How to read older login info using the “last” command?





8


The last command may show too few lines of user login info, truncated by when the “wtmp begins”.



If I want to get as much last info as possible (e.g., to see if my system was accessed from any unknown/suspicious IP using my username), how can I output the older “last” info?

(If I use last -2000, intending to see 2000 lines of output, the command may return just a few lines; anything that happened before the “wtmp begins” would be truncated.)



Just wondering somehow if it is possible to output as many lines of login info as possible.







command-line














edited Dec 3 '16 at 9:57 – Zanna

asked Apr 4 '14 at 7:35 – water stone













  • last -o might help. The man page says it reads old wtmp files. But on my system it doesn't give much info. Although wtmp begins is set to Jan 1 1970.

    – udiboy1209
    Apr 4 '14 at 7:41













  • That's funny. If you have more logins since 1970 than are shown in your log, then some setting may be incorrect.

    – water stone
    Apr 4 '14 at 8:57





























3 Answers
11

The last command uses the binary file /var/log/wtmp to show a listing of last logged in users.

But /var/log/wtmp is a rotated file where old entries are archived into /var/log/wtmp.x where x is a digit [0-9].

So if you need to look deeper in the login history, try to open one of those files:

last -2000 -f /var/log/wtmp.1 | less













edited Apr 4 '14 at 8:03

answered Apr 4 '14 at 7:58 – Sylvain Pineau













  • To read 2000 lines in a terminal it is better to pass it to less as last -2000 -f /var/log/wtmp.1 | less, +1 for nice answer

    – souravc
    Apr 4 '14 at 8:01

  • Good idea, thanks @souravc. I've edited my answer.

    – Sylvain Pineau
    Apr 4 '14 at 8:03

  • Thank you so very much! I noticed that the wtmp.1 file was automatically gzipped into wtmp.1.gz file, so I unzipped it, and used "last -f" to read, that is exactly what I needed. Thank you so much. Btw, the wtmp.1 seems still too recent, and I only have wtmp1 file (no other files such as wtmp2 etc in /var/log), if I want my system to store more info, how can I change the default system setting for this purpose?

    – water stone
    Apr 4 '14 at 8:21

  • Please create a new question to cover how many rotations should be archived.

    – Sylvain Pineau
    Apr 4 '14 at 8:26
































0

Update

Logs in /var/log/wtmp.1 are constrained.

Ubuntu 16 and probably 17 have a mechanism for deleting logs older than one month. To configure this behavior you should edit:

/etc/logrotate.conf

More info: Access to logs of startup and shut down

















answered Jun 15 '17 at 14:15 – Daniel
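
How far back wtmp reaches is decided by the stanza for /var/log/wtmp in /etc/logrotate.conf. The helper below is an added example, not part of the original answer: it reports the rotation frequency and rotate count in effect for one log. The function names log_retention and sample_conf and the sample configuration are constructed for illustration, and the parser assumes each stanza's opening brace sits on the same line as the log path.

```sh
#!/bin/sh
# Added example, not from the original answer. Assumes each stanza's opening
# brace is on the same line as the log path.

# Constructed sample input, not copied from a real system.
sample_conf() {
    cat <<'EOF'
# global defaults
weekly
rotate 4

/var/log/wtmp {
    monthly
    rotate 1
}

/var/log/btmp {
    monthly
}
EOF
}

# Print "<frequency> <rotate-count>" in effect for LOG ($1) according to
# CONF ($2). A directive missing from the stanza is inherited from the
# global section (the lines outside any { } block).
log_retention() {
    awk -v target="$1" '
        /^[ \t]*#/ { next }                       # comment line
        index($0, "{") {                          # a stanza opens here
            depth = 1; mine = 0
            for (i = 1; i <= NF; i++) if ($i == target) mine = 1
            next
        }
        index($0, "}") { depth = 0; mine = 0; next }
        depth && !mine { next }                   # stanza for another log
        $1 ~ /^(daily|weekly|monthly|yearly)$/ { if (mine) f = $1; else gf = $1 }
        $1 == "rotate" { if (mine) r = $2; else gr = $2 }
        END {
            if (f == "") f = gf
            if (r == "") r = gr
            print f, r
        }
    ' "$2"
}

# Usage: log_retention /var/log/wtmp /etc/logrotate.conf
```

A result of "monthly 1" means only one archive (wtmp.1) is kept, so login history older than about two months is gone; raising the rotate count makes logrotate keep more wtmp.N archives.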























0

If last -f /var/log/wtmp.1 doesn't give any output, this can be because, e.g., the record length has changed in a newer version.

A simple option would then be to use utmpdump instead:

utmpdump /var/log/wtmp.1  | less

Oh, and less can be quit using q (from "quit" ;-) )














edited Feb 12 at 11:10 – Mr Shunz

answered Feb 12 at 10:37 – Kees
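
The steps from the answers and comments above combined into one pass (read each rotated archive with last -f, unpack .gz archives first, fall back to utmpdump when last shows nothing), as an added example that is not code from any of the answers. It assumes the archives are named wtmp, wtmp.N or wtmp.N.gz in one directory; the function names wtmp_oldest_first and login_history are hypothetical.

```sh
#!/bin/sh
# Added example, not from the original answers. Assumes archives are named
# wtmp, wtmp.N or wtmp.N.gz in one directory (default /var/log).

# Print the wtmp files in DIR oldest first: highest rotation number first,
# the live wtmp file last. Other names (wtmp.bak, ...) are ignored.
wtmp_oldest_first() {
    dir=${1:-/var/log}
    for f in "$dir"/wtmp "$dir"/wtmp.*; do
        [ -f "$f" ] || continue
        n=${f##*/wtmp}              # "", ".1", ".2.gz", ...
        n=${n#.}
        n=${n%.gz}
        case $n in
            '')       n=0 ;;        # live file counts as rotation 0
            *[!0-9]*) continue ;;   # not a rotation number
        esac
        printf '%s\t%s\n' "$n" "$f"
    done | sort -rn | cut -f2-
}

# Print the login records of every archive, oldest archive first. last reads
# a file from its end, so a compressed archive is unpacked to a temp file
# instead of being piped. If last shows no records for a non-empty archive
# (the record-length case from the last answer), utmpdump is used instead.
login_history() {
    tmp=$(mktemp) || return 1
    wtmp_oldest_first "${1:-/var/log}" | while IFS= read -r f; do
        src=$f
        case $f in
            *.gz) gzip -dc "$f" > "$tmp" || continue
                  src=$tmp ;;
        esac
        [ -s "$src" ] || continue   # empty archive, nothing to show
        echo "== $f"
        # -F prints full timestamps, -i prints the source as an IP address.
        out=$(last -F -i -f "$src" 2>/dev/null) || out=
        # Count lines that are neither blank nor the "... begins ..." trailer.
        records=$(printf '%s\n' "$out" | grep -c -v -e '^$' -e ' begins ' || true)
        if [ "$records" -gt 0 ]; then
            printf '%s\n' "$out"
        else
            utmpdump "$src" 2>/dev/null || echo "unreadable: $f" >&2
        fi
    done
    rm -f "$tmp"
}

# Usage: login_history /var/log | less
```

Reading /var/log/wtmp* may need root or membership in the group that owns the files, depending on their permissions.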





























