View Centos User Logon records

View Centos User Logon records
First, we will briefly introduce the log files that record login information in Centos. Information about the current login user is recorded in the file utmp; logon entry and exit records are recorded in the file wtmp; you can use the lastlog command to view the last logon file.

Data exchange, shutdown, and restart are also recorded in the wtmp file. All records contain timestamps.
Each time a user logs on, the login program checks the user's UID in the lastlog file. If the logon time is found, the user's Last Logon Time, exit time, and host name are written to the standard output, and the login program records the new Logon Time in lastlog.
After a new lastlog is written, the utmp file is opened and the user's utmp record is inserted. This record is always used when a user logs on and exits. The utmp file is used by various command files, including who, w, users, and finger.
Next, the login program opens the file wtmp and appends the user's utmp record. When a user logs on and exits, the same utmp record with the updated timestamp is appended to the file. The wtmp file is used by the program last and ac.
The wtmp and utmp files are binary files. You need to use the information contained in these files using who, w, users, last, and ac.

The following describes how to view the Centos User Logon log.

1. who: The who command queries the utmp file and reports to each user currently logged on. The default output of Who includes the user name, terminal type, logon date, and remote host. Example: who (Press ENTER) display

The Code is as follows:

Root pts/0 (218.2.11.178)

2. If the wtmp file name is specified, the who command will query the logon records recorded before www.111cn. Net. Run the who/var/log/wtmp command to view all logon records. The result is as follows:

The Code is as follows:

Lxy ftpd5946 2013-01-09 16:48 (218.2.11.178)
Ipfangwen ftpd6036 2013-01-09 16:49 (218.2.11.178)
Zhaiken ftpd6064 2013-01-09 16:50 (218.2.11.178)
Beifen ftpd6065 2013-01-09 16:50 (218.2.11.178)
Root pts/0 (218.2.11.178)
Lxy ftpd9472 (218.2.11.178)
Lxy ftpd9482 2013-01-09 1731 (218.2.11.178)
Root pts/0 (218.2.11.178)
Dy. lxy. me ftpd9801 2013-01-25 16:15 (218.2.11.178)

3. last: The last command searches back for wtmp to display the users who have logged on since the first file creation. For example:

The Code is as follows:

Root pts/0 218.2.11.178 Tue Mar 4 10:03 still logged in
Root pts/0 218.2.11.178 Wed Feb 26)
Lxy ftpd18086 218.2.11.178 Wed Oct 9)
Root pts/0 218.2.11.178 Tue Oct 8)