How to read older login info using the “last” command?





.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ margin-bottom:0;
}







8















The last command may show too few lines of user login info, truncated by when the “wtmp begins”.



If I want to get as much as possible last info (e.g., to see if my system was accessed from any unknown/suspicious IP using my username), how can I output the older “last” info?



If I use last -2000, intending to see 2000 lines of output, but the command may only return just a few lines, anything that happened before the “wtmp begins” would be truncated.)



Just wondering somehow if it is possible to output as many lines of login info as possible.






command-line







share|improve this question

























  • last -o might help. The man page says it reads old wtmp files. But on my system it doesn't give much info. Although, wtmp begins sets to Jan 1 1970.

    – udiboy1209
    Apr 4 '14 at 7:41













  • that's funny. if you have more logins since 1970 than what are shown in your log, then some setting may be incorrect.

    – water stone
    Apr 4 '14 at 8:57


















8















The last command may show too few lines of user login info, truncated by when the “wtmp begins”.



If I want to get as much as possible last info (e.g., to see if my system was accessed from any unknown/suspicious IP using my username), how can I output the older “last” info?



If I use last -2000, intending to see 2000 lines of output, but the command may only return just a few lines, anything that happened before the “wtmp begins” would be truncated.)



Just wondering somehow if it is possible to output as many lines of login info as possible.






command-line







share|improve this question

























  • last -o might help. The man page says it reads old wtmp files. But on my system it doesn't give much info. Although, wtmp begins sets to Jan 1 1970.

    – udiboy1209
    Apr 4 '14 at 7:41













  • that's funny. if you have more logins since 1970 than what are shown in your log, then some setting may be incorrect.

    – water stone
    Apr 4 '14 at 8:57














8












8








8


3






The last command may show too few lines of user login info, truncated by when the “wtmp begins”.



If I want to get as much as possible last info (e.g., to see if my system was accessed from any unknown/suspicious IP using my username), how can I output the older “last” info?



If I use last -2000, intending to see 2000 lines of output, but the command may only return just a few lines, anything that happened before the “wtmp begins” would be truncated.)



Just wondering somehow if it is possible to output as many lines of login info as possible.






command-line







share|improve this question
















The last command may show too few lines of user login info, truncated by when the “wtmp begins”.



If I want to get as much as possible last info (e.g., to see if my system was accessed from any unknown/suspicious IP using my username), how can I output the older “last” info?



If I use last -2000, intending to see 2000 lines of output, but the command may only return just a few lines, anything that happened before the “wtmp begins” would be truncated.)



Just wondering somehow if it is possible to output as many lines of login info as possible.






command-line




command-line






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Dec 3 '16 at 9:57









Zanna

51.3k13140243




51.3k13140243










asked Apr 4 '14 at 7:35









water stonewater stone

71128




71128













  • last -o might help. The man page says it reads old wtmp files. But on my system it doesn't give much info. Although, wtmp begins sets to Jan 1 1970.

    – udiboy1209
    Apr 4 '14 at 7:41













  • that's funny. if you have more logins since 1970 than what are shown in your log, then some setting may be incorrect.

    – water stone
    Apr 4 '14 at 8:57



















  • last -o might help. The man page says it reads old wtmp files. But on my system it doesn't give much info. Although, wtmp begins sets to Jan 1 1970.

    – udiboy1209
    Apr 4 '14 at 7:41













  • that's funny. if you have more logins since 1970 than what are shown in your log, then some setting may be incorrect.

    – water stone
    Apr 4 '14 at 8:57

















last -o might help. The man page says it reads old wtmp files. But on my system it doesn't give much info. Although, wtmp begins sets to Jan 1 1970.

– udiboy1209
Apr 4 '14 at 7:41







last -o might help. The man page says it reads old wtmp files. But on my system it doesn't give much info. Although, wtmp begins sets to Jan 1 1970.

– udiboy1209
Apr 4 '14 at 7:41















that's funny. if you have more logins since 1970 than what are shown in your log, then some setting may be incorrect.

– water stone
Apr 4 '14 at 8:57





that's funny. if you have more logins since 1970 than what are shown in your log, then some setting may be incorrect.

– water stone
Apr 4 '14 at 8:57










3 Answers
3






active

oldest

votes


















11














The last command uses the binary file /var/log/wtmp to show a listing of last logged in users.



But /var/log/wtmp is a rotated file where old entries are archived into /var/log/wtmp.x where x is a digit [0-9].



So If you need to look deeper in the login history, try to open one of those files:



last -2000 -f /var/log/wtmp.1 | less





share|improve this answer


























  • To read 2000 line in terminal it is better to pass it to less as last -2000 -f /var/log/wtmp.1| less, +1 for nice answer

    – souravc
    Apr 4 '14 at 8:01













  • Good idea, thanks @souravc. I've edited my answer.

    – Sylvain Pineau
    Apr 4 '14 at 8:03











  • Thank you so very much! I noticed that the wtmp.1 file was automatically gzipped into wtmp.1.gz file, so I unzipped it, and used "last -f" to read, that is exactly what I needed. Thank you so much. Btw, the wtmp.1 seems still too recent, and I only have wtmp1 file (no other files such as wtmp2 etc in /var/log), if I want my system to store more info, how can I change the default system setting for this purpose?

    – water stone
    Apr 4 '14 at 8:21













  • Please create a new question to cover how many rotations should be archived.

    – Sylvain Pineau
    Apr 4 '14 at 8:26



















0














Update



Logs in 



/var/log/wtmp.1


are constrained.



Ubuntu 16 and probably 17 have mechanism of deleting logs older than one month. To configure this behavior you should edit:



/etc/logrotate.conf


More info:




Access to logs of startup and shut down







share|improve this answer































    0














    If the last -f /var/log/wtmp.1 doesn't give any output this can be because e.g. the record length has changed in a newer version.



    A simply option would be then to use utmpdump instead:



    utmpdump /var/log/wtmp.1  | less


    Oh, and less can be quitted using q (from "quit" ;-) )






    share|improve this answer


























      Your Answer








      StackExchange.ready(function() {
      var channelOptions = {
      tags: "".split(" "),
      id: "89"
      };
      initTagRenderer("".split(" "), "".split(" "), channelOptions);

      StackExchange.using("externalEditor", function() {
      // Have to fire editor after snippets, if snippets enabled
      if (StackExchange.settings.snippets.snippetsEnabled) {
      StackExchange.using("snippets", function() {
      createEditor();
      });
      }
      else {
      createEditor();
      }
      });

      function createEditor() {
      StackExchange.prepareEditor({
      heartbeatType: 'answer',
      autoActivateHeartbeat: false,
      convertImagesToLinks: true,
      noModals: true,
      showLowRepImageUploadWarning: true,
      reputationToPostImages: 10,
      bindNavPrevention: true,
      postfix: "",
      imageUploader: {
      brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
      contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
      allowUrls: true
      },
      onDemand: true,
      discardSelector: ".discard-answer"
      ,immediatelyShowMarkdownHelp:true
      });


      }
      });














      draft saved

      draft discarded


















      StackExchange.ready(
      function () {
      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f443206%2fhow-to-read-older-login-info-using-the-last-command%23new-answer', 'question_page');
      }
      );

      Post as a guest















      Required, but never shown

























      3 Answers
      3






      active

      oldest

      votes








      3 Answers
      3






      active

      oldest

      votes









      active

      oldest

      votes






      active

      oldest

      votes









      11














      The last command uses the binary file /var/log/wtmp to show a listing of last logged in users.



      But /var/log/wtmp is a rotated file where old entries are archived into /var/log/wtmp.x where x is a digit [0-9].



      So If you need to look deeper in the login history, try to open one of those files:



      last -2000 -f /var/log/wtmp.1 | less





      share|improve this answer


























      • To read 2000 line in terminal it is better to pass it to less as last -2000 -f /var/log/wtmp.1| less, +1 for nice answer

        – souravc
        Apr 4 '14 at 8:01













      • Good idea, thanks @souravc. I've edited my answer.

        – Sylvain Pineau
        Apr 4 '14 at 8:03











      • Thank you so very much! I noticed that the wtmp.1 file was automatically gzipped into wtmp.1.gz file, so I unzipped it, and used "last -f" to read, that is exactly what I needed. Thank you so much. Btw, the wtmp.1 seems still too recent, and I only have wtmp1 file (no other files such as wtmp2 etc in /var/log), if I want my system to store more info, how can I change the default system setting for this purpose?

        – water stone
        Apr 4 '14 at 8:21













      • Please create a new question to cover how many rotations should be archived.

        – Sylvain Pineau
        Apr 4 '14 at 8:26
















      11














      The last command uses the binary file /var/log/wtmp to show a listing of last logged in users.



      But /var/log/wtmp is a rotated file where old entries are archived into /var/log/wtmp.x where x is a digit [0-9].



      So If you need to look deeper in the login history, try to open one of those files:



      last -2000 -f /var/log/wtmp.1 | less





      share|improve this answer


























      • To read 2000 line in terminal it is better to pass it to less as last -2000 -f /var/log/wtmp.1| less, +1 for nice answer

        – souravc
        Apr 4 '14 at 8:01













      • Good idea, thanks @souravc. I've edited my answer.

        – Sylvain Pineau
        Apr 4 '14 at 8:03











      • Thank you so very much! I noticed that the wtmp.1 file was automatically gzipped into wtmp.1.gz file, so I unzipped it, and used "last -f" to read, that is exactly what I needed. Thank you so much. Btw, the wtmp.1 seems still too recent, and I only have wtmp1 file (no other files such as wtmp2 etc in /var/log), if I want my system to store more info, how can I change the default system setting for this purpose?

        – water stone
        Apr 4 '14 at 8:21













      • Please create a new question to cover how many rotations should be archived.

        – Sylvain Pineau
        Apr 4 '14 at 8:26














      11












      11








      11







      The last command uses the binary file /var/log/wtmp to show a listing of last logged in users.



      But /var/log/wtmp is a rotated file where old entries are archived into /var/log/wtmp.x where x is a digit [0-9].



      So If you need to look deeper in the login history, try to open one of those files:



      last -2000 -f /var/log/wtmp.1 | less





      share|improve this answer















      The last command uses the binary file /var/log/wtmp to show a listing of last logged in users.



      But /var/log/wtmp is a rotated file where old entries are archived into /var/log/wtmp.x where x is a digit [0-9].



      So If you need to look deeper in the login history, try to open one of those files:



      last -2000 -f /var/log/wtmp.1 | less






      share|improve this answer














      share|improve this answer



      share|improve this answer








      edited Apr 4 '14 at 8:03

























      answered Apr 4 '14 at 7:58









      Sylvain PineauSylvain Pineau

      49.5k16107151




      49.5k16107151













      • To read 2000 line in terminal it is better to pass it to less as last -2000 -f /var/log/wtmp.1| less, +1 for nice answer

        – souravc
        Apr 4 '14 at 8:01













      • Good idea, thanks @souravc. I've edited my answer.

        – Sylvain Pineau
        Apr 4 '14 at 8:03











      • Thank you so very much! I noticed that the wtmp.1 file was automatically gzipped into wtmp.1.gz file, so I unzipped it, and used "last -f" to read, that is exactly what I needed. Thank you so much. Btw, the wtmp.1 seems still too recent, and I only have wtmp1 file (no other files such as wtmp2 etc in /var/log), if I want my system to store more info, how can I change the default system setting for this purpose?

        – water stone
        Apr 4 '14 at 8:21













      • Please create a new question to cover how many rotations should be archived.

        – Sylvain Pineau
        Apr 4 '14 at 8:26



















      • To read 2000 line in terminal it is better to pass it to less as last -2000 -f /var/log/wtmp.1| less, +1 for nice answer

        – souravc
        Apr 4 '14 at 8:01













      • Good idea, thanks @souravc. I've edited my answer.

        – Sylvain Pineau
        Apr 4 '14 at 8:03











      • Thank you so very much! I noticed that the wtmp.1 file was automatically gzipped into wtmp.1.gz file, so I unzipped it, and used "last -f" to read, that is exactly what I needed. Thank you so much. Btw, the wtmp.1 seems still too recent, and I only have wtmp1 file (no other files such as wtmp2 etc in /var/log), if I want my system to store more info, how can I change the default system setting for this purpose?

        – water stone
        Apr 4 '14 at 8:21













      • Please create a new question to cover how many rotations should be archived.

        – Sylvain Pineau
        Apr 4 '14 at 8:26

















      To read 2000 line in terminal it is better to pass it to less as last -2000 -f /var/log/wtmp.1| less, +1 for nice answer

      – souravc
      Apr 4 '14 at 8:01







      To read 2000 line in terminal it is better to pass it to less as last -2000 -f /var/log/wtmp.1| less, +1 for nice answer

      – souravc
      Apr 4 '14 at 8:01















      Good idea, thanks @souravc. I've edited my answer.

      – Sylvain Pineau
      Apr 4 '14 at 8:03





      Good idea, thanks @souravc. I've edited my answer.

      – Sylvain Pineau
      Apr 4 '14 at 8:03













      Thank you so very much! I noticed that the wtmp.1 file was automatically gzipped into wtmp.1.gz file, so I unzipped it, and used "last -f" to read, that is exactly what I needed. Thank you so much. Btw, the wtmp.1 seems still too recent, and I only have wtmp1 file (no other files such as wtmp2 etc in /var/log), if I want my system to store more info, how can I change the default system setting for this purpose?

      – water stone
      Apr 4 '14 at 8:21







      Thank you so very much! I noticed that the wtmp.1 file was automatically gzipped into wtmp.1.gz file, so I unzipped it, and used "last -f" to read, that is exactly what I needed. Thank you so much. Btw, the wtmp.1 seems still too recent, and I only have wtmp1 file (no other files such as wtmp2 etc in /var/log), if I want my system to store more info, how can I change the default system setting for this purpose?

      – water stone
      Apr 4 '14 at 8:21















      Please create a new question to cover how many rotations should be archived.

      – Sylvain Pineau
      Apr 4 '14 at 8:26





      Please create a new question to cover how many rotations should be archived.

      – Sylvain Pineau
      Apr 4 '14 at 8:26













      0














      Update



      Logs in 



      /var/log/wtmp.1


      are constrained.



      Ubuntu 16 and probably 17 have mechanism of deleting logs older than one month. To configure this behavior you should edit:



      /etc/logrotate.conf


      More info:




      Access to logs of startup and shut down







      share|improve this answer




























        0














        Update



        Logs in 



        /var/log/wtmp.1


        are constrained.



        Ubuntu 16 and probably 17 have mechanism of deleting logs older than one month. To configure this behavior you should edit:



        /etc/logrotate.conf


        More info:




        Access to logs of startup and shut down







        share|improve this answer


























          0












          0








          0







          Update



          Logs in 



          /var/log/wtmp.1


          are constrained.



          Ubuntu 16 and probably 17 have mechanism of deleting logs older than one month. To configure this behavior you should edit:



          /etc/logrotate.conf


          More info:




          Access to logs of startup and shut down







          share|improve this answer













          Update



          Logs in 



          /var/log/wtmp.1


          are constrained.



          Ubuntu 16 and probably 17 have mechanism of deleting logs older than one month. To configure this behavior you should edit:



          /etc/logrotate.conf


          More info:




          Access to logs of startup and shut down








          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Jun 15 '17 at 14:15









          DanielDaniel

          187110




          187110























              0














              If the last -f /var/log/wtmp.1 doesn't give any output this can be because e.g. the record length has changed in a newer version.



              A simply option would be then to use utmpdump instead:



              utmpdump /var/log/wtmp.1  | less


              Oh, and less can be quitted using q (from "quit" ;-) )






              share|improve this answer






























                0














                If the last -f /var/log/wtmp.1 doesn't give any output this can be because e.g. the record length has changed in a newer version.



                A simply option would be then to use utmpdump instead:



                utmpdump /var/log/wtmp.1  | less


                Oh, and less can be quitted using q (from "quit" ;-) )






                share|improve this answer




























                  0












                  0








                  0







                  If the last -f /var/log/wtmp.1 doesn't give any output this can be because e.g. the record length has changed in a newer version.



                  A simply option would be then to use utmpdump instead:



                  utmpdump /var/log/wtmp.1  | less


                  Oh, and less can be quitted using q (from "quit" ;-) )






                  share|improve this answer















                  If the last -f /var/log/wtmp.1 doesn't give any output this can be because e.g. the record length has changed in a newer version.



                  A simply option would be then to use utmpdump instead:



                  utmpdump /var/log/wtmp.1  | less


                  Oh, and less can be quitted using q (from "quit" ;-) )







                  share|improve this answer














                  share|improve this answer



                  share|improve this answer








                  edited Feb 12 at 11:10









                  Mr Shunz

                  2,49121922




                  2,49121922










                  answered Feb 12 at 10:37









                  KeesKees

                  1




                  1






























                      draft saved

                      draft discarded




















































                      Thanks for contributing an answer to Ask Ubuntu!


                      • Please be sure to answer the question. Provide details and share your research!

                      But avoid



                      • Asking for help, clarification, or responding to other answers.

                      • Making statements based on opinion; back them up with references or personal experience.


                      To learn more, see our tips on writing great answers.




                      draft saved


                      draft discarded














                      StackExchange.ready(
                      function () {
                      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f443206%2fhow-to-read-older-login-info-using-the-last-command%23new-answer', 'question_page');
                      }
                      );

                      Post as a guest















                      Required, but never shown





















































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown

































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown







                      -

                      Popular posts from this blog

                      How to change which sound is reproduced for terminal bell?

                      Image
                      3 Recently upgrade to 18.10 from 18.04, and using the terminal is becoming annoying: the new alert sound is a drip ( /usr/share/sounds/gnome/default/alerts/drip.ogg ), and the previous one is still located at ( /usr/share/sounds/ubuntu/stereo/bell.ogg ). My issue is that at the gnome-terminal, when autocompleting or pressing left BOTH sounds are reproduced, at the same time. I want to just have ubuntu/stereo/bell.ogg active, not both . At the moment I have been only able to reduce the volume of the alerts (but still both are played), or turn the alerts down (but I dislike both "solutions"). gnome-terminal 18.10 teminal-bell share | improve this question
                      Read more

                      Title Spacing in Bjornstrup Chapter, Removing Chapter Number From Contents

                      Image
                      up vote 5 down vote favorite 2 I would like to make it so that the vertical space below the title of each chapter is the same when using the Bjornstrup package (i.e. so that the descenders do not affect the spacing - as shown by the red arrow in the picture below). I think I'm fairly happy with the spacing around "A chapter", so I'd really like titles without descenders (e.g. "Contents") to have the same vertical spacing as "A chapter" below the title. I would also like to remove the large "0" in the contents title. Any help appreciated, as always. documentclass[11pt,a4paper]{book} % Packages[![enter image description here][1]][1] usepackage[left=3.5cm, right=3.5cm, top=4.3cm, bottom=4.25cm]{geometry} usepackage[utf8]{inputenc} usepackage{libertine} usepackage[libertine]{newtx
                      Read more

                      Can I use Tabulator js library in my java Spring + Thymeleaf project?

                      Image
                      0 I want to add Tabulator js to my java project. I added tabulator.min.js, tabulator.min.css to resources folder. After that added to my html page these dependencies as recommending in readme.md. <link rel="stylesheet" th:href="@{/css/tabulator.min.css}"> <script type="text/javascript" th:src="@{/js/tabulator.min.js}"></script> Now my tables view all elements, that I have in the html page, but not correct. In the documentation of Tabulator is example how to create header and table, var table = new Tabulator("#example-table", { columns:[ {title:"Name", field:"name", sorter:"string", width:200, editor:true}, {title:"Age", field:"age", sorter:"
                      Read more