
Obtain user logon records on a Linux ECS instance

Last Updated: Apr 27, 2022

Disclaimer: This document may contain third-party product information, which is for informational purposes only. Alibaba Cloud does not make a guarantee in any form of the performance and reliability of the third-party products, and potential impacts of operations on these products.

 

Overview

This topic describes how to obtain user logon records from a Linux ECS instance.

 

Description

The relevant files are described below.

  • User logon information is typically recorded in the /var/run/utmp, /var/log/wtmp, /var/log/btmp, and /var/log/lastlog files.
  • The who, w, and users commands read the /var/run/utmp file to query information about the users who are currently logged on.
  • The last and ac commands read the /var/log/wtmp file to query information about users who are currently logged on or who logged on to the system in the past.
  • The lastb command reads the /var/log/btmp file to query information about all users who failed to log on to the system.
  • The lastlog command reads the /var/log/lastlog file to query information about each user's last logon.

 

The following list describes what each command does and the results it returns.

  • The who command displays information about the users who are currently logged on. The following result is returned:
# who
root     pts/0        2015-05-16 12:09 (XXX.XXX.XXX.XXX)
root     pts/1        2015-05-16 12:54 (XXX.XXX.XXX.XXX)
root     pts/2        2015-05-16 13:21 (XXX.XXX.XXX.XXX)
root     pts/3        2015-05-16 13:21 (XXX.XXX.XXX.XXX)
  • The w command displays the users who are currently logged on and the task that each user is currently running. The following result is returned:
# w
 15:41:39 up 5 days,  1:51,  7 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    XXX.XXX.XXX.XXX    12:09    2:14m  0.05s  0.05s mysql -ujacky -px xxxx 
root     pts/1    XXX.XXX.XXX.XXX    12:54   34:49   0.35s  0.35s mysql -ujacky -px xxxx
root     pts/2    XXX.XXX.XXX.XXX    13:21    2:13m  0.00s  0.00s -bash
  • The users command displays the usernames of the users who are currently logged on. The following result is returned:
# users
root root root root root root root
  • The last command displays information about users who are currently logged on and users who logged on to the system in the past. The following result is returned:
# last
root     pts/6        XXX.XXX.XXX.XXX    Sat May 16 15:31   still logged in   
root     pts/5        XXX.XXX.XXX.XXX    Sat May 16 15:25   still logged in   
root     pts/4        XXX.XXX.XXX.XXX    Sat May 16 15:07   still logged in   
root     pts/3        XXX.XXX.XXX.XXX    Sat May 16 13:21   still logged in
  • The lastb command displays information about all users who failed to log on to the system. A result similar to the following is returned:
# lastb
root     ssh:notty    XXX.XXX.XXX.XXX      Sat May 16 02:06 - 02:06  (00:00)    
root     ssh:notty    XXX.XXX.XXX.XXX      Sat May 16 02:06 - 02:06  (00:00)    
root     ssh:notty    XXX.XXX.XXX.XXX      Sat May 16 01:58 - 01:58  (00:00)
  • The lastlog command displays information about each user's last logon. The following result is returned:
# lastlog
Username         Port     From             Latest
root             pts/6    XXX.XXX.XXX.XXX  Sat May 16 15:31:48 +0800 2015
bin                                        **Never logged in**
daemon                                     **Never logged in**
  • You can also view logon records in the /var/log/secure file. The following result is returned:
# cat /var/log/secure
Jun  9 08:42:10 iZ25bvxoe7qZ sshd[21418]: Accepted password for root from XXX.XXX.XXX.XXX port 32907 ssh2
Jun  9 08:42:10 iZ25bvxoe7qZ sshd[21418]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jun  9 08:42:10 iZ25bvxoe7qZ sshd[21420]: Accepted password for root from XXX.XXX.XXX.XXX port 33969 ssh2
Jun  9 08:42:10 iZ25bvxoe7qZ sshd[21420]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jun  9 08:42:10 iZ25bvxoe7qZ sshd[21420]: subsystem request for sftp by user root
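
The /var/log/wtmp and /var/log/btmp files described above are sequences of fixed-size binary records, so they can also be read directly, for example from a copy of the files taken off the instance. The following is an added example, not part of the original document: it assumes the 384-byte glibc struct utmp layout used on x86_64 Linux, and the function names and sample records are constructed for illustration.

```python
import struct
from collections import Counter
from datetime import datetime, timezone

# Assumption: glibc "struct utmp" layout on x86_64 Linux, 384 bytes per record.
UTMP = struct.Struct("<h2xi32s4s32s256shhiii16s20x")
BOOT_TIME, LOGIN_PROCESS, USER_PROCESS, DEAD_PROCESS = 2, 6, 7, 8  # ut_type values

def _text(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def parse_records(data):
    """Yield one dict per complete record; a trailing partial record is skipped."""
    for off in range(0, len(data) - UTMP.size + 1, UTMP.size):
        (typ, pid, line, _id, user, host,
         _term, _exit, _sess, sec, _usec, _addr) = UTMP.unpack_from(data, off)
        yield {"type": typ, "pid": pid, "line": _text(line), "user": _text(user),
               "host": _text(host), "time": datetime.fromtimestamp(sec, timezone.utc)}

def failed_by_host(btmp_data):
    """Count failed-logon records per source host (the data lastb prints)."""
    return Counter(r["host"] for r in parse_records(btmp_data))

def open_sessions(wtmp_data):
    """Map terminal line -> login record for logins with no later logout record."""
    live = {}
    for r in parse_records(wtmp_data):
        if r["type"] == USER_PROCESS:
            live[r["line"]] = r
        elif r["type"] == DEAD_PROCESS:
            live.pop(r["line"], None)
        elif r["type"] == BOOT_TIME:
            live.clear()  # a reboot ends every earlier session
    return live

def make_record(typ, pid, line, user, host, sec):
    """Build one constructed record for the demo below (not real log data)."""
    return UTMP.pack(typ, pid, line.encode(), b"", user.encode(), host.encode(),
                     0, 0, 0, sec, 0, b"")

# Constructed samples using documentation address ranges (RFC 5737).
SAMPLE_WTMP = (make_record(USER_PROCESS, 1001, "pts/0", "root", "192.0.2.10", 1431749340)
               + make_record(USER_PROCESS, 1002, "pts/1", "root", "192.0.2.10", 1431752040)
               + make_record(DEAD_PROCESS, 1001, "pts/0", "", "", 1431755000))
SAMPLE_BTMP = b"".join(make_record(LOGIN_PROCESS, 0, "ssh:notty", "root", h, 1431741960)
                       for h in ("198.51.100.7", "198.51.100.7", "192.0.2.99"))

if __name__ == "__main__":
    # For real data, read a copy of the file: open("/var/log/btmp", "rb").read()
    for host, n in failed_by_host(SAMPLE_BTMP).most_common():
        print(f"{n:5d} failed logons from {host}")
    for line, r in open_sessions(SAMPLE_WTMP).items():
        print(f"{r['user']} on {line} from {r['host']} since {r['time']:%Y-%m-%d %H:%M} UTC")
```

Reading /var/log/btmp normally requires root privileges.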

 

Applicable scope

  • Elastic Compute Service (ECS)