linux-logins
Parses the /var/log/wtmp file to query the terminal login and logout history on a Linux system. Returns the user, source IP, terminal, and login/logout times for each login session as structured fields.
Command properties
| Property | Value |
|---|---|
| Command type | Driver query |
| Required permission | Administrator |
| License usage | Counted |
| Parallel execution | Not supported |
| Distributed execution | Runs on Data Node (mapper) |
Syntax
Output fields
| Field | Type | Description |
|---|---|---|
| _time | timestamp | Login time. Same value as the login_time field. |
| src_ip | ipaddr | Source IP address. Returns null for local logins. |
| host | string | Source hostname (IP address or domain). Returns null if the value is empty. |
| pid | integer | Login process ID |
| user | string | Logged-in username |
| tty | string | Terminal device name (e.g., pts/0, tty1) |
| login_time | timestamp | Login time |
| logout_time | timestamp | Logout time. Returns null if still logged in or if no logout record exists. |
Error codes
Parsing errors
| Error code | Message | Description |
|---|---|---|
| 95040 | no-read-permission | Executed without administrator privileges |
Runtime errors
| Error code | Message | Description | Action on error |
|---|---|---|---|
| - | - | The /var/log/wtmp file could not be read | Aborts query execution |
Description
The linux-logins command parses the /var/log/wtmp file in binary format to extract the terminal login history. It recognizes UserProcess type records in the wtmp file as logins, and assigns the time of the next DeadProcess record on the same terminal as the logout time. If a new login occurs on the same terminal before the previous session logs out, the logout_time of the previous session is set to null.
The _time field is assigned the same value as login_time to enable time-based queries.
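The record-pairing rule above (a UserProcess record opens a session on a terminal, the next DeadProcess record on the same terminal closes it, and a terminal reused before logout leaves the earlier session with a null logout_time) can be reproduced outside the query engine. The following Python parser is an added example, not the product's own implementation; it assumes glibc's 384-byte little-endian `struct utmp` layout on x86_64 Linux and the utmp type codes USER_PROCESS = 7 and DEAD_PROCESS = 8, and it builds a small constructed wtmp byte string instead of reading a real /var/log/wtmp. The `remote_sessions` and `active_sessions` helpers mirror the `isnotnull(src_ip)` and `isnull(logout_time)` filters used in the examples that follow.

```python
"""wtmp parser mirroring the linux-logins record-pairing rule (added example).

Assumptions: glibc struct utmp layout on x86_64 (384 bytes, little-endian),
USER_PROCESS = 7, DEAD_PROCESS = 8. Sample data below is constructed, not captured.
"""
import struct
import ipaddress
from datetime import datetime, timezone

# struct utmp as laid out by glibc on x86_64:
#   short ut_type; (2 pad) pid_t ut_pid; char ut_line[32]; char ut_id[4];
#   char ut_user[32]; char ut_host[256]; struct exit_status ut_exit (2 shorts);
#   int32 ut_session; int32 tv_sec; int32 tv_usec; int32 ut_addr_v6[4]; char unused[20]
UTMP_FMT = "<hxxi32s4s32s256shhiii16s20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
USER_PROCESS = 7   # a user logged in on a terminal
DEAD_PROCESS = 8   # the process owning that terminal exited (logout)


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width C string field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def _src_ip(raw16: bytes):
    """ut_addr_v6 holds an IPv4 address in its first 4 bytes or a full IPv6 address.
    All zeros means a local (console) login, which maps to a null src_ip."""
    if raw16 == b"\0" * 16:
        return None
    if raw16[4:] == b"\0" * 12:
        return str(ipaddress.IPv4Address(raw16[:4]))
    return str(ipaddress.IPv6Address(raw16))


def parse_wtmp(data: bytes) -> list:
    """Return one dict per login session using the linux-logins output field names.

    A USER_PROCESS record opens a session on its tty; the next DEAD_PROCESS on that
    tty closes it. If another USER_PROCESS arrives on the tty first, the earlier
    session keeps logout_time=None and can no longer be closed by a later DEAD_PROCESS."""
    sessions = []
    open_by_tty = {}
    usable = len(data) - len(data) % UTMP_SIZE   # ignore a trailing partial record
    for off in range(0, usable, UTMP_SIZE):
        (ut_type, pid, line, _id, user, host, _term, _exit,
         _sess, tv_sec, tv_usec, addr) = struct.unpack_from(UTMP_FMT, data, off)
        tty = _cstr(line)
        ts = datetime.fromtimestamp(tv_sec, tz=timezone.utc).replace(microsecond=tv_usec)
        if ut_type == USER_PROCESS:
            open_by_tty.pop(tty, None)  # orphaned previous session stays logout_time=None
            sess = {
                "_time": ts,
                "src_ip": _src_ip(addr),
                "host": _cstr(host) or None,
                "pid": pid,
                "user": _cstr(user),
                "tty": tty,
                "login_time": ts,
                "logout_time": None,
            }
            sessions.append(sess)
            open_by_tty[tty] = sess
        elif ut_type == DEAD_PROCESS:
            sess = open_by_tty.pop(tty, None)
            if sess is not None:
                sess["logout_time"] = ts
    return sessions


# --- constructed sample data (not a real wtmp capture) ---------------------

def make_record(ut_type, pid, tty, user="", host="", addr=None, tv_sec=0):
    """Pack one utmp record; addr is an IP string or None for a local login."""
    packed = ipaddress.ip_address(addr).packed if addr else b""
    return struct.pack(UTMP_FMT, ut_type, pid, tty.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, packed.ljust(16, b"\0"))


SAMPLE_WTMP = b"".join([
    make_record(USER_PROCESS, 1001, "pts/0", "alice", "203.0.113.5", "203.0.113.5", 1000),
    make_record(USER_PROCESS, 1002, "tty1", "bob", tv_sec=1100),      # console login
    make_record(DEAD_PROCESS, 1001, "pts/0", tv_sec=1200),            # alice logs out
    make_record(USER_PROCESS, 1003, "tty1", "carol", tv_sec=1300),    # tty1 reused before bob logged out
    make_record(DEAD_PROCESS, 1003, "tty1", tv_sec=1400),             # closes carol, not bob
    make_record(USER_PROCESS, 1004, "pts/1", "dave", "2001:db8::7", "2001:db8::7", 1500),  # still active
])


def remote_sessions(sessions):
    """Equivalent of: linux-logins | search isnotnull(src_ip)"""
    return [s for s in sessions if s["src_ip"] is not None]


def active_sessions(sessions):
    """Equivalent of: linux-logins | search isnull(logout_time)"""
    return [s for s in sessions if s["logout_time"] is None]


if __name__ == "__main__":
    for s in parse_wtmp(SAMPLE_WTMP):
        print(s["user"], s["tty"], s["src_ip"], s["login_time"], s["logout_time"])
```

Running the block on the constructed data yields four sessions: alice (logout at 1200), bob (logout null because tty1 was reused), carol (logout at 1400) and dave (still active). Note that on a live system the parser pairs records purely by terminal name, exactly as the description states, so a missing DeadProcess record (for example after an unclean shutdown) also leaves logout_time null.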
Examples
- Query all login history

  `linux-logins`

  Queries all terminal login history on the system.

- Filter only remote access history

  `linux-logins | search isnotnull(src_ip)`

  Filters only login history from remote connections.

- Query login history for a specific user

  `linux-logins | search user == "root"`

  Queries only the login history of the root user.

- Query currently active sessions

  `linux-logins | search isnull(logout_time)`

  Queries sessions with no logout time, i.e., sessions that are currently active.