
User log showing different dates

Why are the user logs showing two different dates?


Overview: This article explains the reason behind SSH logs displaying two different dates.


As shown in the screenshot below, the user log for Jake dated February 19th was generated on February 20th. The two dates are the log file creation date and the end of the user session: in this example, February 19th is the log file creation date, while February 20th marks the end of the user session.

Step 1(A): Run the command below on the gateway server to display detailed information about the specified log file.

root@gateway:~# stat /path/to/log/file

Example: 

root@gateway:~# stat /var/log/ezlogin/full/jake/root~log.eznoc.com~Wed_Feb_19_20:18:41_2025
File: /var/log/ezlogin/full/jake/root~log.eznoc.com~Wed_Feb_19_20:18:41_2025
Size: 700 Blocks: 8 IO Block: 4096 regular file
Device: 8,1 Inode: 663370 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 1008/ jake) Gid: ( 1001/ ezuser)
Access: 2025-02-19 20:18:41.458121452 +0530
Modify: 2025-02-20 00:00:04.106094578 +0530
Change: 2025-02-20 00:00:04.106094578 +0530
Birth : 2025-02-19 20:18:41.458121452 +0530

In the output above, the Birth timestamp is the log file creation date (February 19th), while the Modify timestamp shows the February 20th date.

Alternative method to view detailed information about the specified log file

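Step 1(B): You can also run the command below on the gateway server to get the log file creation date. It lists the file with its access time (atime), which in this example matches the Birth timestamp shown by stat.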

root@gateway:~# ls -lt --time=atime <filename>

Example: 

root@gateway:~# ls -lt --time=atime /var/log/ezlogin/full/jake/root~log.eznoc.com~Wed_Feb_19_20:18:41_2025
-rw-r--r-- 1 jake ezuser 700 Feb 19 20:18 /var/log/ezlogin/full/jake/root~log.eznoc.com~Wed_Feb_19_20:18:41_2025

2. How to log all SSH commands with timestamps?

At the moment, only the SSH session start time and end time are recorded, not the time at which each command is run. To get timestamps for the commands executed over SSH, the easiest method is to add the date to the command prompt in the bash shell, as follows.

Step 2(A): For Ubuntu and Debian, create the /etc/bashrc file and add the line below at the end of the file.

root@remote_server:~# vi /etc/bashrc

PS1="[\u@\h \D{%Y%m%d-%H:%M:%S}]\$ "

Step 2(B): For the root user, edit the .bashrc file and add the below lines at the end of the file.

root@remote_server:~# vi /root/.bashrc

if [ -f /etc/bashrc ]; then
. /etc/bashrc
fi

An example of a timestamp for a root user in Ubuntu:

[root@log 20250225-17:12:25]$ uptime
17:12:28 up 19:22, 2 users, load average: 0.07, 0.03, 0.00
[root@log 20250225-17:12:28]$
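
The stamp in the prompt is written when bash draws the prompt, so each command ran between the stamp on its own prompt and the stamp on the next one. The script below is an added example, not Ezlogin code: it reads a session log recorded with the prompt from Step 2(A) and prints that time window for every command. The function names and the sample log are constructed for illustration, and the log is assumed to be plain text.

```shell
#!/bin/sh
# Added example (not Ezlogin code): per-command time windows from a session
# log recorded with the Step 2(A) prompt "[user@host YYYYmmdd-HH:MM:SS]$ ".
# Bash expands PS1 when it draws the prompt, so the stamp is the time the
# prompt appeared; the command typed after it ran between that stamp and the
# stamp on the next prompt.

# Constructed sample log in the article's format (assumed plain text).
sample_log() {
cat <<'EOF'
[root@log 20250225-17:12:25]$ uptime
 17:12:28 up 19:22, 2 users, load average: 0.07, 0.03, 0.00
[root@log 20250225-17:12:28]$
[root@log 20250225-17:12:31]$ cat /etc/hostname
log
[root@log 20250225-17:12:40]$ exit
EOF
}

# command_windows (hypothetical helper): log on stdin, one TSV row per command:
# user, host, prompt_time, next_prompt_time, command
command_windows() {
  tr -d '\r' | awk '
    function emit(until) {
      if (cmd != "") printf "%s\t%s\t%s\t%s\t%s\n", user, host, ts, until, cmd
      cmd = ""
    }
    # A prompt line starts with [user@host stamp]$ ; the rest is the command.
    match($0, /^\[[^@ ]+@[^ ]+ [0-9]+-[0-9:]+\]\$ ?/) {
      typed = substr($0, RLENGTH + 1)
      inner = substr($0, 2, RLENGTH - 1)      # drop the leading "["
      sub(/\]\$ ?$/, "", inner)               # drop the trailing "]$ "
      split(inner, p, /[@ ]/)                 # p[1]=user p[2]=host p[3]=stamp
      emit(p[3])                              # close the previous command
      user = p[1]; host = p[2]; ts = p[3]; cmd = typed
    }
    # No later prompt: the session ended here; the log file Modify time
    # from stat (Step 1(A)) bounds the last command.
    END { emit("-") }
  '
}

sample_log | command_windows
```

Because a user can reassign PS1 inside the session, treat these stamps as an aid for reading the log rather than as tamper-proof timing.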