diff --git a/auth-log/.gitignore b/auth-log/.gitignore
new file mode 100644
index 0000000..d6b7ef3
--- /dev/null
+++ b/auth-log/.gitignore
@@ -0,0 +1,2 @@
+*
+!.gitignore
diff --git a/bin/check_last_login.sh b/bin/check_last_login.sh
index c4a420d..8625b4d 100755
--- a/bin/check_last_login.sh
+++ b/bin/check_last_login.sh
@@ -20,6 +20,8 @@
 delete_accounts="";
 user_group_tpl="deluser %s %s;adduser %s %s;";
 # log base folder
 LOG="${BASE_FOLDER}/../log";
+# auth log file user;date from collect_login_data script
+AUTH_LOG="${BASE_FOLDER}/../auth-log/user_auth.log";
 if [ $(whoami) != "root" ]; then
 echo "Script must be run as root user";
@@ -54,22 +56,39 @@ for user in $(cat /etc/group|grep "${ssh_group}:" | cut -d ":" -f 4 | sed -e 's/
 home_dir=$(cat /etc/passwd | grep "${user}:" | cut -d ":" -f 6)"/.bash_logout";
 user_create_date=$(stat -c %Z "${home_dir}");
 fi;
+
+ # below only works if the user logged in, a lot of them are just file upload
+ # users. Use the collect script from systemd-logind or /var/log/secure
 # Username Port From Latest
 # user pts/35 10.110.160.230 Wed Nov 2 09:40:35 +0900 2022
 last_login_string=$(lastlog -u ${user} | sed 1d);
 search="Never logged in";
- # if we have "** Never logged in**" the user never logged in
- if [ ! -z "${last_login_string##*$search*}" ]; then
+ found="";
+ # problem with running rep check in if
+ if [ -f "${AUTH_LOG}" ]; then
+ found=$(grep "${user};" "${AUTH_LOG}");
+ fi;
+ if [ ! -z "${found}" ]; then
+ last_login_date=$(grep "${user};" "${AUTH_LOG}" | cut -d ";" -f 2 | date +"%s" -f -);
+ last_login=$(awk '{printf("%.0f\n",($1-$2)/$3)}' <<<"${now} ${last_login_date} ${day}");
+ if [ ${last_login} -gt ${max_age_login} ]; then
+ out_string="[!] last ssh log in ${last_login} days ago";
+ delete_user=1;
+ else
+ out_string="OK [ssh]";
+ fi;
+ elif [ ! -z "${last_login_string##*$search*}" ]; then
+ # if we have "** Never logged in**" the user never logged in
 # find \w{3} \w{3} [\s\d]{2} \d{2}:\d{2}:\d{2} \+\d{4} \d{4}
 # awk '{for(i=4;i<=NF;++i)printf $i FS}'
 last_login_date=$(echo "${last_login_string}" | awk '{for(i=4;i<=NF;++i)printf $i FS}' | date +"%s" -f -);
 # date -d "Wed Nov 2 09:40:35 +0900 2022" +%s
 last_login=$(awk '{printf("%.0f\n",($1-$2)/$3)}' <<<"${now} ${last_login_date} ${day}");
 if [ ${last_login} -gt ${max_age_login} ]; then
- out_string="[!] last logged in ${last_login} days ago";
+ out_string="[!] last terminal log in ${last_login} days ago";
 delete_user=1;
 else
- out_string="OK";
+ out_string="OK [lastlog]";
 fi;
 elif [ ! -z "${user_create_date}" ]; then
 user_create_date=$(echo "${user_create_date}" | date +"%s" -f -);
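Review bot: The new `found=$(grep "${user};" "${AUTH_LOG}")` and the `last_login_date=` line below it match an unanchored substring, so for user `bob` the entry `joebob;<date>` also matches; with two hits `date -f -` prints two timestamps and the `awk`/`-gt` comparison operates on garbage, and with a single foreign hit the wrong user's date decides whether `delete_user=1` is set. Anchor the lookup once and take a single line, e.g. `found=$(grep -- "^${user};" "${AUTH_LOG}" | head -n 1);` and `last_login_date=$(cut -d ";" -f 2 <<<"${found}" | date +"%s" -f -);`, which also removes the second grep. Because this value drives account deletion while the script runs as root, it should only trust `${AUTH_LOG}` when the file is root-owned and not group/world-writable; otherwise anyone able to write it can plant a recent date for their own account or an old one for somebody else's. The enclosing `for user in ...` loop starts and ends outside the hunk.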
@@ -81,7 +100,7 @@ for user in $(cat /etc/group|grep "${ssh_group}:" | cut -d ":" -f 4 | sed -e 's/
 out_string="[!] Never logged in, account created ${account_age} days ago";
 delete_user=1;
 else
- out_string="OK";
+ out_string="OK [first login]";
 fi;
 else
 out_string="[!!!] Never logged in and we have no create date";
diff --git a/bin/collect_login_data.sh b/bin/collect_login_data.sh
new file mode 100755
index 0000000..a78cb12
--- /dev/null
+++ b/bin/collect_login_data.sh
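Review bot: The new label `OK [first login]` is misleading for this branch: judging by its `[!] Never logged in, account created ...` sibling, this is the path where the account has never logged in and is merely younger than the age limit, so no first login has taken place. A label naming the actual condition, e.g. `out_string="OK [new account]";`, would keep it parallel with the other tags introduced in this commit, where `[ssh]` and `[lastlog]` name the data source the decision came from. The enclosing if/elif chain and the for loop start outside the hunk.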
@@ -0,0 +1,94 @@
+#!/usr/bin/env bash
+
+# * check we are root
+# if we are not root, bail out
+# if [ $(whoami) != "root" ]; then
+if [[ "$EUID" -ne "0" ]]; then
+ echo "Must be run as root or with sudo command";
+ exit;
+fi;
+
+# base folder
+BASE_FOLDER=$(dirname $(readlink -f $0))"/";
+# auth log file
+AUTH_LOG="${BASE_FOLDER}/../auth-log/user_auth.log";
+if [ ! -f "${AUTH_LOG}" ]; then
+ touch "${AUTH_LOG}";
+fi;
+# run full log check flag
+RUN_FULL_LOG=0;
+if [ ! -z "${1}" ] && [ "${1}" = "FULL" ]; then
+ echo "[!!!] Run through all log files to collect data";
+ RUN_FULL_LOG=1;
+fi;
+
+# Collector script for login information via journalctl
+# if no systemd installed, try to get info from /var/log/secure or /var/log/auth.log
+readonly init_version=$(/proc/1/exe --version | head -n 1);
+if [ -z "${init_version##*systemd*}" ]; then
+ LOG_TARGET="systemd";
+ # for journalctl
+ START_DATE=$(date +%F -d "1 day ago");
+ END_DATE=$(date +%F);
+ START_YEAR=$(date +%Y -d "1 day ago");
+ OPT_START_DATE='';
+ if [ $RUN_FULL_LOG -eq 0 ]; then
+ OPT_START_DATE="-S ${START_DATE}";
+ OPT_END_DATE="-U ${END_DATE}";
+ fi;
+ journalctl -u systemd-logind --no-pager ${OPT_START_DATE} ${OPT_END_DATE} | grep ": New session" |
+ while read line; do
+ # # Nov 21 14:15:46 we.are.hostname.com systemd-logind[1865]: New session 12345 of user some^user.
+ # date: 5 chars
+ # time: 8 chars
+ # hostname
+ # systemd-logind pid ...
+ # " of user "
+ # we want date + time + username
+ # prefix year with start date year
+
+ # echo "L: $line";
+
+ # do we have a key entry, if not add new with last log date
+ # clean up date from YYYY nam dd to YYYY-MM-DD HH:II:SS
+ # auth_date=$(echo "${line}" | cut -c 1-15 | date +"%F %T" -f -);
+ # auth_date=$($(echo "${line}" | cut -c 1-6)" ${START_YEAR} "$(echo "${line}" | cut -c 8-15)) | date +"%F %T" -f -;
+ auth_date=$(echo "${line}" | cut -c 1-6)" ${START_YEAR} "$(echo "${line}" | cut -c 8-15);
+ auth_date=$(echo "${auth_date}" | date +"%F %T" -f -);
+ # auth user has . at the end, remove that one
+ auth_user=$(echo "${line}" | cut -d "]" -f 2 | cut -d " " -f 7 | cut -d "." -f 1);
+
+ # echo -n "USER: $auth_user | DATE: $auth_date";
+
+ # find auth user in current auth file
+ # if not there attach, else replace date only
+ found=$(grep "${auth_user};" "${AUTH_LOG}");
+ if [ -z "${found}" ]; then
+ # echo -n " | Write new";
+ echo "${auth_user};${auth_date}" >> "${AUTH_LOG}";
+ else
+ # echo -n " | Replace old";
+ sed -i "s/${auth_user};.*$/${auth_user};${auth_date}/" "${AUTH_LOG}";
+ fi;
+ # echo " [***]";
+ done;
+else
+ LOG_TARGET="syslog";
+ # for secure/auth log
+ START_DATE=$(date +"%b %e" -d "1 day ago")
+ cat /var/log/secure | grep "${START_DATE}" | grep ": session opened for user" |
+ while read line; do
+ # Nov 21 14:15:56 some.hostname.com sshd[12345]: pam_unix(sshd:session): session opened for user some-user(uid=6789) by (uid=0)
+ auth_date=$($(echo "${line}" | cut -c 1-6)" ${START_YEAR} "$(echo "${line}" | cut -c 8-15) | date +"%F %T" -f -);
+ auth_user=$(echo "${line}" | cut -d ")" -f 2 | cut -d " " -f 6 | cut -d "(" -f 1);
+ # find auth user in current auth file
+ # if not there attach, else replace date only
+ if [ -z grep "${auth_user}" "${AUTH_LOG}" ]; then
+ cat "${auth_user};${auth_date}" >> "${AUTH_LOG}";
+ else
+ sed -i "s/${auth_user};.*$/${auth_user};${auth_date}/" "${AUTH_LOG}";
+ fi;
+ done;
+fi;
+
+# __END__
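Review bot: The syslog branch near the end of the hunk cannot have worked: `[ -z grep "${auth_user}" "${AUTH_LOG}" ]` hands four words to `test` and errors out, `cat "${auth_user};${auth_date}" >> "${AUTH_LOG}"` reads a file named after the entry instead of writing the entry, `START_YEAR` is only assigned in the systemd branch so the rebuilt date has no year, and `auth_date=$($(echo ...) ...)` executes the assembled date string as a command (the same mistake the systemd branch keeps only as a commented-out line). Both branches also locate and rewrite entries by unanchored substring (`grep "${auth_user};"`, `sed -i "s/${auth_user};.*$/.../"`), so `bob` is found in and overwrites the `joebob` line, and `cut -d "." -f 1` truncates any username containing a dot instead of only stripping the trailing one, which `auth_user=${auth_user%.}` does safely. Since check_last_login.sh deletes accounts from this file while running as root, anchor the lookups with `^` in both scripts (and prefer an `awk -F';'` string compare over a regex if usernames may contain metacharacters), and make the not-root guard at the top `exit 1` so cron notices the failure instead of a silent status 0. In FULL mode every journal line is stamped with `START_YEAR` taken from yesterday, so older entries get the wrong year; `journalctl -o short-iso` prints the full timestamp and removes the reconstruction. The rewritten syslog branch below also switches to `read -r` and drops the useless `cat`.
```shell
else
  LOG_TARGET="syslog";
  START_DATE=$(date +"%b %e" -d "1 day ago");
  START_YEAR=$(date +%Y -d "1 day ago");
  grep "${START_DATE}" /var/log/secure | grep ": session opened for user" |
  while IFS= read -r line; do
    # … unchanged: example pam_unix log line comment …
    auth_date=$(echo "${line}" | cut -c 1-6)" ${START_YEAR} "$(echo "${line}" | cut -c 8-15);
    auth_date=$(echo "${auth_date}" | date +"%F %T" -f -);
    auth_user=$(echo "${line}" | cut -d ")" -f 2 | cut -d " " -f 6 | cut -d "(" -f 1);
    if ! grep -q -- "^${auth_user};" "${AUTH_LOG}"; then
      echo "${auth_user};${auth_date}" >> "${AUTH_LOG}";
    else
      sed -i "s/^${auth_user};.*$/${auth_user};${auth_date}/" "${AUTH_LOG}";
    fi;
  done;
fi;
```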