How to view SSH user login log under Linux

Source: Internet
Author: User
Tags: syslog

The Linux login logs are kept in the following directory:
cd /var/log
To view the login log for SSH users:
less secure
Linux Log Management:

1. Introduction to the Log

Logs are important for security: they record the many things that happen in the system every day, so you can look up the cause of an error or the traces left by an attacker. The main functions of the log are auditing and monitoring. It can also be used to monitor system status in real time and to monitor and trace intruders, among other things.

In a Linux system, there are three main log subsystems:

Connection-time log: maintained by several programs, which write records to /var/log/wtmp and /var/run/utmp. login and other programs update the wtmp and utmp files, enabling system administrators to track who is logged on to the system.

Process statistics: performed by the system kernel. When a process terminates, the kernel writes a record for that process to the process statistics file (pacct or acct). The purpose of process statistics is to provide command usage statistics for basic services in the system.

Error log: handled by syslogd(8). Various system daemons, user programs, and the kernel report noteworthy events to the file /var/log/messages through syslog(3). Many other UNIX programs create logs of their own; servers that provide network services, such as HTTP and FTP, also maintain detailed logs. The usual log files are as follows:

access-log: records HTTP/web transfers

acct/pacct: records user commands

aculog: records modem activity

btmp: records failed login attempts

lastlog: records the most recent successful login and the last unsuccessful login for each user

messages: information logged by syslog (on some systems a link to the syslog file)

sudolog: records commands run with sudo

sulog: records use of the su command

syslog: information logged by syslog (usually linked to the messages file)

utmp: records each user who is currently logged on

wtmp: permanent record of each user's login and logout times

xferlog: records FTP sessions

The utmp, wtmp, and lastlog files are at the core of most reuses of the UNIX log subsystem: they keep the login and logout records for each user. Information about currently logged-on users is recorded in utmp, the login and logout records are in wtmp, and the last-login file is read with the lastlog command. Data exchange, shutdown, and restart events are also recorded in wtmp. All records carry timestamps. These files (usually excluding lastlog) grow very quickly on systems with many users; wtmp in particular grows without bound unless it is truncated regularly. Many systems therefore configure wtmp to be rotated daily or weekly, typically by a script run from cron that rotates the file by renaming it: at the end of the first day wtmp becomes wtmp.1, then wtmp.1 becomes wtmp.2, and so on up to wtmp.7.

Each time a user logs in, the login program looks up the user's UID in lastlog. If an entry is found, the time of the user's last login and logout and the host name are written to standard output, and login then records the new login time in lastlog. After the new lastlog record is written, the utmp file is opened and the user's utmp record is inserted. This record is deleted when the user logs out. The utmp file is used by various commands, including who, w, users, and finger.

Next, the login program opens wtmp and appends the user's utmp record. When the user logs out, the same utmp record, with an updated timestamp, is appended to the file again. The wtmp file is used by the programs last and ac.

2. Specific commands

wtmp and utmp are binary files: they cannot be cut with commands such as tail or concatenated with cat. Users need who, w, users, last, and ac to make use of the information in these two files.

who: the who command queries the utmp file and reports each user who is currently logged on. The default output includes the user name, terminal, login time, and remote host. For example, who (Enter) displays:

chyang pts/0 18 15:06
ynguo pts/2 18 15:32
ynguo pts/3 18 13:55
lewis pts/4 18 13:35
ynguo pts/7 18 14:12
ylou pts/8 18 14:15

If a wtmp file name is given, who queries all previous records: who /var/log/wtmp reports every login since the wtmp file was created or truncated.

w: the w command queries the utmp file and displays information about each user on the system and the process they are running. For example, w (Enter) displays:

3:36pm up 1 day, 22:34, 6 users, load average: 0.23, 0.29, 0.27

USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
chyang pts/0 202.38.68.242 3:06pm 2:04 0.08s 0.04s -bash
ynguo pts/2 202.38.79.47 3:32pm 0.00s 0.14s 0.05s w
lewis pts/3 202.38.64.233 1:55pm 30:39 0.27s 0.22s -bash
lewis pts/4 202.38.64.233 1:35pm 6.00s 4.03s 0.01s sh /home/users/
ynguo pts/7 simba.nic.ustc.e 2:12pm 0.00s 0.47s 0.24s telnet mail
ylou pts/8 202.38.64.235 2:15pm 1:09m 0.10s 0.04s -bash

users: the users command prints the currently logged-on users on a single line, one name per login session. If a user has more than one login session, the name appears that many times. For example, users (Enter) displays: chyang lewis lewis ylou ynguo ynguo

last: the last command searches back through wtmp and shows every user who has logged in since the file was created. For example, last (Enter) displays:

chyang pts/9 202.38.68.242 Tue 1 08:34 - 11:23 (02:49)
cfan pts/6 202.38.64.224 Tue 1 08:33 - 08:48 (00:14)
chyang pts/4 202.38.68.242 Tue 1 08:32 - 12:13 (03:40)
lewis pts/3 202.38.64.233 Tue 1 08:06 - 11:09 (03:03)
lewis pts/2 202.38.64.233 Tue 1 07:56 - 11:09 (03:12)
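Because wtmp is binary, the text output of last is what an auditor normally works from. The following added shell example, which is not part of the original page, totals session time per user from that output: it handles the D+HH:MM form last uses for sessions longer than a day, and skips open sessions, the reboot and shutdown pseudo-users, and the "wtmp begins" footer. The sample is constructed: it is modelled on the page's own rows with a month added so the lines look like real last output, plus extra lines for the edge cases just named.

```shell
#!/bin/sh
# Added example (not from the original page): total up per-user session time
# from the text output of last(1).

# Constructed sample modelled on the page's rows. A month is added, and a
# multi-day session, an open session, a reboot pseudo-user and the trailing
# "wtmp begins" line are included to exercise the cases the parser must
# skip or handle.
sample_last() {
    cat <<'EOF'
chyang   pts/9        202.38.68.242    Tue Jun  1 08:34 - 11:23  (02:49)
cfan     pts/6        202.38.64.224    Tue Jun  1 08:33 - 08:48  (00:14)
chyang   pts/4        202.38.68.242    Tue Jun  1 08:32 - 12:13  (03:40)
lewis    pts/3        202.38.64.233    Tue Jun  1 08:06 - 11:09  (03:03)
lewis    pts/2        202.38.64.233    Tue Jun  1 07:56 - 11:09  (03:12)
lewis    pts/5        202.38.64.233    Sun May 30 22:10 - 00:10  (1+02:00)
ynguo    pts/7        202.38.79.47     Tue Jun  1 13:00   still logged in
reboot   system boot  2.6.18           Mon May 31 09:00 - 11:09  (02:09)

wtmp begins Mon May 31 09:00:00 2010
EOF
}

# Read last(1) output on stdin; print "user sessions HH:MM" per user, sorted.
summarize_last() {
    awk '
        # Skip the reboot/shutdown pseudo-users and anything that does not
        # end in a closed "(duration)": open sessions, blank lines and the
        # "wtmp begins" footer.
        $1 == "reboot" || $1 == "shutdown" { next }
        $NF !~ /^\([0-9+:]+\)$/ { next }
        {
            dur = $NF
            gsub(/[()]/, "", dur)
            days = 0
            # Sessions longer than a day are printed as D+HH:MM.
            if (index(dur, "+")) { split(dur, dp, "+"); days = dp[1]; dur = dp[2] }
            split(dur, hm, ":")
            minutes[$1] += days * 1440 + hm[1] * 60 + hm[2]
            sessions[$1]++
        }
        END {
            for (u in minutes)
                printf "%s %d %02d:%02d\n", u, sessions[u],
                       int(minutes[u] / 60), minutes[u] % 60
        }' | sort
}

# Run on the embedded sample. A rotated generation can be summarised with
#   last -f /var/log/wtmp.1 | summarize_last
sample_last | summarize_last
```

For the sample above the result is one line per real user: cfan with one 14-minute session, chyang with two sessions totalling 6:29, and lewis with three sessions totalling 32:15 because the multi-day session counts 26 hours.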


Viewing the logs on Linux:
# cd /var/log
# less secure
or
# less messages
Recent logins:
# last
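The commands at the top of the page and in the summary above (cd /var/log, less secure or less messages, last) leave the reading of the secure file to the operator. The following added shell example, not from the original page, does the first pass automatically: it parses sshd lines in the syslog format written to /var/log/secure on RHEL-family systems (Debian-family systems write the same lines to /var/log/auth.log) and reports unique successful logins and failed attempts per source address. The sample lines are constructed: the hostname, the pids, the user admin and the address 203.0.113.7 are invented for the demonstration, while the other users and addresses are taken from the page's own examples.

```shell
#!/bin/sh
# Added example (not from the original page): summarise sshd authentication
# lines in the syslog format of /var/log/secure (RHEL family) or
# /var/log/auth.log (Debian family). The hostname "host", the pids, the
# source 203.0.113.7 and the user "admin" are constructed sample values.

sample_auth_log() {
    cat <<'EOF'
Jun  1 08:34:02 host sshd[2301]: Accepted password for chyang from 202.38.68.242 port 51022 ssh2
Jun  1 08:35:10 host sshd[2310]: Failed password for invalid user admin from 203.0.113.7 port 40012 ssh2
Jun  1 08:35:12 host sshd[2310]: Failed password for invalid user admin from 203.0.113.7 port 40012 ssh2
Jun  1 08:35:15 host sshd[2312]: Failed password for root from 203.0.113.7 port 40020 ssh2
Jun  1 08:36:00 host sshd[2320]: Accepted publickey for lewis from 202.38.64.233 port 52000 ssh2
Jun  1 08:40:00 host sshd[2330]: Failed password for lewis from 202.38.64.233 port 52100 ssh2
Jun  1 08:40:05 host sshd[2330]: Accepted password for lewis from 202.38.64.233 port 52100 ssh2
Jun  1 08:41:00 host sshd[2340]: pam_unix(sshd:session): session opened for user lewis by (uid=0)
EOF
}

# Normalise sshd lines on stdin to "status user source method".
# The user is the word before "from", so "invalid user admin" and a plain
# "root" are extracted the same way; other sshd lines are ignored.
ssh_events() {
    awk '
        /sshd\[[0-9]+\]: (Accepted|Failed) / {
            status = ""; method = ""; user = ""; ip = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "Accepted" || $i == "Failed") { status = $i; method = $(i + 1) }
                if ($i == "from") { user = $(i - 1); ip = $(i + 1) }
            }
            if (status != "" && ip != "") print status, user, ip, method
        }'
}

# Unique successful logins: "user source method".
accepted_logins() {
    ssh_events | awk '$1 == "Accepted" { print $2, $3, $4 }' | sort -u
}

# Failed attempts per source address, busiest first: "count source".
failed_by_source() {
    ssh_events | awk '$1 == "Failed" { n[$3]++ } END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Source addresses with at least $1 failures, for review or blocking.
sources_over_threshold() {
    failed_by_source | awk -v t="$1" '$1 + 0 >= t + 0 { print $2 }'
}

echo "== accepted logins ==";    sample_auth_log | accepted_logins
echo "== failures by source =="; sample_auth_log | failed_by_source
echo "== 3 or more failures =="; sample_auth_log | sources_over_threshold 3
```

In use, replace sample_auth_log with a real source such as less or cat on /var/log/secure (or the rotated secure.1), or on systemd hosts journalctl -u sshd; a successful login that follows a run of failures from the same address, as with lewis above, is the pattern worth reviewing.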
