How to parse the Linux past command to screen particular logins



Picture: Jack Wallen

Likelihood are, your knowledge center makes use of Linux equipment. That currently being the situation, you might be going to want to know how to retain tabs on people servers. The moment this kind of area you could want to regularly test is who has logged into a server and when they logged in. Luckily, there’s a developed-in command to choose treatment of that incredibly activity. The command is past and I am going to clearly show you how to make use of it so you can far better comprehend who has logged into your machine and when.

The command

Merely set, the past command displays a listing of the past buyers logged into a process. People also includes reboot, so it truly is truly quick to use this exact command to locate out when a process was rebooted.

Past functions with wtmp to retrieve login tries recorded in the utmp file. Together this makes for an quick to use process to retain tabs on the historical knowledge of who is (and has been) logged into a Linux machine.

The fundamental command past will screen every single login endeavor since wtmp commenced recording (Figure A).

Figure A


Picture: Jack Wallen

Of training course, you do not want to have to scroll as a result of that enormous total of output. To that finish, past delivers a several options to make parsing the output a little bit easier. Past understands the pursuing arguments:

  • YYYYMMDDhhmmss
  • YYYY-MM-DD hh:mm:ss
  • YYYY-MM-DD hh:mm
  • hh:mm:ss
  • Hh:mm
  • yesterday
  • now
  • nowadays
  • tomorrow
  • +Xmin (Wherever X is a constructive selection)
  • -Xdays (Wherever X is a constructive selection)
  • -p – screen the buyers who were existing at the particular time
  • -s – screen the condition of logins since the specified time
  • -t – screen the condition of logins until eventually the specified time


Getting the over arguments, you could locate out who logged in on a particular day like so:

past -p 2017-08-10

The output of that command would clearly show you who (if any individual) logged in on August 10, 2017 (Figure B).

Figure B

Figure B

The two jlwallen and reboot were existing that day.

If you want to look at a assortment of time, that’s attainable as properly, making use of the -s and -t options like so:

past -s -20days -t -10days

The output of the over command will clearly show us who experienced logged in from a assortment of 20 days back up until eventually 10 days back (Figure C). In this situation (managing the command on August 29) that assortment of time would be August 9 as a result of August 19.

Figure C

Figure C

Logins from localhost and two other IP addresses are proven.

What if you want to locate out who logged in from yesterday up until eventually an hour back (from the existing time)? Which is attainable with the command:

past -s yesterday -t -60min

The output from the over command (Figure D) need to be considerably more compact than our earlier command.

Figure D

Figure D

Only one login endeavor, by user jlwallen.

And that’s very significantly how the past command functions.

Preserve it curious

If you might be curious about who is logging into your servers (and you need to be), past is an quick suggests of sating that curiosity on Linux. For additional details about past, make sure to browse as a result of the male website page with the command male past.

Also see


HP Servers Help

Comments are closed.