Tracking user logins on Linux

$ for user in `ls /home`
> do
>   echo -n "$user: "
>   who /var/log/wtmp | grep "^$user " | wc -l
> done
brie: 0
dumdum: 0
fedora: 124
george: 1
justme: 0
lola: 19
newuser: 0
shs: 90

To get an idea how old the wtmp file is, you can run a command like this one that displays the first (and, thus, oldest) line in the file.

$ who /var/log/wtmp | head -1
shs      pts/3        2024-04-02 16:24 (192.168.0.11)

You will also see the start date of the wtmp file when you run a command like this one where that information is tacked on at the end of the output.

$ last george
george   pts/2        192.168.0.8      Tue Jul 30 15:32 - 15:32  (00:00)

wtmp begins Tue Apr  2 16:24:11 2024

The ac command

The ac command reports on user connect time, and it has a number of other useful options as well.

Use the -d option to view daily login totals as in this example:

$ ac -d | tail -5
Aug 27  total      222.68
Sep  7  total        4.60
Sep 10  total        1.85
Sep 13  total       18.43
Today   total       26.73

For user totals, use the -p option:

$ ac -p
        lola                                 5.07
        george                               0.01
        fedora                             915.42
        shs                                124.67
        total     1045.17

The lslogins command

The lslogins command will display data on system and user accounts. Since most system accounts never log in, you will see a lot of lines without data in the LAST-LOGIN column.