https://community.hpe.com/t5/operating-system-hp-ux/su-logging/m-p/3774972#M262005 Welcome to the wonderful world of account access logging. It's a mess. As you've discovered, su logins are not recorded in wtmp so will not show up in last's output. The only place such logins are recorded in sulog and/or syslog, depending on the configuration. Thu, 20 Apr 2006 12:23:02 GMT Jeff_Traigle 2006-04-20T12:23:02Z https://community.hpe.com/t5/operating-system-hp-ux/su-logging/m-p/3774970#M262003 When a user logs in as themselves, that is a personal user account, we make them 'su' to oracle or other special user accounts. Problem is , when they su to oracle or other accounts, they end up getting reported as a dormant account because they have not logged onto the system in 'x' amount of days. Anyone know why this is happening? The audit keeps hitting oracle and other accounts as 'dormant'.<BR /><BR />Do accounts not show up in the last log if they are initiated by 'su' ??? Thu, 20 Apr 2006 12:13:13 GMT https://community.hpe.com/t5/operating-system-hp-ux/su-logging/m-p/3774970#M262003 Nobody's Hero 2006-04-20T12:13:13Z https://community.hpe.com/t5/operating-system-hp-ux/su-logging/m-p/3774971#M262004 Hi Robert:<BR /><BR />No, 'su' activity is not logged in '/var/adm/wtmp'. Rather, the switch is shown in '/var/adm/sulog'. This makes "sense" since to perform a (s)witch-(u)ser you must already be logged on.<BR /><BR />You can tell the success (+) or failure (-) from the 'sulog' with the positive/negative notation recorded for the action.<BR /><BR />Regards!<BR /><BR />...JRF... Thu, 20 Apr 2006 12:19:47 GMT https://community.hpe.com/t5/operating-system-hp-ux/su-logging/m-p/3774971#M262004 James R. Ferguson 2006-04-20T12:19:47Z https://community.hpe.com/t5/operating-system-hp-ux/su-logging/m-p/3774972#M262005 Welcome to the wonderful world of account access logging. It's a mess. As you've discovered, su logins are not recorded in wtmp so will not show up in last's output. The only place such logins are recorded in sulog and/or syslog, depending on the configuration. Thu, 20 Apr 2006 12:23:02 GMT https://community.hpe.com/t5/operating-system-hp-ux/su-logging/m-p/3774972#M262005 Jeff_Traigle 2006-04-20T12:23:02Z https://community.hpe.com/t5/operating-system-hp-ux/su-logging/m-p/3774973#M262006 Shalom Robert,<BR /><BR />Seems reasonable that with last -R output and the sulog you can write a short awk script and have a very good idea what is going on.<BR /><BR />oracle and other accounts may be dormant if the dba's never log on. Your startup scripts will only leave evidence in the sulog.<BR /><BR />su - oracle -c <STARTUP script=""></STARTUP>run by root. Did Orale log in? not as afar as wtmp is concerned.<BR /><BR />SEP Thu, 20 Apr 2006 13:16:39 GMT https://community.hpe.com/t5/operating-system-hp-ux/su-logging/m-p/3774973#M262006 Steven E. Protter 2006-04-20T13:16:39Z https://community.hpe.com/t5/operating-system-hp-ux/su-logging/m-p/3774974#M262007 If this is a trusted system it might be better to write a script to run through the users doing a getprpw on each user. The slogint field will reflect a sucessful login date event for a su. Of course, this means that root has to be the one to be getting the login dates for the auditors, but at least this can refute the "dormant account" claim. Fri, 21 Apr 2006 05:36:47 GMT https://community.hpe.com/t5/operating-system-hp-ux/su-logging/m-p/3774974#M262007 Tom Henning 2006-04-21T05:36:47Z