1. See which user, IP and terminal logged in to the server, and when
[root@liesys ~]# utmpdump /var/log/wtmp | more
Utmp dump of /var/log/wtmp
[7] [29224] [ts/1] [root ] [pts/1 ] [vm40102 ] [127.0.0.1 ] [Mon Feb 06 15:10:16 2023 CST]
[7] [29257] [ts/2] [root ] [pts/2 ] [vm40102 ] [127.0.0.1 ] [Mon Feb 06 15:10:17 2023 CST]
[8] [29255] [ ] [ ] [pts/2 ] [ ] [0.0.0.0 ] [Mon Feb 06 15:11:38 2023 CST]
[8] [29222] [ ] [ ] [pts/1 ] [ ] [0.0.0.0 ] [Mon Feb 06 15:18:14 2023 CST]
[8] [28795] [ ] [ ] [pts/0 ] [ ] [0.0.0.0 ] [Mon Feb 06 15:28:45 2023 CST]
[7] [12735] [ts/0] [root ] [pts/0 ] [vm40102 ] [127.0.0.1 ] [Mon Feb 06 17:18:55 2023 CST]
[8] [12733] [ ] [ ] [pts/0 ] [ ] [0.0.0.0 ] [Mon Feb 06 17:19:00 2023 CST]
[7] [13191] [ts/0] [root ] [pts/0 ] [vm40102 ] [127.0.0.1 ] [Mon Feb 06 17:19:13 2023 CST]
[8] [13189] [ ] [ ] [pts/0 ] [ ] [0.0.0.0 ] [Mon Feb 06 17:20:21 2023 CST]
[7] [12415] [ts/0] [root ] [pts/0 ] [vm40102 ] [127.0.0.1 ] [Wed Feb 08 15:04:46 2023 CST]
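As an added example (not part of the original page), the dump above can be turned into sessions by pairing each type 7 record (USER_PROCESS, a login) with the next type 8 record (DEAD_PROCESS, a logout) on the same terminal line. A logout with no matching login, or a login that is never closed, marks the spot where records were rotated, truncated or edited and deserves a closer look. The function names `parse` and `sessions` are hypothetical, and the sample is the output shown above.

```python
import re
from datetime import datetime

# utmpdump lines copied from the output above (old-style timestamps).
SAMPLE = """\
Utmp dump of /var/log/wtmp
[7] [29224] [ts/1] [root ] [pts/1 ] [vm40102 ] [127.0.0.1 ] [Mon Feb 06 15:10:16 2023 CST]
[7] [29257] [ts/2] [root ] [pts/2 ] [vm40102 ] [127.0.0.1 ] [Mon Feb 06 15:10:17 2023 CST]
[8] [29255] [ ] [ ] [pts/2 ] [ ] [0.0.0.0 ] [Mon Feb 06 15:11:38 2023 CST]
[8] [29222] [ ] [ ] [pts/1 ] [ ] [0.0.0.0 ] [Mon Feb 06 15:18:14 2023 CST]
[8] [28795] [ ] [ ] [pts/0 ] [ ] [0.0.0.0 ] [Mon Feb 06 15:28:45 2023 CST]
[7] [12735] [ts/0] [root ] [pts/0 ] [vm40102 ] [127.0.0.1 ] [Mon Feb 06 17:18:55 2023 CST]
[8] [12733] [ ] [ ] [pts/0 ] [ ] [0.0.0.0 ] [Mon Feb 06 17:19:00 2023 CST]
[7] [13191] [ts/0] [root ] [pts/0 ] [vm40102 ] [127.0.0.1 ] [Mon Feb 06 17:19:13 2023 CST]
[8] [13189] [ ] [ ] [pts/0 ] [ ] [0.0.0.0 ] [Mon Feb 06 17:20:21 2023 CST]
[7] [12415] [ts/0] [root ] [pts/0 ] [vm40102 ] [127.0.0.1 ] [Wed Feb 08 15:04:46 2023 CST]
"""
USER_PROCESS, DEAD_PROCESS = 7, 8  # ut_type values from <utmp.h>

def parse(text):
    """Yield (type, user, line, addr, time) for every 8-field record."""
    for row in text.splitlines():
        f = [x.strip() for x in re.findall(r"\[([^\]]*)\]", row)]
        if len(f) != 8:
            continue  # header line or damaged record
        stamp = f[7].rsplit(" ", 1)[0]  # drop the zone name; times stay local
        when = datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")
        yield int(f[0]), f[3], f[4], f[6], when

def sessions(text):
    """Pair each login with the next logout on the same terminal line."""
    live, closed, orphans = {}, [], []
    for typ, user, line, addr, when in parse(text):
        if typ == USER_PROCESS:
            if line in live:  # new login on a line that was never closed
                closed.append((*live[line][:2], line, None))
            live[line] = (user, addr, when)
        elif typ == DEAD_PROCESS:
            if line not in live:  # logout whose login record is missing
                orphans.append((line, when))
                continue
            u, a, start = live.pop(line)
            closed.append((u, a, line, int((when - start).total_seconds())))
    return closed, orphans, live

if __name__ == "__main__":
    closed, orphans, live = sessions(SAMPLE)
    print("sessions:", closed)
    print("logout without login:", orphans, "| still open:", live)
```

Newer util-linux releases print ISO 8601 timestamps from utmpdump, so the `strptime` format would need adjusting there.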
2. See which user, IP and terminal logged in to the server, and when
[root@liesys ~]# who /var/log/wtmp | more
xinsec pts/0 2023-02-01 09:39 (192.168.11.32)
xinsec pts/1 2023-02-01 10:50 (192.168.11.32)
xinsec pts/0 2023-02-01 10:22 (10.80.210.52)
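3. See which user, IP and terminal logged in to the server, and when, in more detail
last reads the record file you specify (with -f); by default it shows the records in /var/log/wtmp.
The btmp file in /var/log adds what wtmp lacks: failed login requests, including remote ones such as SSH logins.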
[root@liesys ~]# last | more
root pts/2 192.168.30.169 Mon Oct 24 09:36 still logged in
root pts/2 192.168.30.169 Mon Oct 24 09:13 - 09:32 (00:19)
4. Show the currently logged-in users with their TTY, login address and related information
[root@liesys ~]# w -i
09:39:07 up 35 days, 46 min, 2 users, load average: 0.43, 0.44, 0.62
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/1 192.168.30.169 09:06 2:35 14:56 0.87s -bash
root pts/2 192.168.30.169 09:36 3.00s 0.09s 0.01s w -i