The utmp, wtmp, btmp, and lastlog files

Unlike the system log files and the authentication log files, all of these files are binary files. So, we can't use our normal text tools, such as less or grep, to read them or extract information from them. Instead, we'll use some special tools that can read these binary files.

The w and who commands pull information about who's logged in and what they're doing from the /var/run/utmp file. Both commands have their own option switches, but you likely won't ever need them. If you just want to see the list of users who are currently logged in, use who like so:

donnie@orangepione:/var/log$ who
donnie tty7 2019-08-02 18:18 (:0)
donnie pts/1 2019-11-21 16:21 (192.168.0.251)
donnie pts/2 2019-11-21 17:01 (192.168.0.251)
katelyn pts/3 2019-11-21 18:15 (192.168.0.11)
lionel pts/4 2019-11-21 18:21 (192.168.0.15)
donnie@orangepione:/var/log$

It shows me with three different logins. The tty7 line is my local terminal session, and the pts/1 and pts/2 lines are my two remote SSH sessions from the 192.168.0.251 machine. Katelyn and Lionel are remotely logged in from two other machines.

The w command shows you not only who's logged in, but also what they're doing:

donnie@orangepione:/var/log$ w
 18:29:42 up  2:09,  5 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE    JCPU   PCPU  WHAT
donnie   tty7     :0               02Aug19  111days 6.28s  0.05s /bin/sh /etc/xdg/xfce4/xinitrc -- /etc/X11/xinit/xserverrc
donnie   pts/1    192.168.0.251    16:21    4.00s   2.88s  0.05s w
donnie   pts/2    192.168.0.251    17:01    7:10    0.81s  0.81s -bash
katelyn  pts/3    192.168.0.11     18:15    7:41    0.64s  0.30s vim somefile.txt
lionel   pts/4    192.168.0.15     18:21    8:06    0.76s  0.30s sshd: lionel [priv]
donnie@orangepione:/var/log$

This shows five users, but there are really only three since it counts each of my login sessions as a separate user. :0 under the FROM column for my first login means that this login is at the machine's local console. The /bin/sh part shows that I have a terminal window open, and the /etc/xdg/xfce4/xinitrc -- /etc/X11/xinit/xserverrc stuff means that the machine is in graphical mode, with the XFCE desktop. The pts/1 line shows that I've run the w command in that window, and the pts/2 line shows that I'm not doing anything in that window, other than just having the bash shell open.

Next, we see that Katelyn is editing a file. So, I think that she's all good. But look at Lionel. [priv] in his line indicates that he's doing some sort of privileged action. To see what that action is, we'll peek into the authentication file, where we see this:

Nov 21 18:21:42 localhost sudo:   lionel : TTY=pts/4 ; PWD=/home/lionel ; USER=root ; COMMAND=/usr/sbin/visudo

Oh, come now. What fool gave Lionel the privileges to use visudo? I mean, we know that Lionel isn't supposed to have that privilege. Well, we can investigate. Further up in the authentication file, we see this:

Nov 21 18:17:53 localhost sudo:   donnie : TTY=pts/2 ; PWD=/home/donnie ; USER=root ; COMMAND=/usr/sbin/visudo

This shows that that donnie character opened visudo, but it doesn't show what edits he made to it. But since this line comes soon after the line where donnie created Lionel's account, and no other users have used visudo, it's a safe bet that donnie is the one who gave Lionel that visudo privilege. So, we can surmise that that donnie character is a real loser who deserves to be fired. Oh, wait. That was me again, wasn't it? Okay, never mind.

In normal usage, the last command pulls information from the /var/log/wtmp file, which archives historical data from the /var/run/utmp file. Without any option switches, last shows when each user has logged in or out, and when the machine has been booted:

donnie@orangepione:/var/log$ last
lionel pts/4 192.168.0.15 Thu Nov 21 18:21 still logged in
lionel pts/4 192.168.0.15 Thu Nov 21 18:17 - 18:17 (00:00)
katelyn pts/3 192.168.0.11 Thu Nov 21 18:15 still logged in
katelyn pts/3 192.168.0.251 Thu Nov 21 18:02 - 18:15 (00:12)
donnie pts/2 192.168.0.251 Thu Nov 21 17:01 still logged in
donnie pts/1 192.168.0.251 Thu Nov 21 16:21 still logged in
donnie tty7 :0 Fri Aug 2 18:18 gone - no logout
reboot system boot 4.19.57-sunxi Wed Dec 31 19:00 still running
. . .
wtmp begins Wed Dec 31 19:00:03 1969
donnie@orangepione:/var/log$

To show a list of failed login attempts, use the -f option to read the /var/log/btmp file. The catch is that this requires sudo privileges because we generally want to keep information about failed logins confidential:

donnie@orangepione:/var/log$ sudo last -f /var/log/btmp
[sudo] password for donnie:
katelyn ssh:notty 192.168.0.251 Thu Nov 21 17:57 gone - no logout
katelyn ssh:notty 192.168.0.251 Thu Nov 21 17:57 - 17:57 (00:00)
katelyn ssh:notty 192.168.0.251 Thu Nov 21 17:57 - 17:57 (00:00)

btmp begins Thu Nov 21 17:57:35 2019
donnie@orangepione:/var/log$

Of course, we could also find Katelyn's three failed logins in the auth.log or secure file, but it's handier and quicker to see them here.
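Because wtmp and btmp share one binary record layout, it is worth seeing what last is actually doing with it: pairing each login record with the next logout on the same terminal line, and reporting "still logged in" or "gone - no logout" when it finds none. The parser below is an added example written for this section, not code from the book or from the last utility; it assumes glibc's 384-byte struct utmp layout (which holds on x86 and ARM Linux; other libcs may differ) and runs over a constructed wtmp image modelled on the listing above rather than on a real file. Being able to decode these files without the host's own tools is useful when wtmp has been copied off for offline analysis, or when the binaries on the host are not trusted; the length check also flags a file that has been truncated.

```python
import struct
from datetime import datetime, timezone

# Layout of glibc's struct utmp on Linux (384 bytes per record; little-endian on
# x86 and ARM). This is an assumption about the libc in use, not taken from the book:
#   ut_type(int16) pad(2) ut_pid(int32) ut_line[32] ut_id[4] ut_user[32] ut_host[256]
#   ut_exit(2 x int16) ut_session(int32) ut_tv(int32 sec, int32 usec) ut_addr_v6[4 x int32] unused[20]
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)   # 384

# ut_type values from <utmp.h>
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8


def _cstr(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_utmp(data):
    """Decode every record in a utmp/wtmp/btmp image into a dict.

    A length that is not a multiple of the record size means the file is
    truncated or was not written by the login machinery: refuse to misread it."""
    if len(data) % UTMP_SIZE:
        raise ValueError("file size %d is not a multiple of %d" % (len(data), UTMP_SIZE))
    records = []
    for off in range(0, len(data), UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        records.append({"type": f[0], "pid": f[1], "line": _cstr(f[2]),
                        "user": _cstr(f[4]), "host": _cstr(f[5]), "time": f[9]})
    return records


def last_like(records):
    """Pair each login with the next logout on the same line, as last(1) does.

    Returns rows (user, line, host, start, end, status), newest first."""
    rows = []
    for i, r in enumerate(records):
        if r["type"] == BOOT_TIME:
            rows.append(("reboot", "system boot", r["host"], r["time"], None, "still running"))
            continue
        if r["type"] != USER_PROCESS:
            continue
        end, status = None, "still logged in"
        for later in records[i + 1:]:
            if later["type"] == DEAD_PROCESS and later["line"] == r["line"]:
                end, status = later["time"], "logout"
                break
            if later["type"] == BOOT_TIME:       # the session was cut off by a reboot
                status = "gone - no logout"
                break
        rows.append((r["user"], r["line"], r["host"], r["time"], end, status))
    rows.reverse()
    return rows


def fmt_row(row):
    """Render one row in the style of last(1); times are shown in UTC."""
    user, line, host, start, end, status = row
    when = datetime.fromtimestamp(start, tz=timezone.utc).strftime("%a %b %d %H:%M")
    if status == "logout":
        mins = (end - start) // 60
        out = datetime.fromtimestamp(end, tz=timezone.utc).strftime("%H:%M")
        status = "- %s (%02d:%02d)" % (out, mins // 60, mins % 60)
    return "%-8s %-12s %-16s %s %s" % (user, line, host, when, status)


# --- constructed sample wtmp, modelled on the listing in the text (not real data) ---
def _rec(ut_type, line, user, host, when):
    return struct.pack(UTMP_FMT, ut_type, 0, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, int(when), 0, 0, 0, 0, 0)


def _ts(month, day, hour, minute):
    return datetime(2019, month, day, hour, minute, tzinfo=timezone.utc).timestamp()


SAMPLE_WTMP = b"".join([
    _rec(USER_PROCESS, "tty7",  "donnie",  ":0",            _ts(8, 2, 18, 18)),
    _rec(BOOT_TIME,    "~",     "reboot",  "4.19.57-sunxi", _ts(11, 21, 16, 20)),
    _rec(USER_PROCESS, "pts/1", "donnie",  "192.168.0.251", _ts(11, 21, 16, 21)),
    _rec(USER_PROCESS, "pts/3", "katelyn", "192.168.0.251", _ts(11, 21, 18, 2)),
    _rec(DEAD_PROCESS, "pts/3", "",        "",              _ts(11, 21, 18, 15)),
    _rec(USER_PROCESS, "pts/3", "katelyn", "192.168.0.11",  _ts(11, 21, 18, 15)),
    _rec(USER_PROCESS, "pts/4", "lionel",  "192.168.0.15",  _ts(11, 21, 18, 17)),
    _rec(DEAD_PROCESS, "pts/4", "",        "",              _ts(11, 21, 18, 17)),
    _rec(USER_PROCESS, "pts/4", "lionel",  "192.168.0.15",  _ts(11, 21, 18, 21)),
])

if __name__ == "__main__":
    # On a real host: parse_utmp(open("/var/log/wtmp", "rb").read()), root needed for btmp
    for row in last_like(parse_utmp(SAMPLE_WTMP)):
        print(fmt_row(row))
```

Run against /var/log/btmp instead of wtmp and the same code lists the failed attempts, since sshd and login write them as the same record type with ssh:notty as the line. Note that the tty7 login from August is reported as "gone - no logout" because the only record that follows it on that line is the reboot, which is exactly how the entry appears in the listing above.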

Finally, there's the lastlog command, which pulls information from—you guessed it—the /var/log/lastlog file. This shows a record of all users on the machine, even system users, and when they logged in last:

donnie@orangepione:/var/log$ lastlog
Username         Port     From             Latest
root             tty1                      Tue Mar 12 15:29:09 -0400 2019
. . .
messagebus                                 **Never logged in**
sshd                                       **Never logged in**
donnie           pts/2    192.168.0.251    Thu Nov 21 17:01:03 -0500 2019
sshdnoroot                                 **Never logged in**
. . .
katelyn          pts/3    192.168.0.11     Thu Nov 21 18:15:44 -0500 2019
lionel           pts/4    192.168.0.15     Thu Nov 21 18:21:33 -0500 2019
donnie@orangepione:/var/log$
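The lastlog file is laid out differently from wtmp: rather than an append-only stream of events, it is a table indexed by UID, with one fixed-size slot per UID and an all-zero slot meaning the account has never logged in. That is why lastlog can list every account, system users included, and why the file on disk is sparse and often looks huge. The following is an added example, not code from the book or from the lastlog utility; it assumes glibc's 292-byte struct lastlog layout and reads a constructed image together with a constructed passwd-style user list, so it runs offline. A practitioner reviewing a copied-off lastlog should also be aware that a UID whose slot lies past the end of the file has simply never logged in, which the code treats the same as a zeroed slot.

```python
import struct
from datetime import datetime, timezone

# glibc struct lastlog: int32 ll_time, char ll_line[32], char ll_host[256] = 292 bytes.
# The file is indexed by UID: the record for UID n starts at byte n * 292, so the
# file is sparse and mostly zero-filled. The layout is an assumption about the libc.
LASTLOG_FMT = "<i32s256s"
LASTLOG_SIZE = struct.calcsize(LASTLOG_FMT)   # 292
NEVER = "**Never logged in**"


def _cstr(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def lastlog_entry(data, uid):
    """Return (epoch, line, host) for a UID, or None if it has never logged in.

    A UID whose slot lies beyond the end of the file has no record either, so it
    is treated exactly like a zeroed slot instead of raising."""
    off = uid * LASTLOG_SIZE
    if off + LASTLOG_SIZE > len(data):
        return None
    t, line, host = struct.unpack_from(LASTLOG_FMT, data, off)
    return None if t == 0 else (t, _cstr(line), _cstr(host))


def lastlog_report(data, users):
    """Build lastlog-style rows (name, line, host, latest) for (name, uid) pairs.

    Times are rendered in UTC; the real tool prints them in the local zone."""
    rows = []
    for name, uid in users:
        entry = lastlog_entry(data, uid)
        if entry is None:
            rows.append((name, "", "", NEVER))
        else:
            t, line, host = entry
            latest = datetime.fromtimestamp(t, tz=timezone.utc).strftime("%a %b %d %H:%M:%S %z %Y")
            rows.append((name, line, host, latest))
    return rows


# --- constructed sample: a lastlog image plus a passwd-style user list (not real data) ---
def build_lastlog(entries):
    """entries: {uid: (epoch, line, host)}; every other slot stays zero-filled."""
    buf = bytearray((max(entries) + 1) * LASTLOG_SIZE)
    for uid, (t, line, host) in entries.items():
        struct.pack_into(LASTLOG_FMT, buf, uid * LASTLOG_SIZE, t, line.encode(), host.encode())
    return bytes(buf)


def _ts(y, mo, d, h, mi, s):
    return int(datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc).timestamp())


SAMPLE_LASTLOG = build_lastlog({
    0:    (_ts(2019, 3, 12, 15, 29, 9),  "tty1",  ""),
    1000: (_ts(2019, 11, 21, 17, 1, 3),  "pts/2", "192.168.0.251"),
    1001: (_ts(2019, 11, 21, 18, 15, 44), "pts/3", "192.168.0.11"),
    1002: (_ts(2019, 11, 21, 18, 21, 33), "pts/4", "192.168.0.15"),
})
# UIDs 103 and 104 have zeroed slots; UID 65534 lies past the end of the image.
SAMPLE_USERS = [("root", 0), ("messagebus", 103), ("sshd", 104), ("donnie", 1000),
                ("katelyn", 1001), ("lionel", 1002), ("nobody", 65534)]

if __name__ == "__main__":
    # On a real host: build the user list from /etc/passwd and read /var/log/lastlog
    print("%-12s %-8s %-16s %s" % ("Username", "Port", "From", "Latest"))
    for name, line, host, latest in lastlog_report(SAMPLE_LASTLOG, SAMPLE_USERS):
        print("%-12s %-8s %-16s %s" % (name, line, host, latest))
```

The image built here is 1003 slots long even though only four of them hold data, which is the same effect that makes a real lastlog file appear far larger than its contents: the nobody account at UID 65534 would push it to roughly 19 MB on disk, almost all of it holes.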

There are a lot more logs in the /var/log directory, but I've just given you the quick tour of the logs that pertain to system security. Next, we'll look at the two major logging systems that are built into most Linux distros, starting with the rsyslog system.
