{ print $1 }' | xargs -I{} journalctl -b {} -u systemd-logind
2. Auth Log Parsing
The /var/log/auth.log (or /var/log/secure on RHEL) contains valuable login data:
zgrep -h -E "session opened|session closed" /var/log/auth.log* | \
awk '/session opened/ {print $1,$2,$3,$11,"logged in"}
     /session closed/ {print $1,$2,$3,$11,"logged out"}'
3. Lastlog Database
For all users' last login times (regardless of wtmp rotation):
lastlog | grep -v "Never logged in"
When standard logs are insufficient:
1. Auditd Logs
If auditd was configured to track logins:
ausearch -m USER_LOGIN -ts yesterday
2. Historical WTMP Files
Check for compressed rotated files:
zcat /var/log/wtmp.*.gz | last -f -
3. System Accounting (acct)
If process accounting was enabled:
lastcomm -f /var/account/pacct*
To ensure better login history retention:
- Increase wtmp rotation frequency in /etc/logrotate.conf
- Configure remote syslog server for log aggregation
- Implement centralized authentication logging
The last command is indeed the standard tool for checking login history, but it only reads from /var/log/wtmp which gets rotated periodically. When wtmp gets rotated (typically by logrotate), older login records become inaccessible through standard tools.
Here are several methods to retrieve login information beyond wtmp's current rotation:
1. Check Archived wtmp Files
System administrators often compress old log files. Try:
last -f /var/log/wtmp.1
last -f /var/log/wtmp.2.gz
2. Parse auth.log (or secure)
The authentication log typically contains more historical data. For Debian/Ubuntu:
grep -i "session opened" /var/log/auth.log*
For RHEL/CentOS:
grep -i "session opened" /var/log/secure*
3. Systemd Journal (modern systems)
On systems using journald:
journalctl _SYSTEMD_UNIT=systemd-logind.service --since "2023-11-05" --until "2023-11-06"
Here's a Python script that combines multiple sources:
#!/usr/bin/env python3
import glob
import subprocess
from datetime import datetime, timedelta


def run(cmd, shell=False):
    """Run a command; return False if it is missing or exits non-zero."""
    try:
        subprocess.run(cmd, shell=shell, check=True)
        return True
    except (FileNotFoundError, subprocess.CalledProcessError):
        return False


def get_logins(days_back=2):
    end_date = datetime.now()
    start_date = end_date - timedelta(days=days_back)

    # Most recent rotated wtmp (kept uncompressed by logrotate)
    print("=== wtmp archives ===")
    run(["last", "-f", "/var/log/wtmp.1"])

    # auth.log (Debian/Ubuntu) or secure (RHEL). subprocess does not expand
    # shell globs, so resolve them with glob; zgrep also reads the .gz copies.
    print("\n=== auth.log entries ===")
    files = sorted(glob.glob("/var/log/auth.log*")) or sorted(glob.glob("/var/log/secure*"))
    if files:
        run(["zgrep", "-h", "session opened", *files])
    else:
        print("No auth logs found")

    # systemd journal, limited to logind and the requested date window
    print("\n=== journalctl entries ===")
    cmd = (f"journalctl -u systemd-logind --since {start_date:%Y-%m-%d} "
           f"--until {end_date:%Y-%m-%d} | grep session")
    if not run(cmd, shell=True):
        print("journalctl not available or no matching entries")


if __name__ == "__main__":
    get_logins(3)
To ensure you don't lose login history:
- Increase wtmp rotation frequency in /etc/logrotate.conf
- Consider centralizing logs with syslog-ng or rsyslog
- Implement a SIEM solution for long-term log retention
Remember that:
- You'll need root privileges to access most log files
- Log retention periods vary by distribution and configuration
- Some systems might have auditing (auditd) enabled which provides additional records
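Both answers rely on `last -f` to read rotated wtmp copies. As an added example (not code from either answer), here is a small Python reader that parses the wtmp records directly, plain or gzip-compressed, and pairs logins with logouts on the same tty the way `last` does; it assumes the glibc `struct utmp` layout on x86_64 Linux (384-byte records with 32-bit time fields), and the sample records are constructed inline.

```python
import gzip
import struct
from datetime import datetime, timezone

# Assumed layout: glibc struct utmp on x86_64 Linux, 384 bytes, 32-bit time fields.
UTMP_FMT = "<h2xi32s4s32s256shhiii16s20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
USER_PROCESS, DEAD_PROCESS = 7, 8


def _cstr(raw):
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_wtmp(data):
    """Yield (ut_type, pid, line, user, host, utc_datetime) for each record."""
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        ts = datetime.fromtimestamp(f[9], tz=timezone.utc)
        yield f[0], f[1], _cstr(f[2]), _cstr(f[4]), _cstr(f[5]), ts


def read_wtmp(path):
    """Read a plain or gzip-compressed wtmp file (e.g. /var/log/wtmp.2.gz)."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rb") as fh:
        return list(parse_wtmp(fh.read()))


def sessions(records):
    """Pair each USER_PROCESS login with the next DEAD_PROCESS on the same tty.
    Returns (user, line, host, login, logout); logout is None when the logout
    record is absent: still logged in, or it landed in a later rotated file."""
    open_by_line, out = {}, []
    for ut_type, _pid, line, user, host, ts in records:
        if ut_type == USER_PROCESS:
            open_by_line[line] = (user, line, host, ts)
        elif ut_type == DEAD_PROCESS and line in open_by_line:
            u, l, h, start = open_by_line.pop(line)
            out.append((u, l, h, start, ts))
    out.extend((u, l, h, s, None) for u, l, h, s in open_by_line.values())
    return out


def make_record(ut_type, pid, line, user, host, sec):
    """Build one constructed record (only used to produce the sample below)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, sec, 0, b"")


# Constructed sample: alice logs in on pts/0, bob on pts/1, then alice logs out.
SAMPLE = (make_record(USER_PROCESS, 101, "pts/0", "alice", "10.0.0.5", 1700000000)
          + make_record(USER_PROCESS, 102, "pts/1", "bob", "10.0.0.6", 1700000600)
          + make_record(DEAD_PROCESS, 101, "pts/0", "", "", 1700003600))
```

Run `sessions(read_wtmp("/var/log/wtmp.2.gz"))` on a rotated archive; a trailing entry with logout None is the case the answers warn about, where the matching record sits in the next file.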