The last
command may show too few lines of user login info, truncated by when the “wtmp begins”.
If I want to get as much as possible last
info (e.g., to see if my system was accessed from any unknown/suspicious IP using my username), how can I output the older “last” info?
If I use last -2000
, intending to see 2000 lines of output, but the command may only return just a few lines, anything that happened before the “wtmp begins” would be truncated.)
Just wondering somehow if it is possible to output as many lines of login info as possible.
Best Answer
The
last
command uses the binary file/var/log/wtmp
to show a listing of last logged in users.But
/var/log/wtmp
is a rotated file where old entries are archived into/var/log/wtmp.x
where x is a digit[0-9]
.So If you need to look deeper in the login history, try to open one of those files: