topic Re: Trace user activity in Operating System - HP-UX

Trace user activity

NDO — Tue, 16 Oct 2018 06:38:19 GMT

I have one billing system that comprises a two server hp-ux serviceguard cluster running oracle rac, and the billing application. But before users log into the billing application, there is a server called F5, running linux, that I beleived does user load balancing (I am not familiar with this), them they go through a web server running windows .

What I would like to know, is how to trace a user/IP that logs into the billing system, because in logs of the actual database servers (/var/adm/syslog/syslog.log) its not possible to view who logged in and out, what IP has connected.

I wonder if it is possible to get this information.

Re: Trace user activity

Bill Hassell — Tue, 16 Oct 2018 21:48:01 GMT

You can see each login/logout with IP address with the last command.
Use it like this:

# last -R -100

You can also see failed logins with the lastb command.

Re: Trace user activity

NDO — Wed, 17 Oct 2018 08:24:07 GMT

I have followed the advice in which I had to run "last -R -100" then I got an error:

last -R -100
Invalid record size. Unable to continue ...

then I try to repair it using the following comands:

/usr/sbin/acct/fwtmp < /var/adm/wtmp > /tmp/wtmp

tail /tmp/wtmp
init.css h2 4508 5 0000 0000 1533457331 Aug 5 10:22:11 2018
init.crs h3 4510 5 0000 0000 1533457331 Aug 5 10:22:11 2018
iocdsfd cdsf 4511 5 0000 0000 1533457331 Aug 5 10:22:11 2018
clu_dsf_ cdin 4515 5 0000 0000 1533457331 Aug 5 10:22:11 2018
cimserve cim1 4518 5 0000 0000 1533457331 Aug 5 10:22:11 2018
sh ems3 4523 5 0000 0000 1533457331 Aug 5 10:22:11 2018
sh ems3 4523 8 0000 0000 1533457331 Aug 5 10:22:11 2018
p_client ems4 4533 5 0000 0000 1533457331 Aug 5 10:22:11 2018
icapd icap 4541 5 0000 0000 1533457331 Aug 5 10:22:11 2018
clu_dsf_ cdin 4515 8 0000 0001 1533457397 Aug 5 10:23:17 2018

last -R -100
Invalid record size. Unable to continue ...

/usr/sbin/acct/fwtmp -ic < /tmp/wtmp > /var/adm/wtmp

last -R -100
Invalid record size. Unable to continue ...

Would be fair to say that I have a corrupted data on my wtmp file, so the only option I have is to empty the contents of the file?

Re: Trace user activity

Bill Hassell — Wed, 17 Oct 2018 14:49:32 GMT

Yes, the wtmp file is apparently corrupted, so you'll need to zero out the contents like this:

# cat /dev/null > /var/adm/wtmp

or

# > /var/adm/wtmp

The wtmp (and /var/adm/btmp) files grow without bounds. You'll need regularly trim these files.

Re: Trace user activity

NDO — Thu, 18 Oct 2018 06:51:33 GMT

that cleared files wtmps, btmps and wtmp, but so far those files have not been populated since I cleared them yesterday.

Shouldn´t I have data on them right now?

Re: Trace user activity

Bill Hassell — Fri, 19 Oct 2018 15:11:50 GMT

Did you zero out the existing files or delete them and recreate them?

If recreated, the ownership and permissions must be restored. For 11.31, they should look like this:

-rw------- 1 root other 288 Oct 5 2015 /var/adm/btmp
-rw------- 1 root other 456400 Mar 6 2018 /var/adm/btmps
-rw-rw-r-- 1 adm adm 1368828 Oct 15 12:22 /var/adm/wtmp
-rw-rw-r-- 1 adm adm 22411848 Oct 19 10:48 /var/adm/wtmps
-rw-r--r-- 1 root root 280 Feb 24 2015 /var/adm/wtmpx

Look in ./var/adm/syslog/syslog.log for any messages about logging.

Re: Trace user activity

Dennis Handly — Sun, 21 Oct 2018 02:38:02 GMT

> Would be fair to say that I have a corrupted data on my wtmp file, so the only option I have is to empty the contents of the file?

How valuable is the data in wtmp? If you look at some other posts on wtmp, you might be able to fix it.

https://community.hpe.com/t5/tag/wtmps/tg-p

https://community.hpe.com/t5/tag/fwtmp/tg-p

Re: Trace user activity

NDO — Mon, 22 Oct 2018 05:51:38 GMT

Hi!

what I did was :

cat /dev/null > /var/adm/wtmps
cat /dev/null > /var/adm/wtmp
cat /dev/null > /var/adm/btmps

But the only file not populated is:

/var/adm/wtmp

dbnode0[467]/var/adm #ls -lrt | tail
drwx------   2 root       root            96 Aug  5 10:22 cluster_dsf
-rw-rw-r--   1 root       sys          18660 Aug  5 10:26 ps_data
drwxr-xr-x  12 bin        bin           8192 Aug  5 10:27 cmcluster
-rw-r--r--   1 root       root        297016 Aug  8 18:37 nettl.LOG000
-rw-rw-r--   1 adm        adm              0 Oct 17 17:09 wtmp
drwxr-xr-x   3 root       root          8192 Oct 18 11:13 crash
-rw-------   1 root       other          652 Oct 19 16:21 btmps
-rw-rw-r--   1 adm        adm           3912 Oct 19 16:49 wtmps
-rw-------   1 root       root         22014 Oct 21 17:01 sulog
dr-xr-xr-x   2 bin        bin           8192 Oct 22 07:48 util
dbnode0[468]/var/adm #

Re: Trace user activity

NDO — Mon, 22 Oct 2018 05:57:37 GMT

Thanks for the reply, what I am trying to establish is what IP addresses (os user pc´s) have connected to the system in the month of July 2018, by having a look on the wtmps file

Re: Trace user activity

Dennis Handly — Mon, 22 Oct 2018 18:18:56 GMT

> I am trying to establish is what IP addresses (os user PCs) have connected to the system in the month of July 2018, by having a look on the wtmps file

Do you have a backup of the corrupted file?

Re: Trace user activity

NDO — Tue, 23 Oct 2018 06:40:03 GMT

Yes I do have a backup of the file

Re: Trace user activity

Dennis Handly — Tue, 23 Oct 2018 16:19:24 GMT

Do you have a way to provide it? You can send me a private message about the location.