Monitoring SSH login history helps detect unauthorized access, audit legitimate activity, and understand how remote users connect to a server over time. Each SSH session leaves a record of when a user logged in, from which IP address, and on which virtual terminal, allowing quick analysis after configuration changes or security incidents.
On most Linux distributions, OpenSSH writes login information into binary accounting files such as /var/log/wtmp and /var/log/lastlog, as well as human-readable authentication logs like /var/log/auth.log or /var/log/secure. Commands such as last and lastlog decode these records, while log files provide the low-level detail for each SSH authentication attempt.
Log files rotate regularly, and access to them usually requires root or sudo privileges, so older entries may not always be available and unprivileged accounts may not see every record. SSH login history on a single host also does not replace centralized logging or intrusion detection, and should be combined with off-host log aggregation when stricter compliance or long-term retention is required.
Steps to monitor SSH login history in Linux:
- Open a terminal session on the Linux server with privileges to use sudo when needed.
$ whoami
user
The examples use a user named user; substitute the appropriate account name on the server.
- Show the most recent login for a specific account using the last command.
$ last --limit 1 -i user
user pts/0 203.0.113.10 Tue Dec 30 00:07 - 00:07 (00:00)

wtmp begins Mon Dec 29 02:40:31 2025
The columns list the username, terminal, remote IP address, login time, and whether the session is still active.
- Review several recent logins to see a short history of SSH access.
$ last --limit 5 -i
user pts/0 203.0.113.10 Tue Dec 30 00:07 - 00:07 (00:00)
user pts/0 203.0.113.10 Mon Dec 29 22:59 - 22:59 (00:00)
user pts/0 203.0.113.10 Mon Dec 29 22:18 - 22:18 (00:00)
user pts/0 203.0.113.10 Mon Dec 29 22:17 - 22:17 (00:00)
user pts/0 203.0.113.10 Mon Dec 29 22:17 - 22:17 (00:00)

wtmp begins Mon Dec 29 02:40:31 2025
The --limit option caps the number of sessions shown; with no username given, the limit applies across all users.
- Display the last recorded login for the account using lastlog.
$ sudo lastlog -u user
Username Port From Latest
user pts/0 203.0.113.10 Tue Dec 30 00:07:34 +0000 2025
lastlog shows only the most recent login per account; accounts that have never logged in display "Never logged in" in the Latest column.
- Inspect authentication logs for SSH-specific entries when a deeper investigation is required.
$ sudo grep 'sshd' /var/log/auth.log | tail --lines 20
2025-12-29T22:48:57.651738+00:00 host sshd[9034]: message repeated 2 times: [ Failed password for user from 203.0.113.10 port 37332 ssh2]
2025-12-30T00:07:34.190942+00:00 host sshd[9493]: Accepted publickey for user from 203.0.113.10 port 43536 ssh2: RSA SHA256:rYSEe35JdJ2VA9gtQtIFNLXwEB03TyBaM2qc+XMytks
##### snipped #####
On some distributions authentication records are stored in /var/log/secure instead of /var/log/auth.log, and unnecessary read access to these logs can expose sensitive details such as usernames and source IP addresses.
- Initiate a fresh SSH login from another client using the monitored account.
$ ssh user@host.example.net
- Confirm that the new SSH activity is recorded by repeating the last query for the account.
$ last --limit 1 -i user
user pts/0 203.0.113.10 Tue Dec 30 00:07 - 00:07 (00:00)
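To go beyond reading the grep output by eye, the following added example (not part of the original steps) parses sshd lines in the auth.log format shown above, expands syslog's "message repeated N times" wrapper, and flags user/IP pairs where a successful login followed several failures. The sample log, the function names, and the threshold of 3 are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the ISO-timestamp format shown above (not real log data).
SAMPLE_LOG = """\
2025-12-29T22:48:50.100000+00:00 host sshd[9034]: Failed password for user from 203.0.113.10 port 37332 ssh2
2025-12-29T22:48:57.651738+00:00 host sshd[9034]: message repeated 2 times: [ Failed password for user from 203.0.113.10 port 37332 ssh2]
2025-12-29T22:50:01.000000+00:00 host sshd[9100]: Failed password for invalid user admin from 198.51.100.7 port 50022 ssh2
2025-12-30T00:07:34.190942+00:00 host sshd[9493]: Accepted publickey for user from 203.0.113.10 port 43536 ssh2: RSA SHA256:CONSTRUCTED-FINGERPRINT
2025-12-30T00:08:00.000000+00:00 host CRON[9500]: pam_unix(cron:session): session opened for user root
"""

# sshd result lines: "<Accepted|Failed> <method> for [invalid user ]<name> from <ip> port <n>"
EVENT = re.compile(
    r"sshd\[\d+\]: (?:message repeated (?P<n>\d+) times: \[ )?"
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def summarize(lines):
    """Count failed and accepted SSH logins per (user, source IP) pair."""
    stats = defaultdict(lambda: {"failed": 0, "accepted": 0,
                                 "failed_before_ok": 0, "last_ok": None})
    for line in lines:
        m = EVENT.search(line)
        if not m:
            continue  # non-sshd lines and sshd messages that are not login results
        entry = stats[(m["user"], m["ip"])]
        count = int(m["n"] or 1)  # a "repeated" line stands for N identical events
        if m["result"] == "Failed":
            entry["failed"] += count
        else:
            if entry["accepted"] == 0:  # remember failures seen before first success
                entry["failed_before_ok"] = entry["failed"]
            entry["accepted"] += count
            entry["last_ok"] = line.split(" ", 1)[0]  # leading ISO timestamp
    return dict(stats)

def success_after_failures(stats, threshold=3):
    """Pairs whose first accepted login came after >= threshold failures."""
    return sorted(k for k, v in stats.items()
                  if v["accepted"] and v["failed_before_ok"] >= threshold)

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG.splitlines())
    for key, value in sorted(result.items()):
        print(key, value)
    print("review:", success_after_failures(result))
```

On a live host, feed it the lines of /var/log/auth.log (or /var/log/secure) read with sudo instead of SAMPLE_LOG.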
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
