Monitoring SSH login history helps detect unauthorized access, audit legitimate activity, and understand how remote users connect to a server over time. SSH sessions record when a user logged in, from which IP address, and on which virtual terminal, allowing quick analysis after configuration changes or security incidents.
On most Linux distributions, OpenSSH writes login information into binary accounting files such as /var/log/wtmp and /var/log/lastlog, as well as human-readable authentication logs like /var/log/auth.log or /var/log/secure. Commands such as last and lastlog decode these records, while log files provide the low-level detail for each SSH authentication attempt.
Log files rotate regularly, and access to them usually requires root or sudo privileges, so older entries may not always be available and unprivileged accounts may not see every record. SSH login history on a single host also does not replace centralized logging or intrusion detection, and should be combined with off-host log aggregation when stricter compliance or long-term retention is required.
$ whoami
user
The examples use a user named user; substitute the appropriate account name on the server.
$ last --limit 1 -i user
user pts/1 203.0.113.10 Sat Jan 10 12:19 - 12:19 (00:00)

wtmp begins Sat Apr 27 12:34:07 2024
The columns list the username, terminal, remote IP address, login time, and whether the session is still active.
$ last --limit 5 -i
user pts/1 203.0.113.10 Sat Jan 10 12:19 - 12:19 (00:00)
user pts/1 203.0.113.10 Sat Jan 10 12:16 - 12:16 (00:00)
user tty2 0.0.0.0 Sat Jan 10 12:08 gone - no logout
user seat0 0.0.0.0 Sat Jan 10 12:08 gone - no logout
user tty2 0.0.0.0 Thu Jan 8 20:00 - down (00:00)

wtmp begins Sat Apr 27 12:34:07 2024
The --limit option restricts how many sessions are shown for all users.
$ sudo lastlog -u user
Username Port From Latest
user pts/1 203.0.113.10 Sat Jan 10 12:19:11 +0800 2026
lastlog shows only the most recent login per account; accounts that have never logged in display Never logged in in the Latest column.
$ sudo grep 'sshd' /var/log/auth.log | tail --lines 20
2026-01-11T05:41:32.739425+08:00 host sshd[14453]: Accepted publickey for user from 203.0.113.10 port 53452 ssh2: ED25519 SHA256:IIzzdAGySOOKuQxCPYvwGG2xQERM5aoWMCcEg1DyK04
2026-01-11T05:41:32.760960+08:00 host sshd[14453]: pam_unix(sshd:session): session closed for user user
##### snipped #####
On some distributions authentication records are stored in /var/log/secure instead of /var/log/auth.log, and unnecessary read access to these logs can expose sensitive details such as usernames and source IP addresses.
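The sshd records in the authentication log can be condensed into one line per result, user and source IP, which makes an unfamiliar address or a burst of failures easier to spot than in raw grep output. The following is an added example, not part of the original page: the names sample_log and ssh_login_summary, the FailedInvalid label and the sample lines are constructed here. It assumes the ISO-timestamp layout shown in the excerpt above and also handles sshd's standard "Failed password" lines, which the excerpt does not show.

```shell
# Added example: summarise sshd authentication results from auth.log-style
# lines on stdin. Names and sample data are constructed for illustration.

# Constructed sample input in the layout of the excerpt above
# (the key fingerprint is a placeholder, not a real value).
sample_log() {
cat <<'EOF'
2026-01-11T05:41:32.739425+08:00 host sshd[14453]: Accepted publickey for user from 203.0.113.10 port 53452 ssh2: ED25519 SHA256:CONSTRUCTED-PLACEHOLDER
2026-01-11T05:41:32.760960+08:00 host sshd[14453]: pam_unix(sshd:session): session closed for user user
2026-01-11T06:02:10.000000+08:00 host sshd[14501]: Failed password for user from 198.51.100.7 port 40022 ssh2
2026-01-11T06:02:14.000000+08:00 host sshd[14501]: Failed password for invalid user admin from 198.51.100.7 port 40030 ssh2
2026-01-11T06:05:00.000000+08:00 host sshd[14520]: Accepted password for user from 203.0.113.10 port 53500 ssh2
EOF
}

# Prints "<result> <user> <source-ip> <count> <last-seen-timestamp>", sorted.
ssh_login_summary() {
  awk '
    # Assumed layout: $1=timestamp $2=host $3=sshd[pid]: $4=result
    $3 ~ /^sshd\[[0-9]+\]:$/ && ($4 == "Accepted" || $4 == "Failed") {
      # Find the word "for"; the auth method before it varies.
      i = 5
      while (i <= NF && $i != "for") i++
      if (i > NF) next
      res = $4; u = i + 1
      # "for invalid user NAME": NAME is not an account on this host.
      if ($u == "invalid" && $(u + 1) == "user") { res = "FailedInvalid"; u += 2 }
      # Skip lines that do not parse cleanly instead of guessing fields.
      if ($(u + 1) != "from") next
      key = res " " $u " " $(u + 2)
      count[key]++
      last[key] = $1
    }
    END { for (k in count) print k, count[k], last[k] }
  ' | LC_ALL=C sort
}

# On a real host: sudo cat /var/log/auth.log | ssh_login_summary
```

Run against the constructed sample with `sample_log | ssh_login_summary`; on distributions that use /var/log/secure, feed that file instead.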
$ ssh user@host.example.net
$ last --limit 1 -i user
user pts/1 203.0.113.10 Sat Jan 10 12:19 - 12:19 (00:00)