I maintain a Debian multipurpose server and I'm the sole admin. I execute the lastcommand every time I ssh into the server to check if I recognize every user who have used its service and if they're allowed. I of course made my own custom security modifications to it in order to make it secure over the Internet.
Last night I executed the command and found out that the log had completely been erased and there were no entries of any users on the server. When I run last, there's usually an output of over 15 lines of who used the system but this time there's only one which was myself. I've only started using last for about a few months. I read the man page for it but it didn't say anything about it reseting itself after some x amount of time. Is it possible that my server has been hacked?? The only way to legally access this server is through my own private openvpn server.
lastlogcommand; this doesn't record all login/logout/reboot stuff thatwtmprecords, but it does record the last login time for each user. Note, though, that in both cases a non-interactive login may not show up (ssh remotehost cat myfiledoesn't necessarily count as a login!)