How to Monitor Recent Logins on Linux Server - Complete Guide

Last updated: 2025-11-17

Are you wondering how to monitor recent login activity on your Linux server? Need to track user access and detect unauthorized login attempts automatically? This comprehensive guide shows you multiple methods to monitor recent logins, track access patterns, detect suspicious activity, and maintain security compliance on your Linux server.

Why Monitoring Recent Logins Matters

Monitoring recent login activity on your Linux server is critical for security, compliance, and incident response. Unauthorized logins can indicate security breaches, compromised accounts, or insider threats. Regular login monitoring helps detect suspicious access patterns, maintain audit trails, investigate security incidents, and ensure compliance with security policies.

Method 1: Check Recent Logins with last Command

The last command displays a list of recent login sessions, showing who logged in, when, from where, and how long they stayed. This is the most common way to check login history on Linux.

Show Recent Logins

To see recent login activity:

# Show last 10 logins
last -n 10

# Show last 20 logins
last -n 20

# Show all logins (may be long)
last

Show Logins for Specific User

To check login history for a specific user:

# Show logins for specific user
last username

# Show logins for root user
last root

# Show logins for multiple users
last user1 user2

Show Currently Logged In Users

To see who is currently logged in:

# Show currently logged in users
who

# Show detailed information
who -a

# Show users with login times
w

Method 2: Check Login Logs Directly

Linux stores login information in various log files. Checking these logs provides detailed information about login attempts.

Check auth.log (Debian/Ubuntu)

# Show recent authentication attempts
sudo tail -50 /var/log/auth.log

# Show successful logins
sudo grep "Accepted" /var/log/auth.log | tail -20

# Show failed login attempts
sudo grep "Failed" /var/log/auth.log | tail -20

Check secure (CentOS/RHEL)

# Show recent authentication attempts
sudo tail -50 /var/log/secure

# Show successful logins
sudo grep "Accepted" /var/log/secure | tail -20

# Show failed login attempts
sudo grep "Failed" /var/log/secure | tail -20

Check lastlog

# Show last login for all users
lastlog

# Show last login for specific user
lastlog -u username

Method 3: Automated Login Monitoring with Zuzia.app

Manually checking login history works for occasional audits, but for production servers, you need automated monitoring that alerts you immediately when suspicious logins occur. Zuzia.app provides comprehensive login monitoring through scheduled command execution.

Setting Up Automated Login Monitoring

  1. Add Scheduled Task in Zuzia.app Dashboard

    • Navigate to your server in Zuzia.app
    • Click "Add Scheduled Task"
    • Choose "Command Execution" as the task type
  2. Configure Login Check Command

    • Enter command: last -n 10
    • Set execution frequency: Every hour or every few hours
    • Configure alert conditions: Alert when unexpected logins occur
    • Set up filtering for specific users or IP addresses
  3. Set Up Notifications

    • Choose notification channels (email, webhook, Slack, etc.)
    • Configure alert thresholds (e.g., alert if root login detected)
    • Set up escalation rules for suspicious logins
    • Configure alerts for failed login attempts

Monitor Failed Login Attempts

For security, monitor failed login attempts:

# Check failed login attempts
sudo grep "Failed password" /var/log/auth.log | tail -20

# Count failed login attempts
sudo grep "Failed password" /var/log/auth.log | wc -l

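# Show failed logins by source IP (the address is the 4th field from the end,
# which also holds for "invalid user" lines where a fixed field number would print the user name)
sudo grep "Failed password" /var/log/auth.log | awk '{print $(NF-3)}' | sort | uniq -c | sort -rn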
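
A threshold check built on the per-IP count above, as an added example that is not part of the original guide: it counts failed SSH passwords per source address, including "invalid user" lines and rsyslog's "message repeated N times" lines, and lists the sources at or above a limit. The function names, the limit of 5 and the sample log lines are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: failed SSH password counts per source, with an alert threshold.
# The log lines are constructed sample data (documentation address ranges).

sample_auth_log() {
cat <<'EOF'
Nov 17 02:11:01 web1 sshd[4101]: Failed password for root from 203.0.113.7 port 40122 ssh2
Nov 17 02:11:03 web1 sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 40124 ssh2
Nov 17 02:11:05 web1 sshd[4103]: Failed password for invalid user from from 203.0.113.7 port 40126 ssh2
2025-11-17T02:12:40.120001+00:00 web1 sshd[4110]: Failed password for deploy from 198.51.100.23 port 51514 ssh2
Nov 17 02:13:09 web1 sshd[4115]: Accepted publickey for deploy from 192.0.2.10 port 50022 ssh2: ED25519 SHA256:(constructed)
Nov 17 02:13:30 web1 sshd[4120]: message repeated 2 times: [ Failed password for root from 203.0.113.7 port 40130 ssh2]
EOF
}

# usage: failed_by_ip [FILE...]   prints "count ip", highest count first
failed_by_ip() {
  awk '
    /Failed password for / {
      n = 1
      # rsyslog folds duplicates into "message repeated N times: [ ... ]"
      if (match($0, /message repeated [0-9]+ times/)) {
        split(substr($0, RSTART, RLENGTH), w, " ")
        n = w[3]
      }
      # The line ends "<ip> port <n> ssh2", so count back from the end;
      # counting from the front breaks on "invalid user <name>" lines.
      count[$(NF-3)] += n
    }
    END { for (ip in count) print count[ip], ip }
  ' "$@" | sort -k1,1nr -k2,2
}

# usage: over_threshold LIMIT [FILE...]   prints sources with >= LIMIT failures
over_threshold() {
  limit=$1; shift
  failed_by_ip "$@" | awk -v limit="$limit" '$1 >= limit { print $2 }'
}

# Demo on the constructed sample; on a real host pass /var/log/auth.log instead.
sample_auth_log | over_threshold 5
```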

Monitor Root Logins

Root logins should be monitored closely:

# Check root logins
last root

# Check root logins from logs (matches only lines where root is the user that was accepted)
sudo grep -E "Accepted [^ ]+ for root from" /var/log/auth.log

Zuzia.app stores all command outputs in its database, allowing you to track login patterns over time and identify suspicious access patterns.

Method 4: Advanced Login Monitoring Techniques

Track Login Patterns Over Time

To identify patterns in login activity:

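# Save current login list (on shared hosts, use a directory only root can write to instead of /tmp)
last -n 20 > /tmp/logins-new.txt

# Compare with previous snapshot
diff /tmp/logins-old.txt /tmp/logins-new.txt

# Find new logins
comm -13 <(sort /tmp/logins-old.txt) <(sort /tmp/logins-new.txt)

# Keep the current list as the previous snapshot for the next comparison
mv /tmp/logins-new.txt /tmp/logins-old.txt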

Detect Login Anomalies

To identify unusual login patterns:

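# Show logins from unusual hours (outside 8 AM - 6 PM); prints the whole entry,
# and only considers entries that have a host column, where the login time is field 7
last | awk '$7 ~ /^[0-9][0-9]:[0-9][0-9]$/ { h = substr($7, 1, 2) + 0; if (h < 8 || h >= 18) print }'

# List the distinct source IP addresses, to compare against the addresses you expect
last | awk '{print $3}' | grep -E "^[0-9]" | sort | uniq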

Monitor SSH Logins

For SSH-specific monitoring:

# Show SSH logins
sudo grep "sshd" /var/log/auth.log | grep "Accepted"

# Show SSH login attempts
sudo grep "sshd" /var/log/auth.log | tail -50
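
The anomaly checks described in this method (root logins, unfamiliar source addresses, logins outside 8 AM - 6 PM) applied to sshd "Accepted" lines, as an added example that is not part of the original guide. The BASELINE list, its user@ip format, the function names and the sample log lines are assumptions.

```shell
#!/bin/sh
# Added example: flag accepted SSH logins that fall outside a baseline.
# BASELINE and the log lines are constructed sample data.

# Known-good "user@source" pairs (assumed format for this example)
BASELINE="deploy@192.0.2.10 alice@192.0.2.44"

sample_accepted_log() {
cat <<'EOF'
Nov 17 09:15:02 web1 sshd[5001]: Accepted publickey for deploy from 192.0.2.10 port 50022 ssh2: ED25519 SHA256:(constructed)
Nov 17 03:41:55 web1 sshd[5012]: Accepted password for alice from 192.0.2.44 port 50110 ssh2
2025-11-17T10:02:11.000001+00:00 web1 sshd[5020]: Accepted password for alice from 203.0.113.7 port 41000 ssh2
Nov 17 11:30:00 web1 sshd[5031]: Accepted password for root from 192.0.2.10 port 50200 ssh2
Nov 17 11:31:00 web1 sshd[5032]: Failed password for root from 203.0.113.7 port 40122 ssh2
EOF
}

# usage: flag_logins "user@ip ..." [FILE...]   prints "user ip reasons"
flag_logins() {
  known_pairs=$1; shift
  awk -v pairs="$known_pairs" '
    BEGIN { n = split(pairs, p, " "); for (i = 1; i <= n; i++) known[p[i]] = 1 }
    {
      a = 0
      for (i = 1; i <= NF; i++) if ($i == "Accepted") { a = i; break }
      if (!a) next
      # sshd logs "Accepted <method> for <user> from <ip> port ..."
      user = $(a + 3); ip = $(a + 5)
      # Hour from an ISO 8601 stamp (field 1) or a classic syslog stamp (field 3),
      # in whatever time zone the log was written
      hour = ($1 ~ /^[0-9][0-9][0-9][0-9]-/) ? substr($1, 12, 2) : substr($3, 1, 2)
      why = ""
      if (user == "root")                 why = why ",root-login"
      if (!((user "@" ip) in known))      why = why ",unknown-source"
      if (hour + 0 < 8 || hour + 0 >= 18) why = why ",off-hours"
      if (why != "") print user, ip, substr(why, 2)
    }
  ' "$@"
}

# Demo on the constructed sample; on a real host pass /var/log/auth.log instead.
sample_accepted_log | flag_logins "$BASELINE"
```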

Real-World Use Cases for Login Monitoring

Security Audit

For security audits:

# Generate login report
last -n 50 > login-audit-$(date +%Y%m%d).txt

# Check for root logins
last root > root-logins-$(date +%Y%m%d).txt

# Check failed login attempts
sudo grep "Failed" /var/log/auth.log > failed-logins-$(date +%Y%m%d).txt

Incident Investigation

When investigating security incidents:

# Check logins during specific time period
last -s "2024-01-01 00:00:00" -t "2024-01-01 23:59:59"

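# Check logins from specific IP (-i prints addresses instead of host names; -wF matches the address literally and as a whole word)
last -i | grep -wF "192.168.1.100"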

# Check logins for specific user
last username | head -20

Compliance Monitoring

For compliance requirements:

# Generate compliance report
last -n 100 > compliance-report-$(date +%Y%m%d).txt

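# Check for unauthorized access (-w prints full user names, which last otherwise truncates;
# the pattern is anchored to the user column)
last -w | grep -vE "^(authorized-user1|authorized-user2) "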

Best Practices for Login Monitoring

1. Monitor Logins Regularly

Check login history every hour or every few hours. This allows you to detect unauthorized access quickly while not generating excessive alerts. Use Zuzia.app automated monitoring to check logins continuously without manual intervention.

2. Monitor Failed Login Attempts

Failed login attempts can indicate brute force attacks. Monitor failed logins and alert when thresholds are exceeded.

3. Track Root Logins

Root logins should be monitored closely. Alert on all root logins and verify they are authorized.

4. Monitor Unusual Patterns

Set up alerts for logins from unusual IP addresses, unusual times, or unusual locations.

5. Maintain Audit Trails

Keep login logs for compliance and investigation purposes. Use Zuzia.app to store login history in its database.

Troubleshooting Common Login Monitoring Issues

Login History Not Showing

If login history isn't showing:

# Check if utmp/wtmp files exist
ls -la /var/log/wtmp /var/run/utmp

# Check lastlog
lastlog

# Check auth logs
sudo tail -50 /var/log/auth.log

Too Many Login Entries

If there are too many login entries:

# Limit output
last -n 20

# Filter by user
last username

# Filter by time
last -s "2024-01-01"

FAQ: Common Questions About Monitoring Recent Logins

How often should I check login history?

We recommend checking login history every hour or every few hours. This allows you to detect unauthorized access quickly while not generating excessive alerts. Use Zuzia.app automated monitoring to check logins continuously without manual intervention.

What if unexpected logins are detected?

You'll receive notifications when login activity is detected through Zuzia.app. You can then investigate whether logins are authorized or indicate a security concern. Check the login details, verify with users, and take appropriate security actions if unauthorized access is confirmed.

Can I see login IP addresses?

Yes, the last command shows IP addresses for remote logins, which can help identify the source of access attempts. Use last | awk '{print $3}' to extract IP addresses and analyze login sources.

How do I detect unauthorized logins?

Set up automated monitoring in Zuzia.app that compares current logins with expected patterns. Alert on logins from unusual IP addresses, unusual times, or for users who shouldn't have access. Monitor failed login attempts as they can indicate brute force attacks.

Can I track login patterns over time?

Yes, use Zuzia.app to store login history in its database. This allows you to track login patterns over time, identify trends, and detect anomalies. Compare current logins with historical patterns to identify unusual activity.

How can I monitor logins across multiple servers?

Zuzia.app allows you to add multiple servers and monitor login activity across all of them simultaneously. Each server executes commands independently, and all results are stored in Zuzia.app's database for centralized monitoring and analysis.

Does Zuzia.app use AI to analyze login patterns?

Yes, if you have Zuzia.app's full package, AI analysis is enabled. The AI can detect patterns in login activity, identify suspicious access patterns, predict potential security threats, and suggest security improvements based on historical login data and machine learning algorithms.
