Commands for retrieving user login records on Linux
Overview
User login information is normally recorded in /var/run/utmp, /var/log/wtmp, /var/log/btmp and /var/log/lastlog.
The who, w and users commands read /var/run/utmp to report the users currently logged in.
The last and ac commands read /var/log/wtmp to report current and past logins.
The lastb command reads /var/log/btmp to report all failed login attempts.
The lastlog command reads /var/log/lastlog to report each user's most recent login.
Examples
who shows the users currently logged in:
# who
root pts/0 2024-08-29 15:00 (XXX.XXX.XXX.XXX)
root pts/1 2024-08-29 13:24 (XXX.XXX.XXX.XXX)
root pts/2 2024-08-29 12:12 (XXX.XXX.XXX.XXX)
w shows the users currently logged in together with the task each one is running:
# w
16:31:54 up 8:12, 1 user, load average: 0.07, 0.06, 0.07
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 XXX.XXX.XXX.XXX 15:27 1.00s 0.05s 0.00s w
users prints the names of the users currently logged in:
# users
root root root
last shows current and past logins:
# last
root pts/0 112.37.128.201 Thu Aug 29 15:27 still logged in
root pts/2 112.37.128.201 Thu Aug 29 13:00 - 15:23 (02:23)
root pts/1 112.37.128.201 Thu Aug 29 12:59 - 13:00 (00:00)
root pts/0 112.37.128.201 Thu Aug 29 12:11 - 15:04 (02:53)
root pts/3 112.37.128.201 Thu Aug 29 09:17 - 13:24 (04:06)
root pts/2 112.37.128.201 Thu Aug 29 09:04 - 11:17 (02:13)
root pts/1 112.37.128.201 Thu Aug 29 08:50 - 11:04 (02:13)
root pts/0 112.37.128.201 Thu Aug 29 08:25 - 10:39 (02:13)
reboot system boot 5.10.134-17.al8. Thu Aug 29 08:19 still running
lastb shows all failed login attempts:
# lastb
mongodb ssh:notty 8.218.xx.123 Fri Aug 2 07:37 - 07:37 (00:00)
alex ssh:notty 8.218.xx.123 Fri Aug 2 07:35 - 07:35 (00:00)
nico ssh:notty 8.218.xx.123 Fri Aug 2 07:32 - 07:32 (00:00)
axioma ssh:notty 8.218.xx.123 Fri Aug 2 07:32 - 07:32 (00:00)
relay ssh:notty 8.218.xx.123 Fri Aug 2 07:30 - 07:30 (00:00)
mgonzale ssh:notty 8.218.xx.123 Fri Aug 2 07:29 - 07:29 (00:00)
ray ssh:notty 8.218.xx.123 Fri Aug 2 07:28 - 07:28 (00:00)
lgsm ssh:notty 8.218.xx.123 Fri Aug 2 07:27 - 07:27 (00:00)
postgres ssh:notty 8.218.xx.123 Fri Aug 2 07:26 - 07:26 (00:00)
ssh:notty 65.xx.x.71 Fri Aug 2 03:05 - 03:05 (00:00)
test02 ssh:notty 47.108.xx.39 Thu Aug 1 20:08 - 20:08 (00:00)
admin5 ssh:notty 47.108.xx.39 Thu Aug 1 20:07 - 20:07 (00:00)
debian ssh:notty 47.108.xx.39 Thu Aug 1 20:06 - 20:06 (00:00)
es ssh:notty 47.108.xx.39 Thu Aug 1 20:04 - 20:04 (00:00)
admin ssh:notty 47.108.xx.39 Thu Aug 1 20:03 - 20:03 (00:00)
testuser ssh:notty 47.108.xx.39 Thu Aug 1 19:59 - 19:59 (00:00)
ssh:notty 44.220.xx.253 Thu Aug 1 13:03 - 13:03 (00:00)
lastlog shows each user's most recent login:
# lastlog
Username Port From Latest
root pts/0 XXX.XX.XXX.XXX Thu Aug 21 15:27:22 +0800 2024
bin **Never logged in**
daemon **Never logged in**
adm **Never logged in**
lp **Never logged in**
sync **Never logged in**
shutdown **Never logged in**
halt **Never logged in**
mail **Never logged in**
operator **Never logged in**
games **Never logged in**
ftp **Never logged in**
nobody **Never logged in**
dbus **Never logged in**
systemd-coredump **Never logged in**
Login events can also be inspected in the /var/log/secure log file:
# cat /var/log/secure
Aug 25 04:01:00 iZ2zef7ewmnrswnajioq4eZ sshd[285970]: error: kex_exchange_identification: Connection closed by remote host
Aug 25 04:05:04 iZ2zef7ewmnrswnajioq4eZ sshd[287328]: error: kex_exchange_identification: Connection closed by remote host
Aug 25 04:09:07 iZ2zef7ewmnrswnajioq4eZ sshd[288689]: error: kex_exchange_identification: Connection closed by remote host
Aug 25 04:13:07 iZ2zef7ewmnrswnajioq4eZ sshd[290024]: error: kex_exchange_identification: Connection closed by remote host
Aug 25 04:17:04 iZ2zef7ewmnrswnajioq4eZ sshd[291344]: error: kex_exchange_identification: Connection closed by remote host
.......
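who, last and lastb all decode the same fixed-size binary records from utmp, wtmp and btmp. The following added example (not from the original article) reads such records directly in Python, which is useful when the last/lastb binaries on a compromised host cannot be trusted. It assumes the glibc struct utmp layout on x86_64 (384 bytes per record); the btmp sample is constructed here, modelled on the lastb output above.

```python
import struct
from datetime import datetime, timezone

# Assumed layout: glibc `struct utmp` on x86_64, 384 bytes per record.
# Check before use: the size of /var/log/wtmp or /var/log/btmp must be a multiple of 384.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
UT_TYPES = {0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 5: "INIT_PROCESS",
            6: "LOGIN_PROCESS", 7: "USER_PROCESS", 8: "DEAD_PROCESS"}


def cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_utmp(data: bytes) -> list:
    """Return one dict per record of a utmp/wtmp/btmp byte string."""
    if len(data) % UTMP_SIZE:
        raise ValueError("size not a multiple of %d: truncated file or other libc layout" % UTMP_SIZE)
    records = []
    for off in range(0, len(data), UTMP_SIZE):
        fields = struct.unpack_from(UTMP_FMT, data, off)
        ut_type, pid, line, _ut_id, user, host = fields[:6]
        tv_sec = fields[9]  # ut_tv.tv_sec
        records.append({"type": UT_TYPES.get(ut_type, str(ut_type)), "pid": pid,
                        "line": cstr(line), "user": cstr(user), "host": cstr(host),
                        "time": datetime.fromtimestamp(tv_sec, tz=timezone.utc)})
    return records


def attempts_by_host(records: list) -> dict:
    """Count records per source host (for btmp: failed logins per source)."""
    counts = {}
    for rec in records:
        counts[rec["host"]] = counts.get(rec["host"], 0) + 1
    return counts


def make_record(ut_type: int, pid: int, line: str, user: str, host: str, tv_sec: int) -> bytes:
    """Pack one record; used here only to build the constructed sample."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


# Constructed btmp sample (oldest first, as on disk), modelled on the lastb output above.
SAMPLE_BTMP = b"".join([
    make_record(7, 3900, "ssh:notty", "test02", "47.108.xx.39", 1722542880),   # 2024-08-01 20:08 UTC
    make_record(7, 4098, "ssh:notty", "alex", "8.218.xx.123", 1722584100),     # 2024-08-02 07:35 UTC
    make_record(7, 4101, "ssh:notty", "mongodb", "8.218.xx.123", 1722584220),  # 2024-08-02 07:37 UTC
])

if __name__ == "__main__":
    for rec in parse_utmp(SAMPLE_BTMP):
        print(rec["user"].ljust(10), rec["line"].ljust(10), rec["host"].ljust(14), rec["time"])
    print(attempts_by_host(parse_utmp(SAMPLE_BTMP)))
```

To read a real file, replace SAMPLE_BTMP with the contents of /var/log/btmp (root-readable) and print the records in reverse to match lastb's newest-first order.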
This is an original article, licensed under CC BY-NC-ND 4.0; when reproducing it in full, please credit mrover.