User login history provides a timeline of account activity, which helps confirm legitimate access, spot suspicious sessions, and reconstruct events during incident response.

Most Linux systems record successful sessions in the binary wtmp database at /var/log/wtmp and failed authentication attempts in /var/log/btmp. The last and lastb utilities read these files to show session start, session end, terminal, and the remote host or IP address.

Login databases are rotated by retention policies, so older history may be split across /var/log/wtmp.1, compressed archives, or removed entirely. Timestamps reflect the system clock and time zone at the time of the event, and the databases can be modified by root, so corroborating anomalies with authentication logs improves confidence.

Steps to check user login history with last and lastb in Linux:

  1. List recent logins for the account.
    $ last -a user | head -n 6
    user     pts/0        Sun Jan 11 08:14 - 08:14  (00:00)     203.0.113.10
    user     pts/0        Sun Jan 11 08:12 - 08:12  (00:00)     203.0.113.10
    
    wtmp begins Sat Apr 27 07:58:30 2024

    Replace user with the target account name, and add sudo if /var/log/wtmp is not readable.

  2. Show the same login history with full timestamps for easier correlation.
    $ last -F -a user | head -n 6
    user     pts/0        Sun Jan 11 08:14:02 2026 - Sun Jan 11 08:14:03 2026  (00:00)     203.0.113.10
    user     pts/0        Sun Jan 11 08:12:42 2026 - Sun Jan 11 08:12:43 2026  (00:00)     203.0.113.10
    
    wtmp begins Sat Apr 27 07:58:30 2024

    -s (since) and -t (until) restrict output to a time window, and --time-format iso outputs ISO timestamps.

  3. Show current sessions for the account.
    $ who -u

    who reads the current-session database (usually /run/utmp) and lists active sessions for every user. If no line shows the account name, that user has no active sessions.

  4. Display reboot and shutdown entries recorded alongside logins in wtmp.
    $ last -x | head -n 6
    user     pts/0        203.0.113.10     Sun Jan 11 08:14 - 08:14  (00:00)
    user     pts/0        203.0.113.10     Sun Jan 11 08:12 - 08:12  (00:00)
    runlevel (to lvl 5)   6.8.0-90-generic Sun Jan 11 08:04   still running
    reboot   system boot  6.8.0-90-generic Sun Jan 11 08:04   still running
    shutdown system down  6.8.0-90-generic Sun Jan 11 08:02 - 08:04  (00:01)
    runlevel (to lvl 5)   6.8.0-90-generic Sat Jan 10 12:09 - 08:02  (19:53)

    -x includes system shutdowns and runlevel changes.

  5. List recent failed logins.
    $ sudo lastb -a user | head -n 6
    
    btmp begins Thu Jan  8 19:27:21 2026

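    lastb reads /var/log/btmp and commonly requires sudo. Output that contains only the "btmp begins" line means no failed logins are recorded for the account in the current file.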

  6. List rotated wtmp and btmp files to extend history beyond the current logs.
    $ sudo ls -lh /var/log/wtmp* /var/log/btmp*
    -rw-rw---- 1 root utmp    0 Jan  8 19:27 /var/log/btmp
    -rw-rw---- 1 root utmp    0 Sep 29 05:00 /var/log/btmp.1
    -rw-rw-r-- 1 root utmp 159K Jan 11 08:14 /var/log/wtmp
    -rw-r--r-- 1 root root 159K Jan 11 13:39 /var/log/wtmp.1

    Compressed rotations end with .gz and can be decompressed to a temporary file before reading with last -f or lastb -f.

  7. Query a rotated wtmp file for older successful logins.
    $ sudo last -a -f /var/log/wtmp.1 user | head -n 6
    user     pts/0        Sun Jan 11 08:14 - 08:14  (00:00)     203.0.113.10
    user     pts/0        Sun Jan 11 08:12 - 08:12  (00:00)     203.0.113.10
    
    wtmp.1 begins Sat Apr 27 07:58:30 2024

  8. Query a rotated btmp file for older failed logins.
    $ sudo lastb -a -f /var/log/btmp.1 user | head -n 8
    
    btmp.1 begins Thu Jan  8 07:52:12 2026

  9. Check modification times of the login history files before comparing them to other logs.
    $ sudo stat /var/log/wtmp /var/log/btmp
      File: /var/log/wtmp
      Size: 162800    	Blocks: 328        IO Block: 4096   regular file
    Device: 252,0	Inode: 1707159     Links: 1
    Access: (0664/-rw-rw-r--)  Uid: (    0/    root)   Gid: (   43/    utmp)
    Access: 2026-01-11 13:39:09.042009588 +0800
    Modify: 2026-01-11 08:14:03.112000286 +0800
    Change: 2026-01-11 08:14:03.112000286 +0800
     Birth: 2024-04-27 07:57:11.477726755 +0800
      File: /var/log/btmp
      Size: 0         	Blocks: 0          IO Block: 4096   regular empty file
    Device: 252,0	Inode: 1704169     Links: 1
    Access: (0660/-rw-rw----)  Uid: (    0/    root)   Gid: (   43/    utmp)
    Access: 2026-01-11 13:39:53.384009609 +0800
    Modify: 2026-01-08 19:27:21.363000002 +0800
    Change: 2026-01-08 19:27:21.363000002 +0800
     Birth: 2026-01-08 19:27:21.363000002 +0800

    The Modify time reflects the last write to the database, not the oldest record inside it.

  10. Print the current system time and time zone used for interpreting recorded timestamps.
    $ date
    Sun Jan 11 01:40:38 PM +08 2026

  11. Show the most recent login summary stored for the account in /var/log/lastlog.
    $ sudo lastlog -u user
    Username         Port     From                                       Latest
    user             pts/0    203.0.113.10                             Sun Jan 11 08:14:02 +0800 2026
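
Because wtmp and btmp are binary databases that root can modify, it helps to be able to read the records directly, including .gz rotations, and flag entries worth corroborating with authentication logs. The following Python is an added example, not part of the original guide or of last/lastb; it assumes the 384-byte glibc struct utmp layout used on x86-64 Linux, and the function names and SAMPLE records are constructed for illustration.

```python
import gzip
import struct
from datetime import datetime, timezone

# Assumption: glibc "struct utmp" as laid out on x86-64 Linux (384 bytes).
REC = struct.Struct("<hxxi32s4s32s256shhiii4i20x")
USER_PROCESS = 7  # ut_type of a user login record

def read_db(path):
    """Return the raw bytes of a wtmp/btmp file; .gz rotations are read in place."""
    opener = gzip.open if str(path).endswith(".gz") else open
    with opener(path, "rb") as fh:
        return fh.read()

def text(raw):
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def records(data):
    """Yield (offset, type, user, line, host, epoch_seconds) per complete record."""
    for off in range(0, len(data) - REC.size + 1, REC.size):
        f = REC.unpack_from(data, off)
        yield off, f[0], text(f[4]), text(f[2]), text(f[5]), f[9]

def anomalies(data):
    """Flag structural oddities to cross-check against authentication logs."""
    found, prev = [], None
    if len(data) % REC.size:
        found.append((len(data) // REC.size * REC.size, "truncated trailing record"))
    for off, _type, _user, _line, _host, ts in records(data):
        if not any(data[off:off + REC.size]):
            found.append((off, "all-zero record"))
            continue
        if prev is not None and ts < prev:
            found.append((off, "timestamp earlier than previous record"))
        prev = ts
    return found

def logins(data, user):
    """ISO 8601 UTC login times and source hosts recorded for one account."""
    return [(datetime.fromtimestamp(ts, timezone.utc).isoformat(), host)
            for _, typ, name, _, host, ts in records(data)
            if typ == USER_PROCESS and name == user]

def rec(ts, user=b"user", host=b"203.0.113.10"):
    """Build one constructed sample record (not taken from a real system)."""
    return REC.pack(USER_PROCESS, 4242, b"pts/0", b"ts/0", user, host,
                    0, 0, 0, ts, 0, 0, 0, 0, 0)

# Constructed input: a login, a zeroed slot, a login, then a backdated login.
SAMPLE = rec(1768090362) + bytes(REC.size) + rec(1768090442) + rec(1768000000)
```

A backward timestamp can also come from a legitimate clock adjustment, so treat each flagged offset as a prompt to compare against authentication logs rather than as proof of tampering.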