How to see activity logs on a Linux PC?
I want to find out everything possible about how the PC was used in the past few days. Like who logged in, for how long the PC was locked, and any other information about user activity that is logged on the PC.
I know that the last command can be used to find out who was logged in and for how long. Is there any other information that can be found out?
The last command will show user logins, logouts, system reboots and run level changes.
The lastlog command "reports the most recent login of all users".
The file /etc/syslog.conf will show how your log files are configured. For example, it may show that auth and authpriv.* facilities are logged to /var/log/auth.log. In other cases, such as Ubuntu, look at /etc/rsyslog.conf and the files in /etc/rsyslog.d for this information.
Your log files will probably be rotated, so in addition to looking at files such as /var/log/auth.log, you may need to look in their older counterparts such as /var/log/auth.log.1 and /var/log/auth.log.n.gz (using zcat) where "n" could be any integer depending on how your rotation is set up.
Although the files can be manipulated by the users, sometimes you can look at ones such as ~username/.bash_history. Even files like ~username/.lesshst can have useful information if you really need to dig deep.
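The rotation described in the answer above means a few days of activity is usually spread over several files. The following is an added example, not part of the original answer: it reads a log together with its numbered and gzip-compressed rotations, oldest first, and pulls out the login-related lines. The function names are hypothetical and the log lines are constructed samples in the usual sshd/pam_unix format.

```shell
# Print a log and its rotated copies oldest-first: base.N(.gz) ... base.1, base.
cat_rotated() {
    base=$1
    for f in "$base".*; do
        [ -e "$f" ] || continue
        n=${f#"$base".}; n=${n%.gz}
        case $n in ''|*[!0-9]*) continue ;; esac   # skip non-numeric suffixes
        printf '%s %s\n' "$n" "$f"
    done | sort -rn | while read -r num path; do
        case $path in
            *.gz) gzip -dc -- "$path" ;;           # same effect as zcat
            *)    cat -- "$path" ;;
        esac
    done
    if [ -f "$base" ]; then cat -- "$base"; fi
}

# Keep only session open/close and sshd accept/fail lines.
login_events() {
    cat_rotated "$1" |
        grep -E 'session (opened|closed) for user|(Accepted|Failed) (password|publickey) for' || :
}

# Count "session opened" lines per user; prints "user count", sorted by user.
sessions_per_user() {
    cat_rotated "$1" |
        sed -n 's/.*session opened for user \([^ (]*\).*/\1/p' |
        sort | uniq -c | awk '{print $2, $1}'
}

# Build constructed sample files auth.log, auth.log.1, auth.log.2.gz in dir $1.
make_sample() {
    printf '%s\n' \
        'Mar  3 08:01:12 host sshd[811]: Accepted password for alice from 192.0.2.10 port 50022 ssh2' \
        'Mar  3 08:01:12 host sshd[811]: pam_unix(sshd:session): session opened for user alice by (uid=0)' \
        > "$1/auth.log.2" && gzip -f "$1/auth.log.2"
    printf '%s\n' \
        'Mar  4 09:15:40 host sshd[902]: Failed password for invalid user bob from 192.0.2.77 port 41000 ssh2' \
        'Mar  4 12:00:00 host sshd[902]: Connection closed by 192.0.2.77 port 41000' \
        'Mar  4 17:30:02 host sshd[811]: pam_unix(sshd:session): session closed for user alice' \
        > "$1/auth.log.1"
    printf '%s\n' \
        'Mar  5 07:58:10 host login[1201]: pam_unix(login:session): session opened for user alice(uid=1000) by LOGIN(uid=0)' \
        'Mar  5 08:00:01 host CRON[1300]: pam_unix(cron:session): session opened for user root by (uid=0)' \
        > "$1/auth.log"
}

demo=$(mktemp -d) && make_sample "$demo" && sessions_per_user "$demo/auth.log"; rm -rf "$demo"
```

On a real system, call login_events /var/log/auth.log from an account that can read that file and its rotated copies.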
An interesting way to see all activity in one shot:
egrep -r '(login|attempt|auth|success):' /var/log
You can change the keywords (login|attempt|auth|success) to suitable ones according to your Linux box. To add more, use a long pipe in the parentheses.
Check out the syslog messages in /var/log/*; there is a lot of good info there about what has been going on on your system.