Overview
The purpose of this guide is to help identify, view or audit which users logged in to and out of the server and who performed reboot(s) or shutdown(s).
From the report we can extract when a specific user logged in, and we can also pull login or logout entries for an exact date and time.
Applies To
Tested on CentOS 7 and RHEL 7
Log Files Insight
Filename         Purpose
/var/log/wtmp    Historical record of logins, logouts and reboots (utmp format); this is what "last" reads by default
/var/log/btmp    Records only failed login attempts on the server (read by "lastb")
/var/run/utmp    Records the user(s) currently logged in
List Entries – Login and Logout Info
To view the login and logout information of all users (extracted from /var/log/wtmp), run the command:
last
List Entries – Full Login and Logout Info
To view full login and logout times along with the date(s), run the command below; this lists only the first 5 entries:
last -F -n 5
List Entries – Shutdown Info
To view shutdown entries and run level changes, run the command below; it also prints the one line above each "runlevel" match, which shows the user who was logged in at that time:
last -x | grep -B 1 runlevel
Note: grep -B 1 <search string> prints one line of context above each matching line.
List Entries – User
To view a particular user's entries (here root, limited to the first 5), run the command:
last root | head -n 5
List Entries – Suppress Hostname
To view a particular user's entries with the hostname field suppressed, run the command:
last -R root | head -n 5
List Entries – Who Logged at Specific Time
To view which users were logged in to the server at a specific date and time, run the command below; the date and time are given in the format "YYYYMMDDHHMMSS":
last -t 20160720090505
List Entries – User Logged at Specific Time
To view whether a particular user was logged in to the server at a specific date and time, run the command below; the date and time are given in the format "YYYYMMDDHHMMSS" followed by the username:
last -t 20160720090505 root
List Entries – System Shutdown
To list the entry for when the server was last shut down with full information, run the first command; to extract only the time of that shutdown, run the alternate command (the awk fields $5-$8 are the day, month, date and time columns of the "last -x" output):
last -x | grep shutdown | head -n 1
last -x | grep shutdown | head -n 1 | awk '{ print $5, $6, $7, $8 }'
List Entries – System Reboots
To list the entries of when the server was rebooted, run the command:
last reboot
List Entries – System Reboots Full Info
To list the most recent reboot entry with full information, run the first command; to extract only the time of that reboot, run the alternate command (with -F the year is printed too, hence the extra field $9):
last reboot -F | head -n 1
last reboot -F | head -n 1 | awk '{ print $5, $6, $7, $8, $9 }'
List Entries – Bad Logins Attempts
To list all the bad login attempts on the server (read from /var/log/btmp, which is readable only by root), run the command; "lastb" is the same as "last -f /var/log/btmp":
lastb
List Entries – User Still Logged-In
To list the users who are still logged in to the server, run the command:
last -f /var/run/utmp
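The commands above pipe "last" output into grep, head and awk by positional field number, which breaks as soon as the host column is empty (a local tty login) because every later field shifts left. The following POSIX shell script is an added example (not part of the original post) that parses a "last -F" style listing with awk more robustly by locating the timestamp with a regular expression instead of a field index. It reimplements three of the views described on this page: a per-user session count, the "who was logged in at YYYYMMDDHHMMSS" query that "last -t" answers, and the "still logged in" view. The listing in SAMPLE_LAST_F is constructed here so the script runs offline; on a real host replace it with the output of "last -F". The function names are the example's own, not part of "last".

```shell
#!/bin/sh
# Added example: audit a "last -F" listing with awk, without relying on
# positional fields ($5, $6, ...) that shift when the host column is blank.

# Constructed sample of "last -F" output (CentOS 7 layout), used in place of a
# real /var/log/wtmp so the script runs anywhere. Note the tty1 line has no host.
SAMPLE_LAST_F='root     pts/0        192.168.1.10     Wed Jul 20 09:05:05 2016 - Wed Jul 20 10:12:33 2016  (01:07)
root     tty1                          Wed Jul 20 08:59:10 2016 - Wed Jul 20 09:00:00 2016  (00:00)
reboot   system boot  3.10.0-327.el7.x Wed Jul 20 08:58:01 2016 - Wed Jul 20 12:00:00 2016  (03:01)
admin    pts/1        10.0.0.5         Tue Jul 19 17:30:00 2016 - Tue Jul 19 18:00:00 2016  (00:30)
admin    pts/2        10.0.0.5         Thu Jul 21 09:00:00 2016   still logged in
wtmp begins Mon Jul 18 00:00:00 2016'

# Regex matching one "last -F" timestamp: "Wed Jul 20 09:05:05 2016".
TS_RE='[A-Z][a-z][a-z] [A-Z][a-z][a-z] +[0-9][0-9]* [0-9:]+ [0-9][0-9][0-9][0-9]'

# Count sessions per user; the pseudo-user "reboot" and the trailer line are skipped.
sessions_per_user() {
    printf '%s\n' "$SAMPLE_LAST_F" | awk '
        /^wtmp begins/ || /^$/ || $1 == "reboot" { next }
        { count[$1]++ }
        END { for (u in count) printf "%s %d\n", u, count[u] }' | sort
}

# Print the login timestamp of every line for one user (use "reboot" for boots).
login_times_for() {
    printf '%s\n' "$SAMPLE_LAST_F" | awk -v u="$1" -v re="$TS_RE" '
        $1 == u && match($0, re) { print substr($0, RSTART, RLENGTH) }'
}

# Emulate "last -t YYYYMMDDHHMMSS": print users whose session covered that instant.
active_at() {
    printf '%s\n' "$SAMPLE_LAST_F" | awk -v when="$1" -v re="$TS_RE" '
        # Turn (Wed, Jul, 20, 09:05:05, 2016) into the sortable key 20160720090505.
        function key(dow, mon, day, hms, year,    m) {
            m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", mon) + 2) / 3
            gsub(/:/, "", hms)
            return sprintf("%04d%02d%02d%s", year, m, day, hms)
        }
        /^wtmp begins/ || /^$/ || $1 == "reboot" { next }
        {
            if (!match($0, re)) next
            split(substr($0, RSTART, RLENGTH), a, / +/)
            login = key(a[1], a[2], a[3], a[4], a[5])
            rest = substr($0, RSTART + RLENGTH)
            if (rest ~ /still logged in/)
                logout = "99999999999999"          # open session: no upper bound
            else if (match(rest, re)) {
                split(substr(rest, RSTART, RLENGTH), b, / +/)
                logout = key(b[1], b[2], b[3], b[4], b[5])
            } else
                next   # "- down", "- crash", "gone - no logout": end time unknown
            if (login <= when && when <= logout)
                print $1, a[2], a[3], a[4], a[5]
        }'
}

# Users whose most recent session has not ended (what /var/run/utmp would show).
still_logged_in() {
    printf '%s\n' "$SAMPLE_LAST_F" | awk '/still logged in/ { print $1 }' | sort -u
}

# Stand-alone usage: summarise the sample listing.
sessions_per_user
login_times_for reboot
active_at 20160720090505
still_logged_in
```

Lines ending in "- down" or "- crash" are deliberately skipped by active_at because their logout time is not on that line; the matching shutdown event is found with "last -x" as described above.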