Ubuntu – How to read older login info using the “last” command

command line

The last command may show too few lines of user login info, truncated by when the “wtmp begins”.

If I want to get as much as possible last info (e.g., to see if my system was accessed from any unknown/suspicious IP using my username), how can I output the older “last” info?

If I use last -2000, intending to see 2000 lines of output, but the command may only return just a few lines, anything that happened before the “wtmp begins” would be truncated.)

Just wondering somehow if it is possible to output as many lines of login info as possible.

Best Answer

The last command uses the binary file /var/log/wtmp to show a listing of last logged in users.

But /var/log/wtmp is a rotated file where old entries are archived into /var/log/wtmp.x where x is a digit [0-9].

So If you need to look deeper in the login history, try to open one of those files:

last -2000 -f /var/log/wtmp.1 | less

Best Answer

Related Solutions

Ubuntu – Using last part of command for next command

Ubuntu – xubuntu xterm strange lag/echo issue with ssh

Related Question