How to Monitor User Login Activity
Monitor user login activity on Linux servers. Track user logins, monitor authentication events, detect suspicious logins, and set up automated login activity monitoring with Zuzia.app.
Need to monitor user login activity on your Linux server? Want to track user logins, monitor authentication events, and detect suspicious login patterns? This guide shows you how to monitor user login activity using built-in commands and automated monitoring with Zuzia.app.
For comprehensive user activity monitoring strategies, see User Activity and Authentication Logs Monitoring Guide. For troubleshooting authentication issues, see User Authentication Failures.
Why Monitoring Login Activity Matters
User login activity indicates who accesses your server and when. When unauthorized logins occur or suspicious patterns are detected, security breaches can result, data can be compromised, and system integrity can be threatened. Monitoring login activity helps you detect unauthorized access, track user behavior, identify security threats, and maintain system security.
Method 1: View Login History
View login history to see who logged in and when:
Check Recent Logins
# View recent logins
last
# View recent logins for specific user
last username
# View failed login attempts (reads /var/log/btmp, which normally requires root)
sudo lastb
# View current logged-in users
who
Monitor Login Activity
# View detailed login information
w
# View login activity by user
lastlog
# Check login history with timestamps
last -F
# View login activity for today (last pads the day with a space, so match with %e rather than %d)
last | grep "$(date '+%b %e')"
Method 2: Monitor Authentication Logs
Monitor authentication logs to track login events. The commands below use /var/log/auth.log (Debian and Ubuntu); RHEL-family systems write the same records to /var/log/secure, and hosts that log only to the systemd journal expose them through journalctl.
View Authentication Events
# View successful password logins (key-based logins are logged as "Accepted publickey", so grep "Accepted" alone to see both)
sudo grep "Accepted password" /var/log/auth.log
# View SSH login activity
sudo grep "Accepted" /var/log/auth.log | grep ssh
# View failed login attempts
sudo grep "Failed password" /var/log/auth.log
# View recent authentication events
sudo tail -100 /var/log/auth.log | grep -i "auth\|login"
Track Login Patterns
# Count logins by user (skip blank lines, the trailing "wtmp begins" line and reboot records)
last | awk 'NF && $1 != "wtmp" && $1 != "reboot" {print $1}' | sort | uniq -c | sort -rn
# View logins by IP address (-i prints numeric addresses, and 0.0.0.0 for local logins, so field 3 is always the source)
last -i | awk 'NF && $1 != "wtmp" && $1 != "reboot" {print $3}' | sort | uniq -c | sort -rn
# Check login frequency (logins per user per day)
last | awk 'NF && $1 != "wtmp" && $1 != "reboot" {print $1, $4, $5, $6}' | sort | uniq -c
Method 3: Detect Suspicious Login Activity
Detect suspicious login activity to identify security threats:
Identify Failed Login Attempts
# Count failed login attempts by IP (walk to the word "from" instead of a fixed field number: "invalid user" lines shift the fields)
sudo grep "Failed password" /var/log/auth.log | awk '{for (i=1;i<=NF;i++) if ($i=="from") print $(i+1)}' | sort | uniq -c | sort -rn
# Count failed attempts by user (handles both "for root from" and "for invalid user bob from")
sudo grep "Failed password" /var/log/auth.log | awk '{for (i=1;i<=NF;i++) if ($i=="for") {u = ($(i+1)=="invalid") ? $(i+3) : $(i+1); print u; break}}' | sort | uniq -c | sort -rn
# View failed attempts in the current hour (syslog pads the day with a space, so use %e)
sudo grep "Failed password" /var/log/auth.log | grep "$(date '+%b %e %H')"
# Identify brute force attempts (more than 10 failures from a single source)
sudo grep "Failed password" /var/log/auth.log | awk '{for (i=1;i<=NF;i++) if ($i=="from") print $(i+1)}' | sort | uniq -c | awk '$1 > 10'
Detect Unusual Login Patterns
# List the distinct source addresses of successful logins and compare them with the ranges you expect
sudo grep "Accepted" /var/log/auth.log | awk '{for (i=1;i<=NF;i++) if ($i=="from") print $(i+1)}' | sort | uniq
# Check for logins outside business hours (field 3 is the HH:MM:SS of the traditional syslog timestamp)
sudo grep "Accepted" /var/log/auth.log | awk '{if ($3 > "22:00" || $3 < "06:00") print}'
# View repeated failed attempts per user and source address
sudo grep "Failed password" /var/log/auth.log | awk '{for (i=1;i<=NF;i++) {if ($i=="for") u = ($(i+1)=="invalid") ? $(i+3) : $(i+1); if ($i=="from") ip = $(i+1)} print u, ip}' | sort | uniq -c | sort -rn
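The script below is an added example, not part of the original guide or of Zuzia.app's own tooling. It bundles the Method 3 checks (failed attempts per source and per account, the brute-force threshold, logins outside 06:00-22:00) into shell functions that read sshd lines from stdin or a file, and it goes a step beyond the one-liners above: it extracts the source address and account by anchoring on the words "from" and "for" rather than on a fixed awk field, so "Failed password for invalid user admin from ..." is counted the same way as "Failed password for root from ...", and the wrapper function returns a non-zero exit status when a source exceeds the threshold, which is what a scheduled task can alert on. The sample log, host name, addresses and key fingerprint are constructed test data, and the script assumes the traditional "Mon DD HH:MM:SS" syslog prefix.

```shell
#!/bin/sh
# Added example (not from the original guide): robust versions of the Method 3 checks.
# SAMPLE_LOG is constructed test data in the traditional rsyslog timestamp format;
# the host name, addresses and fingerprint are made up.
SAMPLE_LOG='Jan  5 02:14:01 web1 sshd[2201]: Failed password for root from 203.0.113.7 port 40122 ssh2
Jan  5 02:14:03 web1 sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Jan  5 02:14:05 web1 sshd[2205]: Failed password for invalid user admin from 203.0.113.7 port 40138 ssh2
Jan  5 02:14:08 web1 sshd[2207]: Failed password for root from 203.0.113.7 port 40144 ssh2
Jan  5 05:50:12 web1 sshd[2250]: Accepted password for carol from 192.0.2.10 port 50210 ssh2
Jan  5 08:02:33 web1 sshd[2290]: Failed password for root from 198.51.100.23 port 41000 ssh2
Jan  5 09:30:00 web1 sshd[2310]: Accepted publickey for alice from 198.51.100.4 port 51000 ssh2: ED25519 SHA256:CONSTRUCTEDFINGERPRINT
Jan  5 23:10:45 web1 sshd[2400]: Accepted password for bob from 192.0.2.9 port 52000 ssh2'

# Source address of every "Failed password" line on stdin. Anchoring on "from <ip> port"
# gives the same answer whether or not the line carries the "invalid user" wording.
failed_ips() {
  grep 'Failed password' | sed -n 's/.* from \([^ ]*\) port .*/\1/p'
}

# Account targeted by every failed attempt, with the optional "invalid user " prefix dropped.
failed_users() {
  grep 'Failed password' | sed -n 's/.*Failed password for \(invalid user \)\{0,1\}\([^ ]*\) from .*/\2/p'
}

# Source addresses with more than THRESHOLD failed attempts (default 10, as in the guide).
brute_force_sources() {
  threshold=${1:-10}
  failed_ips | sort | uniq -c | awk -v t="$threshold" '$1 > t {print $2}'
}

# Successful logins whose HH:MM:SS (field 3 of the traditional syslog prefix) falls outside
# 06:00-22:00. Hosts that log RFC 3339 timestamps would need a different field split.
off_hours_logins() {
  grep 'Accepted' | awk '$3 >= "22:00" || $3 < "06:00"'
}

# Run every check over one log file and return 1 when a brute-force source exists, so a
# scheduler can alert on the exit status instead of parsing the report text.
check_auth_log() {
  log=${1:-/var/log/auth.log}
  threshold=${2:-10}
  echo "== failed attempts per source IP =="
  failed_ips < "$log" | sort | uniq -c | sort -rn
  echo "== failed attempts per account =="
  failed_users < "$log" | sort | uniq -c | sort -rn
  echo "== successful logins outside 06:00-22:00 =="
  off_hours_logins < "$log"
  offenders=$(brute_force_sources "$threshold" < "$log")
  if [ -n "$offenders" ]; then
    echo "ALERT: more than $threshold failed attempts from: $offenders"
    return 1
  fi
  return 0
}

# Demo on the constructed sample with a threshold of 3 so that it trips; on a server run
#   check_auth_log /var/log/auth.log 10
demo_log=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$demo_log"
check_auth_log "$demo_log" 3 || echo "check_auth_log exit status: $?"
rm -f "$demo_log"
```

On a real host the functions read the live log directly (`check_auth_log /var/log/auth.log 10`, or `/var/log/secure` on RHEL-family systems), and the exit status is the value to alert on: a scheduled task that treats exit status 1 as a failure will fire exactly when some source has passed the threshold.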
Method 4: Automated Login Activity Monitoring with Zuzia.app
While manual login activity checks work for audits, production Linux servers require automated login activity monitoring that continuously tracks logins, detects suspicious patterns, and alerts you when unauthorized access occurs.
How Zuzia.app Login Activity Monitoring Works
Zuzia.app automatically monitors user login activity through scheduled command execution and log analysis. The platform checks authentication logs, tracks login events, detects suspicious patterns, and sends alerts when unauthorized access is detected.
Setting Up Login Activity Monitoring
1. Add Scheduled Task for Failed Login Monitoring
- Command: sudo grep "Failed password" /var/log/auth.log | tail -20
- Frequency: Every 5 minutes
- Alert when: Failed attempts exceed threshold
2. Configure Suspicious Activity Detection
- Command: sudo grep "Failed password" /var/log/auth.log | awk '{for (i=1;i<=NF;i++) if ($i=="from") print $(i+1)}' | sort | uniq -c | awk '$1 > 10'
- Frequency: Every 10 minutes
- Alert when: Multiple failed attempts from same IP
3. Set Up Login Monitoring
- Command: sudo grep "Accepted" /var/log/auth.log | tail -10
- Frequency: Every 15 minutes
- Alert when: Logins from unusual locations or times
Custom Login Activity Monitoring Commands
Add these commands as scheduled tasks:
# Check failed login attempts
sudo grep "Failed password" /var/log/auth.log | tail -20
# Monitor successful logins
sudo grep "Accepted" /var/log/auth.log | tail -10
# Check for suspicious activity (more than 10 failures from one source; the field walk copes with "invalid user" lines)
sudo grep "Failed password" /var/log/auth.log | awk '{for (i=1;i<=NF;i++) if ($i=="from") print $(i+1)}' | sort | uniq -c | awk '$1 > 10'
# View current logged-in users
who
Best Practices
1. Monitor Login Activity Continuously
Use Zuzia.app for continuous login activity monitoring. Set up alerts before security incidents occur. Review login logs regularly.
2. Set Appropriate Alert Thresholds
Configure alerts based on normal activity. Warning: 5-10 failed attempts per hour. Critical: 20+ failed attempts per hour.
3. Respond Quickly to Suspicious Activity
Have response procedures ready. Define escalation procedures. Prepare incident response playbooks.
Troubleshooting
Multiple Failed Login Attempts
When multiple failed attempts occur:
- Review authentication logs: sudo grep "Failed password" /var/log/auth.log | tail -20
- Identify source IP addresses
- Block IPs if necessary (this rule is lost on reboot unless you save it with your distribution's iptables persistence tooling): sudo iptables -A INPUT -s IP_ADDRESS -j DROP
Unauthorized Login Detected
When unauthorized logins are detected:
- Check login history: last | grep username
- Review authentication logs: sudo grep "Accepted" /var/log/auth.log | grep username
- Disable compromised accounts if needed