Alex Ruben
How To View Login History on Linux and Ubuntu
If you’re running Ubuntu, it’s kinda weird how the logs don’t always show everything straightforwardly. Sometimes, you need to dig into the Terminal and get a bit manual about it. Maybe you’re trying to see if someone logged in while you were away, or just curious about recent access. Whatever the reason, this guide stacks all the common commands and tricks to peek into login history—including successful logins and failed attempts—so you get a clearer picture of who’s been on your system. Expect to get comfortable with last, lastb, and maybe even some sudo magic, to really see what’s up. Just a heads up, it’s not always perfect—sometimes logs are cleared or rotated—but it’ll cover most typical cases.
How to Fix or Check Login History on Ubuntu
Check if the login logs are available and how to view successful logins
First, you wanna see recent successful logins. The simple command last usually does the trick — it’s been around forever in Linux. It pulls data from /var/log/wtmp, but sometimes if logs are rotated or cleared, you might not see everything. You VPN into the Terminal (Ctrl + Alt + T) and just type:
last
It’ll list recent logins with info like usernames, login times, and how long each session lasted. Watch out for “reboot” entries—they just mean your system was restarted, so that’s normal. What’s useful here is that you get a quick snapshot without much fuss. If you notice some weird usernames or strange login times, that might be worth a deeper dive.
How to see failed login attempts (because of course, some hackers try)
Now, to see failed login attempts, it’s a little trickier. Ubuntu doesn’t show failed attempts with last, but the command lastb will—if you have the right permissions. It reads from /var/log/btmp. If it’s not working right away, you might need admin rights, so just prepend sudo:
sudo lastb
This will output a list of failed tries — maybe you’ll see multiple attempts, which isn’t great news but at least you’re informed. Keep in mind, sometimes logs are rotated or not enabled for auditing, so don’t expect a foolproof system here.
Dealing with permissions — because Linux sometimes makes you work for it
If you get permission denied when running lastb, just add sudo. That’s how Linux keeps logs somewhat safe from tampering. Entering sudo lastb prompts for your password, then it’ll display the failed logins. On some setups, this command might not show anything if logging failed login attempts isn’t enabled or logs are wiped, but it’s worth a shot.
How to exit long logs when they flood your screen
If you’re poking around and the output is long—kind of annoying—you can exit by pressing Q. That’s the usual pager behavior. Sometimes the logs are huge, especially if you haven’t cleaned logs in a while, so consider redirecting or filtering if you’re hunting something specific.
Extra tips and common issues that trip people up
Keep in mind, logs depend on your system’s configuration. If you don’t see what you’re after, check whether logging services like rsyslog or systemd-journald are running properly. Also, logs might be rotated or expired after a certain period—so recent activity is usually fine, but older info might be gone. And if you’re paranoid, consider setting up more advanced logs—like Fail2Ban or auditd—to keep track of everything.
Another weird thing—sometimes running last or lastb on a fresh install shows next to nothing unless the logs are still intact. The same goes if logs have been cleared manually or during system cleanups. Just something to be aware of, because Windows has to make it harder than necessary, right?
Wrap-up
Spying on login history in Ubuntu isn’t super complicated, but it’s not exactly seamless either—depends how logs are managed. Most of the time, last and sudo lastb are your best bets. Keep tabs regularly, and if you notice something fishy, change passwords or tighten security. It’s a good way to stay ahead of potential issues. After a while, you get the hang of which logs mean what, and can spot unusual activity faster.
Summary
- Use
lastfor recent successful logins - Use
sudo lastbfor failed login attempts - Check logs are enabled and not rotated
- Remember, logs can be cleared or limited, so don’t rely on them 100%
- Monitor logs regularly if security’s a concern
Conclusion
Getting a handle on who’s been logging into your Ubuntu isn’t rocket science, but it’s sometimes frustrating if logs aren’t there or not detailed enough. Still, these commands cover most common scenarios. Keep an eye on the logs if you suspect someone’s trying to get in, and don’t forget to keep your system updated and secure—because of course, Linux has to make it a little more complicated than it needs to be. Hopefully, this saves someone a few hours of guessing and poking around.