How do I extract login history?
I need to know the login history for specific user (i.e. login and logout time), How do I extract this history for a specific date range in Linux ?
You can try the last command:
last john
It prints out the login/out history of user john. Whereas running just
last
prints out the login/out history of all users.
If you need to go further back in history than one month, you can read the /var/log/wtmp.1 file with the last command.
last -f wtmp.1 john will show the previous month's history of logins for user john.
The last log output isn't too heavy and relatively easy to parse, so I would probably pipe the output to grep to look for a specific date pattern.
last john | grep -E 'Aug (2[0-9]|30) ' to show August 20-30. Or something like:
last -f /var/log/wtmp.1 john | grep -E 'Jul (1[0-9]|2[0-9]|30) ' to acquire July 10-30 for user john.
How to extract login history for specific date range in Linux?
An example to list all users login from 25 to 28/Aug:
last | while read line
do
date=`date -d "$(echo $line | awk '{ print $5" "$6" "$7 }')" +%s`
[[ $date -ge `date -d "Aug 25 00:00" +%s` && $date -le `date -d "Aug 28 00:00" +%s` ]] && echo $line
done
-
awk '{ print $5" "$6" "$7 }'to extract the date time at corresponding column fromlastoutput -
+%sto convert datetime to Epoch time -
-gestand for greater than or equal -
-lestand for less than or equal
You can also do it for specific user with last <username>.