How to Check Linux System Activity Logs: A Comprehensive Guide to User Login History and Session Monitoring



Linux maintains detailed logs in various files under /var/log. The most relevant files for user activity monitoring include:

/var/log/auth.log  # Authentication logs (Debian/Ubuntu)
/var/log/secure    # Authentication logs (RHEL/CentOS)
/var/log/wtmp      # Binary login records
/var/log/btmp      # Bad login attempts
/var/log/lastlog   # Last login records

The last command (which reads the binary records in /var/log/wtmp) is just the beginning. Here are more powerful alternatives:

# Show login/logout history with details
last -a -i -d

# Show failed login attempts
lastb

# Display all sudo commands executed
grep sudo /var/log/auth.log

# Check user login sessions
who -u

# View current logged in users
w

For more detailed session tracking, consider these commands:

# Monitor user activity in real-time
watch -n 5 'w; echo; last -n 5'

# Check when users were active on the system
lastlog

# List running shell processes with their start time and elapsed time (a rough view of session durations);
# the [b]ash pattern keeps grep itself out of the results
ps -eo pid,user,lstart,etime,cmd | grep '[b]ash'
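The commands above show where failed logins and sudo use are recorded; the next step a defender usually wants is to turn those lines into a count per source so repeated failures stand out. The script below is an added example, not part of the original guide: it parses auth.log-style sshd lines with awk, tallies failed password attempts per source IP, and flags sources that reach a threshold. The log lines are constructed for illustration (RFC 5737 documentation addresses), and the function names failed_by_ip and flag_sources are this example's own.

```shell
#!/bin/bash
# Added example: count failed sshd password attempts per source IP in
# auth.log-style lines and flag sources at or above a threshold.
# The lines below are constructed sample data, not a real log.

SAMPLE_AUTH_LOG=$(cat <<'EOF'
Mar  3 10:01:12 host sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 10:01:15 host sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 10:01:19 host sshd[2203]: Failed password for root from 203.0.113.7 port 51040 ssh2
Mar  3 10:02:01 host sshd[2210]: Accepted publickey for alice from 198.51.100.20 port 40212 ssh2: ED25519 SHA256:abc
Mar  3 10:02:30 host sshd[2215]: Failed password for alice from 198.51.100.20 port 40230 ssh2
Mar  3 10:03:00 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
EOF
)

# failed_by_ip: read auth.log lines on stdin, print "count ip" per source, highest count first.
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
            # the source address is the field right after the word "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++ }
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# flag_sources: print only the IPs whose failure count reaches the threshold given as $1.
flag_sources() {
    threshold=$1
    failed_by_ip | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Against a real log (needs read access to the file):  flag_sources 5 < /var/log/auth.log
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_by_ip
printf '%s\n' "$SAMPLE_AUTH_LOG" | flag_sources 3
```

On a RHEL/CentOS host point the same functions at /var/log/secure; on a journald-only system feed them with journalctl -t sshd --no-pager. The threshold is a starting point for alerting, not a verdict: a single source with many failures against several accounts is the pattern worth reviewing, and the per-IP table makes that visible at a glance.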

Create a script to generate a full activity report:

#!/bin/bash
echo "=== SYSTEM ACTIVITY REPORT ==="
echo "Generated on: $(date)"
echo -e "\n=== USER LOGIN HISTORY ==="
last -n 10
echo -e "\n=== CURRENTLY LOGGED IN USERS ==="
w
echo -e "\n=== RECENT SUDO COMMANDS ==="
grep sudo /var/log/auth.log | tail -n 10
echo -e "\n=== RECENT FAILED LOGINS ==="
lastb | head -n 10
echo -e "\n=== SYSTEM UPTIME ==="
uptime
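The report script above hard-codes /var/log/auth.log, so it silently prints nothing for sudo activity on a RHEL/CentOS host and produces no failed-login section when run without the privileges needed to read /var/log/btmp. The script below is an added example, not the original guide's script: it picks whichever authentication log exists, falls back to journald when neither file is present, and keeps each data source in its own function. The helper names first_existing, auth_log, sudo_events, section and report are this example's own.

```shell
#!/bin/bash
# Added example: distro-aware activity report built from small, reusable functions.

# first_existing: print the first readable file among the arguments; fail if none is readable.
first_existing() {
    for f in "$@"; do
        if [ -r "$f" ]; then printf '%s\n' "$f"; return 0; fi
    done
    return 1
}

# auth_log: the text authentication log for this distro (Debian/Ubuntu vs RHEL/CentOS).
auth_log() { first_existing /var/log/auth.log /var/log/secure; }

# sudo_events: the last N sudo entries from the auth log, or from journald when no file exists.
sudo_events() {
    n=${1:-10}
    log=$(auth_log) && grep -w sudo "$log" | tail -n "$n" && return
    journalctl -t sudo -n "$n" --no-pager 2>/dev/null
}

# section: print a report heading in the same style as the original script.
section() { printf '\n=== %s ===\n' "$1"; }

# report: assemble the full report on stdout.
report() {
    printf '=== SYSTEM ACTIVITY REPORT ===\nGenerated on: %s\n' "$(date)"
    section "USER LOGIN HISTORY";        last -n 10 2>/dev/null
    section "CURRENTLY LOGGED IN USERS"; w
    section "RECENT SUDO COMMANDS";      sudo_events 10
    # /var/log/btmp is normally readable only by root; an empty section here means "no access", not "no failures"
    section "RECENT FAILED LOGINS";      lastb 2>/dev/null | head -n 10
    section "SYSTEM UPTIME";             uptime
}

# Usage (as root, since auth logs and btmp are restricted):
#   sudo bash activity_report.sh --run > /var/tmp/activity_$(date +%F).txt
if [ "${1:-}" = "--run" ]; then report; fi
```

Run it from cron or a systemd timer and ship the output somewhere the local root account cannot edit; a report that lives only on the host it describes is lost together with the host's logs if an attacker clears them.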

Modify /etc/rsyslog.conf (or add a drop-in file under /etc/rsyslog.d/) to increase logging detail, then restart rsyslog so the new rules take effect:

# Enhanced auth logging: all auth/authpriv messages, plus debug-level authpriv messages in a separate file
auth,authpriv.* /var/log/auth.log
authpriv.=debug /var/log/authdebug.log

# Catch-all capture: every facility at every priority goes to one file
# (this is a full syslog copy, not a recording of interactive sessions, and it grows quickly)
*.* /var/log/session_audit.log

The Linux audit system provides enterprise-level monitoring:

# Install auditd
sudo apt install auditd  # Debian/Ubuntu
sudo yum install audit   # RHEL/CentOS

# Basic audit rules
sudo auditctl -a always,exit -F arch=b64 -S execve
sudo auditctl -w /etc/passwd -p wa -k passwd_changes

For graphical analysis, consider these tools:

# Install log analysis tools
sudo apt install goaccess lnav  # Debian/Ubuntu
sudo yum install goaccess lnav  # RHEL/CentOS

# Browse auth logs interactively (lnav understands the syslog line format)
lnav /var/log/auth.log

# goaccess expects web-server access logs, not auth.log, so point it at one of those
goaccess /var/log/apache2/access.log --log-format=COMBINED

Linux maintains detailed logs in various system files. Here are the most important ones:

/var/log/auth.log  # Authentication logs (Debian/Ubuntu)
/var/log/secure   # Authentication logs (RHEL/CentOS)
/var/log/wtmp     # Binary login records
/var/log/btmp     # Failed login attempts
/var/log/lastlog  # Last login timestamps
/var/log/syslog   # General system activity

The last command reads from /var/log/wtmp and shows login sessions:

last -a | head -20
# Output shows username, terminal, IP, login duration

Check /var/log/btmp for failed login attempts using:

lastb -a | more
# Or parse auth logs:
grep "authentication failure" /var/log/auth.log

For comprehensive session tracking, use these commands:

# Check when users logged in/out
who /var/log/wtmp
lastlog

# Check sudo commands history
grep sudo /var/log/auth.log

# Check a user's shell command history (if available); the file is written only when the
# shell exits and the user can edit or delete it, so treat it as a hint, not an audit trail
cat ~/.bash_history

For systems using journald:

journalctl --since "2 days ago" -u systemd-logind
journalctl -b -n 1000 | grep -i "session opened"

Install and configure auditd for comprehensive tracking:

sudo apt install auditd  # Debian/Ubuntu
sudo yum install audit   # RHEL/CentOS

# Sample audit rules:
auditctl -a exit,always -F arch=b64 -S execve
auditctl -w /etc/passwd -p wa -k passwd_changes

# Query audit logs:
ausearch -k passwd_changes
aureport -l --summary

Combine multiple sources into a custom report:

#!/bin/bash
echo "=== USER LOGIN HISTORY ==="
last -a | head -10
# echo -e is needed for \n to produce a blank line; plain echo prints it literally
echo -e "\n=== RECENT SUDO COMMANDS ==="
grep sudo /var/log/auth.log | tail -15
echo -e "\n=== FAILED LOGIN ATTEMPTS ==="
lastb -a | head -10