How to Extract User Login/Logout History with Date Range Filtering in Linux


Linux systems maintain detailed authentication logs that record user login and logout activities. The primary sources for this information are:

  • /var/log/auth.log (Debian/Ubuntu)
  • /var/log/secure (RHEL/CentOS)

To view login history for a specific user (e.g., "john"):

last -f /var/log/wtmp | grep john

To restrict the output to a date range, pass --since/--until (util-linux last) and let awk match the user name exactly, which avoids the way grep john also matches johnny:

last -f /var/log/wtmp --since "2023-11-01" --until "2023-11-30" | awk '$1 == "john" {print}'

To get login and logout times with the session duration, use -F for full timestamps. last prints all three columns itself and takes the user name as an argument, so no awk column picking is needed:

last -f /var/log/wtmp -F -w john

If you do post-process this output with awk, remember that the host column is empty for console logins (every later field number shifts by one), and that rows for sessions that are still open, or that ended with "down" or "crash", have no logout timestamp.

On systemd hosts the same events are in the journal from systemd-logind. logind logs "New session N of user john." at login but only "Removed session N." at logout, so grepping for the user name alone returns the logins; keep the Removed lines too and match them up by session ID:

journalctl _SYSTEMD_UNIT=systemd-logind.service --since "2023-11-01" --until "2023-11-30" | grep -E 'of user john\.|Removed session'

For regular reporting, save this bash script as user_sessions.sh:

#!/bin/bash
# Usage: user_sessions.sh <user> <start-date> <end-date>   (dates as YYYY-MM-DD)
set -eu
TARGET_USER=$1     # not USER: that variable is the caller's own login name
START_DATE=$2
END_DATE=$3

echo "Session report for $TARGET_USER from $START_DATE to $END_DATE"
echo "=========================================="

# -F prints full login and logout timestamps; -R drops the host column so the
# awk field numbers stay the same for console logins, which have no host.
last -f /var/log/wtmp -F -R --since "$START_DATE" --until "$END_DATE" "$TARGET_USER" | \
awk -v user="$TARGET_USER" '$1 == user {
    if ($8 == "-" && NF >= 14)
        printf "Login: %s %s %s %s %s | Logout: %s %s %s %s %s | Duration: %s\n",
            $3, $4, $5, $6, $7, $9, $10, $11, $12, $13, $14
    else {
        # "still logged in", "gone - no logout", "- down", "- crash": no logout time
        rest = ""
        for (i = 8; i <= NF; i++) rest = rest " " $i
        printf "Login: %s %s %s %s %s |%s\n", $3, $4, $5, $6, $7, rest
    }
}'
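The awk one-liners above break on rows whose host column is empty and on rows without a logout timestamp. The following Python script is an added example, not code from the original page: it parses last -F output by anchoring on the timestamp pattern instead of field numbers, then filters one user's sessions to a date range the way the report script does. The output it runs on is constructed; SAMPLE_LAST_F, parse_last_f and sessions_for are names chosen for the example, and the timestamp format assumes the C locale (run last under LC_ALL=C if the system locale abbreviates day and month names differently).

```python
import re
import sys
from datetime import datetime, timedelta

# Constructed sample of `last -F -w` output, not captured from a real host. The tty1
# row has an empty host column (so whitespace-split field numbers shift there) and
# the other rows show the remaining layouts last can print for the logout column.
SAMPLE_LAST_F = """\
john     pts/0        192.0.2.10       Mon Nov  6 09:12:34 2023 - Mon Nov  6 11:04:01 2023  (01:51)
john     tty1                          Tue Nov  7 08:00:00 2023 - down                      (02:30)
alice    pts/1        198.51.100.7     Wed Nov  8 14:20:00 2023   gone - no logout
john     pts/2        192.0.2.10       Fri Dec  1 07:45:10 2023   still logged in
reboot   system boot  5.15.0-generic   Tue Nov  7 07:58:00 2023   still running

wtmp begins Sun Oct  1 00:00:01 2023
"""

# Full timestamp as printed by `last -F` in the C locale: "Mon Nov  6 09:12:34 2023".
TS = r"[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}"
TS_FMT = "%a %b %d %H:%M:%S %Y"
# Anchor on the timestamp pattern rather than on field numbers: the host column
# may be empty and the logout column has several textual forms.
LINE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<host>.*?)\s+(?P<login>" + TS + r")\s+"
    r"(?P<logout>- " + TS + r"|- down|- crash|still logged in|still running|gone - no logout)"
    r"(?:\s+\((?P<dur>[^)]*)\))?\s*$"
)


def parse_ts(text):
    """Parse a `last -F` timestamp; the day of month may be space padded ("Nov  6")."""
    return datetime.strptime(" ".join(text.split()), TS_FMT)


def parse_last_f(text):
    """Turn `last -F` output into session dicts; the trailer line and blanks are skipped."""
    sessions = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        logout_col = m["logout"]
        logout = parse_ts(logout_col[2:]) if re.fullmatch("- " + TS, logout_col) else None
        sessions.append({
            "user": m["user"],
            "tty": m["tty"],
            "host": m["host"].strip(),  # "" for console logins
            "login": parse_ts(m["login"]),
            "logout": logout,           # None unless a real logout time was printed
            "status": "logged out" if logout else logout_col.lstrip("- "),
            "duration": m["dur"] or "",
        })
    return sessions


def sessions_for(text, user, since, until):
    """Sessions of `user` whose login falls on a day in [since, until] (YYYY-MM-DD, inclusive)."""
    lo = datetime.strptime(since, "%Y-%m-%d")
    hi = datetime.strptime(until, "%Y-%m-%d") + timedelta(days=1)
    return sorted((s for s in parse_last_f(text) if s["user"] == user and lo <= s["login"] < hi),
                  key=lambda s: s["login"])


if __name__ == "__main__":
    # Usage: LC_ALL=C last -F -w | python3 last_sessions.py USER SINCE UNTIL
    # With no arguments and no piped input the constructed sample is used.
    text = SAMPLE_LAST_F if sys.stdin.isatty() else sys.stdin.read()
    user, since, until = sys.argv[1:4] if len(sys.argv) == 4 else ("john", "2023-11-01", "2023-11-30")
    print("Username,Login Time,Logout Time,Duration,IP Address")
    for s in sessions_for(text, user, since, until):
        logout = s["logout"].isoformat(" ") if s["logout"] else s["status"]
        print(f'{s["user"]},{s["login"].isoformat(" ")},{logout},{s["duration"]},{s["host"]}')
```

Sessions without a logout timestamp keep their textual status ("down", "still logged in", "gone - no logout") instead of silently landing in the wrong column, which is the failure the fixed-field awk versions cannot avoid.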

For the raw binary records (wtmp holds logins and logouts, btmp failed attempts), utmpdump prints every column as a bracketed field: record type, PID, terminal ID, user, line, host, address, timestamp. Splitting on the brackets with awk selects columns reliably; the command below prints the type, user, line, host and timestamp of john's records. Type 7 is a login (USER_PROCESS) and type 8 a logout (DEAD_PROCESS); logout records have an empty user field, so a user-name filter alone shows only the logins, and each logout has to be matched to the preceding login on the same line:

utmpdump /var/log/wtmp | awk -F'[][]' '$8 ~ /^john *$/ {print $2, $8, $10, $12, $16}'
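Because logout records carry no user name, the pairing has to be done on the terminal line. The following Python script is an added example rather than code from the original page: it rebuilds sessions from utmpdump output the way last does, pairing each type-7 login with the next type-8 logout on the same line, closing every open line at a type-2 boot record, and then filtering one user's sessions to a date range. The records it reads are constructed; SAMPLE_UTMPDUMP, build_sessions and sessions_for are names chosen for the example, and the ISO 8601 timestamp form is an assumption about recent util-linux output (older releases print a textual date and need a different TS_FMT).

```python
import re
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample of `utmpdump /var/log/wtmp` output, not captured from a real
# host. Record types follow <utmp.h>: 2 = BOOT_TIME, 7 = USER_PROCESS (login),
# 8 = DEAD_PROCESS (logout). Note the empty user field on the logout record.
SAMPLE_UTMPDUMP = """\
[7] [01234] [ts/0] [john    ] [pts/0       ] [192.0.2.10          ] [192.0.2.10     ] [2023-11-06T09:12:34,000000+00:00]
[8] [01234] [ts/0] [        ] [pts/0       ] [                    ] [0.0.0.0        ] [2023-11-06T11:04:01,000000+00:00]
[7] [02000] [tty1] [john    ] [tty1        ] [                    ] [0.0.0.0        ] [2023-11-07T08:00:00,000000+00:00]
[2] [00000] [~~  ] [reboot  ] [~           ] [5.15.0-generic      ] [0.0.0.0        ] [2023-11-07T10:30:00,000000+00:00]
[7] [03111] [ts/1] [alice   ] [pts/1       ] [198.51.100.7        ] [198.51.100.7   ] [2023-12-01T07:45:10,000000+00:00]
"""

BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8
FIELD_RE = re.compile(r"\[([^\]]*)\]")
# Assumed timestamp form (ISO 8601 with a comma before the microseconds, as recent
# util-linux prints it); older releases print a textual date and need another format.
TS_FMT = "%Y-%m-%dT%H:%M:%S,%f%z"


def parse_record(line):
    """Split one utmpdump line into its eight bracketed fields; returns None for anything else."""
    fields = [f.strip() for f in FIELD_RE.findall(line)]
    if len(fields) != 8:
        return None
    rtype, pid, ut_id, user, ut_line, host, addr, ts = fields
    return {"type": int(rtype), "pid": int(pid), "id": ut_id, "user": user,
            "line": ut_line, "host": host, "addr": addr,
            "time": datetime.strptime(ts, TS_FMT)}


def _session(login, logout, status):
    return {"user": login["user"], "line": login["line"], "host": login["host"],
            "login": login["time"], "logout": logout, "status": status,
            "duration": (logout - login["time"]) if logout else None}


def build_sessions(text):
    """Pair logins with logouts the way last does: by terminal line, in time order."""
    records = sorted((r for r in map(parse_record, text.splitlines()) if r),
                     key=lambda r: r["time"])
    open_by_line, sessions = {}, []
    for r in records:
        if r["type"] == USER_PROCESS:
            stale = open_by_line.pop(r["line"], None)
            if stale:  # a new login on a line that never logged out
                sessions.append(_session(stale, None, "gone - no logout"))
            open_by_line[r["line"]] = r
        elif r["type"] == DEAD_PROCESS and r["line"] in open_by_line:
            sessions.append(_session(open_by_line.pop(r["line"]), r["time"], "logged out"))
        elif r["type"] == BOOT_TIME:
            # A boot record closes every session that was open when the host went down.
            for login in open_by_line.values():
                sessions.append(_session(login, r["time"], "down"))
            open_by_line.clear()
    for login in open_by_line.values():
        sessions.append(_session(login, None, "still logged in"))
    return sessions


def sessions_for(text, user, since, until):
    """Sessions of `user` whose login falls on a UTC day in [since, until] (YYYY-MM-DD, inclusive)."""
    lo = datetime.strptime(since, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    hi = datetime.strptime(until, "%Y-%m-%d").replace(tzinfo=timezone.utc) + timedelta(days=1)
    return sorted((s for s in build_sessions(text) if s["user"] == user and lo <= s["login"] < hi),
                  key=lambda s: s["login"])


if __name__ == "__main__":
    # Usage: utmpdump /var/log/wtmp | python3 utmp_sessions.py USER SINCE UNTIL
    # With no arguments and no piped input the constructed sample is used.
    text = SAMPLE_UTMPDUMP if sys.stdin.isatty() else sys.stdin.read()
    user, since, until = sys.argv[1:4] if len(sys.argv) == 4 else ("john", "2023-11-01", "2023-11-30")
    for s in sessions_for(text, user, since, until):
        print(s["user"], s["line"], s["host"] or "-", s["login"].isoformat(),
              s["logout"].isoformat() if s["logout"] else "-", s["status"], s["duration"])
```

The date filter works on timezone-aware values, so records written in UTC and a local since/until date do not get compared as if they were in the same zone, which is the time-zone pitfall listed in the notes below.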

  • Logs may rotate (check /var/log/wtmp.1 etc.)
  • Root privileges may be needed for some log files
  • Time zone considerations affect timestamp interpretation
  • For SSH sessions, check /var/log/secure or /var/log/auth.log

Linux systems maintain comprehensive authentication records through several mechanisms:

/var/log/auth.log      # Debian/Ubuntu systems
/var/log/secure        # RHEL/CentOS systems
/var/log/wtmp          # Binary login records
/var/log/btmp          # Failed login attempts

The most straightforward way to check login history is using the last command:

last -f /var/log/wtmp | head -20  # View recent 20 entries
last username                     # Filter by specific user
last --since YYYY-MM-DD --until YYYY-MM-DD

Example for querying user 'john' between March 1-15, 2023:

last john --since 2023-03-01 --until 2023-03-15

For more detailed session information including logout times:

grep 'session opened' /var/log/auth.log | grep 'username'
grep 'session closed' /var/log/auth.log | grep 'username'

Date-range query with awk. This assumes the traditional syslog timestamp ("Mar  1 09:12:34"), where the month is field 1 and the day field 2; compare the day numerically, because a pattern such as /Mar 1/ also matches Mar 10 to Mar 19, and requiring /Mar 15/ on the same line would leave only Mar 15. If rsyslog writes ISO timestamps, compare the date prefix of field 1 instead:

awk '$1 == "Mar" && $2 >= 1 && $2 <= 15 && /session opened/ && /username/' /var/log/auth.log

For low-level analysis of the binary log files (btmp is readable by root only). The text "FAILED LOGIN" comes from auth.log, not from utmpdump output, so search btmp by user name, or use lastb, which reads btmp the way last reads wtmp:

sudo utmpdump /var/log/wtmp | grep username
sudo utmpdump /var/log/btmp | grep username
sudo lastb username

Create a shell script to generate CSV reports:

#!/bin/bash
# Usage: session_report.sh <user> <start-date> <end-date>   (dates as YYYY-MM-DD)
set -eu
user=$1
start_date=$2
end_date=$3

echo "Username,Login Time,Logout Time,Duration,IP Address"
# -w keeps full host names and -F prints full timestamps. A completed session
# with a host column has 15 fields; console logins have an empty host column and
# open sessions have no logout time, so only rows with the expected layout are
# emitted (anything else would land in the wrong CSV column).
last -s "$start_date" -t "$end_date" -w -F "$user" |
awk -v user="$user" '$1 == user && NF == 15 && $9 == "-" {
    gsub(/[()]/, "", $15)
    printf "%s,%s %s %s %s,%s %s %s %s,%s,%s\n",
        $1, $5, $6, $7, $8, $11, $12, $13, $14, $15, $3
}'

For systems with journald:

journalctl _SYSTEMD_UNIT=systemd-logind.service --since "2023-03-01" --until "2023-03-15"

Monitor real-time logins:

tail -f /var/log/auth.log | grep -E 'sshd|login'