Check login activity
CASE #1 – Checking “PHYSICAL” login activity. Use these commands
a.) For checking successful login attempts
b.) For checking un-successful login attempts
CASE #2 – Checking the REMOTE login activity.
cat /var/log/secure* | grep i accepted --color
* is to read from the backup logs also omit if you don’t want to see those. This will show ALL successful remote login attempts.
cat /var/log/secure | grep i sshd --color
This will show all successful remote login attempts using SSH.