Linux saves its login log as utmp file, you can read more on wikipedia: https://en.wikipedia.org/wiki/Utmp.
Linux uses ‘/var/log/wtmp’ store its success login log, and ‘/var/log/btmp’ bad trials.
I wrote a page parsing utmp/wtmp/btmp file, and another convert linux last command output to utmp file, this is useful if you want to fake login log.
Here are links:
Parse UTMP file: upload your wtmp, btmp, utmp, and read it field by field.
UTMP file to last output: run commands like last -f xxx.
Generate UTMP File from Linux Output: fake your utmp here!
BTW, you can man utmp on linux to read utmp file format.
Fake Linux Login Log by @sskaje: https://sskaje.me/2017/01/fake-linux-login-log/
Link to this post!