All,

Like my title says, is there any way to monitor logins on a Linux box in real time?

I am just learning Linux and have a Linux server I've been tasked with taking care of.

Something we are trying to figure out is how to tell when user(s) log in in real time. I can run 'last' to see all of this information but there must surely be a way to monitor it in real time vs. running the 'last' command or 'who' then searching through the info, right? I was thinking something like tail -F but I can't seem to find much on Google with my limited skill with the OS.

I found a program called 'whowatch' but I'd prefer something I can do with native tools on a Red Hat 6 box as there may be more I will need to do this on in the future.

Many thanks for your suggestions.

tail -f /var/log/secure, probably followed by a grep to only see successful logins (or failed ones, as you prefer).

I'd go with this suggestion, and only look at failed logins, personally. Mainly because (if you have a good number of users), you'll see logins CONSTANTLY. The 'signal-to-noise' ratio there will make it easy to miss something suspicious. Logging only fails will be a shorter list, and let you see potential problems quicker.

For example, if you know user "Joe" is in the office, seeing multiple failed login attempts from the external WAN network is something to take note of. Seeing one or two from the internal LAN, from his workstation, means he probably fat-fingered the password, and is nothing to worry about. Tons of repeated "root" attempts from any address are worth seeing. While you CAN write scripts to do this, I'd suggest using a non-RHEL native tool, such as Nagios or Zabbix, which can watch log files for you, and incorporate any rules you want. Notifications are easier to see/manage, and you get a better comprehensive picture of what's going on.