Note
Disclaimer: This document may contain third-party product information, which is for informational purposes only. Alibaba Cloud does not make a guarantee in any form of the performance and reliability of the third-party products, and potential impacts of operations on these products.
Overview
This topic describes how to obtain user logon records from a Linux ECS instance.
Description
The relevant files are described below.
- Information about user logons is typically recorded in files such as /var/run/utmp, /var/log/wtmp, /var/log/btmp, and /var/log/lastlog.
- Commands such as who, w, and users use the /var/run/utmp file to query information about the users who are currently logged on.
- The last and ac commands use the /var/log/wtmp file to query information about users who are logged on to the system now or were logged on in the past.
- The lastb command uses the /var/log/btmp file to query information about all users who failed to log on to the system.
- The lastlog command uses the /var/log/lastlog file to query information about each user's last logon.
The following list describes what each command does and the result that it returns.
- The who command displays information about the users who are currently logged on. The following result is returned.
# who
root pts/0 2015-05-16 12:09 (XXX.XXX.XXX.XXX)
root pts/1 2015-05-16 12:54 (XXX.XXX.XXX.XXX)
root pts/2 2015-05-16 13:21 (XXX.XXX.XXX.XXX)
root pts/3 2015-05-16 13:21 (XXX.XXX.XXX.XXX)
- The w command displays the users who are currently logged on and the task that each user is running. The following result is returned:
# w
15:41:39 up 5 days, 1:51, 7 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 XXX.XXX.XXX.XXX 12:09 2:14m 0.05s 0.05s mysql -ujacky -px xxxx
root pts/1 XXX.XXX.XXX.XXX 12:54 34:49 0.35s 0.35s mysql -ujacky -px xxxx
root pts/2 XXX.XXX.XXX.XXX 13:21 2:13m 0.00s 0.00s -bash
- The users command displays the names of the users who are currently logged on. The following result is returned.
# users
root root root root root root root
- The last command displays information about the current and past users who logged on to the system. The following result is returned:
# last
root pts/6 XXX.XXX.XXX.XXX Sat May 16 15:31 still logged in
root pts/5 XXX.XXX.XXX.XXX Sat May 16 15:25 still logged in
root pts/4 XXX.XXX.XXX.XXX Sat May 16 15:07 still logged in
root pts/3 XXX.XXX.XXX.XXX Sat May 16 13:21 still logged in
- The lastb command displays information about all users who failed to log on to the system. The returned result is similar to the following.
# lastb
root ssh:notty XXX.XXX.XXX.XXX Sat May 16 02:06 - 02:06 (00:00)
root ssh:notty XXX.XXX.XXX.XXX Sat May 16 02:06 - 02:06 (00:00)
root ssh:notty XXX.XXX.XXX.XXX Sat May 16 01:58 - 01:58 (00:00)
- The lastlog command displays information about each user's last logon. The following result is returned.
# lastlog
Username Port From Latest
root pts/6 XXX.XXX.XXX.XXX Sat May 16 15:31:48 +0800 2015
bin **Never logged in**
daemon **Never logged in**
- You can also view logon records in the /var/log/secure file. The following result is returned.
# cat /var/log/secure
Jun 9 08:42:10 iZ25bvxoe7qZ sshd[21418]: Accepted password for root from XXX.XXX.XXX.XXX port 32907 ssh2
Jun 9 08:42:10 iZ25bvxoe7qZ sshd[21418]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jun 9 08:42:10 iZ25bvxoe7qZ sshd[21420]: Accepted password for root from XXX.XXX.XXX.XXX port 33969 ssh2
Jun 9 08:42:10 iZ25bvxoe7qZ sshd[21420]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jun 9 08:42:10 iZ25bvxoe7qZ sshd[21420]: subsystem request for sftp by user root
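The following is an added example, not part of the original document: a shell function that summarizes the sshd entries of a /var/log/secure-format log by result, user name, and source address. It goes beyond the sample above by also counting "Failed" lines; the function names, the host name, and the log lines in it are constructed for illustration.

```shell
#!/bin/sh
# Added example: count sshd logon results per (result, user, source address).
# Reads lines in /var/log/secure format on stdin and prints
# RESULT<TAB>USER<TAB>ADDRESS<TAB>COUNT, sorted.
ssh_login_summary() {
    awk '
    $5 ~ /^sshd\[[0-9]+\]:$/ && ($6 == "Accepted" || $6 == "Failed") && $8 == "for" {
        first = 9                       # field where the user name starts
        if ($9 == "invalid" && $10 == "user") first = 11
        # The user name in a Failed line is supplied by the client and may
        # contain spaces, so locate the last "from ADDR port" triple.
        from = 0
        for (i = NF - 2; i > first; i--)
            if ($i == "from" && $(i + 2) == "port") { from = i; break }
        if (!from) next                 # unexpected layout: skip the line
        user = $first
        for (i = first + 1; i < from; i++) user = user " " $i
        count[$6 "\t" user "\t" $(from + 1)]++
    }
    END { for (k in count) print k "\t" count[k] }
    ' | LC_ALL=C sort
}

# Constructed sample lines (documentation addresses, hypothetical host name).
sample_secure_log() {
    cat <<'EOF'
Jun  9 08:42:10 host1 sshd[21418]: Accepted password for root from 192.0.2.10 port 32907 ssh2
Jun  9 08:42:10 host1 sshd[21418]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jun  9 08:42:11 host1 sshd[21420]: Accepted password for root from 192.0.2.10 port 33969 ssh2
Jun  9 08:43:02 host1 sshd[21500]: Failed password for root from 198.51.100.7 port 40022 ssh2
Jun  9 08:43:05 host1 sshd[21500]: Failed password for root from 198.51.100.7 port 40022 ssh2
Jun  9 08:43:09 host1 sshd[21502]: Failed password for invalid user test from 203.0.113.5 port 51514 ssh2
Jun  9 08:44:00 host1 sshd[21510]: Failed password for invalid user a from b from 203.0.113.5 port 51600 ssh2
EOF
}

# Demo on the constructed sample.
sample_secure_log | ssh_login_summary
```

On an instance, feed the real log to the function with `ssh_login_summary < /var/log/secure`; reading that file normally requires root.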
Applicable scope
- Elastic Compute Service (ECS)