topic Re: Event logs including info about system and users activities in Operating System - HP-UX

Event logs including info about system and users activities

Ali KEMAL — Mon, 20 Apr 2009 21:45:24 GMT

Hi,

I want to know about when a user logged in system, Which IP was used by user, What kind of commands were used by user, Which processes were run by user etc.

So How can reach this information, where are the log files including those information?

Can anybody show me the related log file path?
Thanks,
Ali Kemal.

Re: Event logs including info about system and users activities

Dennis Handly — Tue, 21 Apr 2009 03:10:24 GMT

For login/logouts and IP, you can use last(1).

For the commands and processes, you must enable auditing.
You might be able to look at some of their shell history file but that's not accurate.

Re: Event logs including info about system and users activities

Hakki Aydin Ucar — Tue, 21 Apr 2009 10:13:09 GMT

in terms of command you can use:

more /home/user/.sh_history file

but no time stamp in there.

Re: Event logs including info about system and users activities

OldSchool — Tue, 21 Apr 2009 15:46:31 GMT

and if you really need to catch everything a user does, you'll need to look at a commercial application. Something like Symark's PowerBroker can do the logging. Don't know how much it runs, but it's probably not cheap.

Re: Event logs including info about system and users activities

avizen9 — Wed, 22 Apr 2009 01:06:02 GMT

Hi,
if you want to enabled more logs can convert your system in trusted system,

you may get more help from hp documents for this.

http://www.docs.hp.com/en/B2355-90121/ch01s07.html

Re: Event logs including info about system and users activities

Ali KEMAL — Tue, 28 Apr 2009 23:23:27 GMT

Hi,

Dennis, I couldn't see IP info but login/logout info are OK. How is it possible to see IP information also?

Hakki, the file ".sh_history" is a little useful as you said. How can I see the user actions with time stamp as I told?

Is there any method on system?
Thanks a lot,
Ali KEMAL.

Re: Event logs including info about system and users activities

Bill Hassell — Wed, 29 Apr 2009 00:40:02 GMT

> I couldn't see IP info but login/logout info are OK. How is it possible to see IP information also?

THe man page is very helpful. Use the commands:

last -R -100
(to list the last 100 logins with IP address)

last -R -20 billh
(to list the last 20 logins for billh)

> the file ".sh_history" is a little useful as you said. How can I see the user actions with time stamp as I told?

The .sh_history is created by the shell (sh, ksh, etc) but has no option to add a timestamp. You could write a script to append a timestamp at the end of the file every few hours, but this can make the shell history recall a bit unpredictable.

Re: Event logs including info about system and users activities

Ali KEMAL — Wed, 29 Apr 2009 09:20:34 GMT

Hi,

I could not see the new records on a server after using "last -R -100". What might happen?

After "last -R -20 -f /var/adm/wtmp" output,
I see that the last record is "Apr 20".
I couldn' see even the last record on the file by "last -R -100". And there are no new records on the file after that date.

What is the problem? Is it working the logging system?
Thanks,
Ali KEMAL.

Re: Event logs including info about system and users activities

Dennis Handly — Wed, 29 Apr 2009 14:30:24 GMT

>I could not see the new records on a server after using "last -R -100". What might happen?

Since last(1) reverses the order, which direction did you mean by "new records"?
Did you mean there are no entries for Apr 21 and later in time?

>After "last -R -20 -f /var/adm/wtmp" output, I see that the last record is "Apr 20". I couldn't see even the last record on the file by "last -R -100". And there are no new records on the file after that date.

You're saying last(1) indicates nobody has logged on since Apr 20?
How big is the file? It could have been corrupted on april 20?

Re: Event logs including info about system and users activities

Ali KEMAL — Thu, 30 Apr 2009 09:23:24 GMT

>Since last(1) reverses the order, which direction did you mean by "new records"?
Did you mean there are no entries for Apr 21 and later in time?

I use the same command on the other servers, no problem. And yes, no entries for Apr 21 and later in time?

And, as I said, When I use "last" I could not see the entry "Apr 20" which exist in the file "wtmp".

>You're saying last(1) indicates nobody has logged on since Apr 20?
How big is the file? It could have been corrupted on april 20?

Yes, I am saying exactly what you said.
wtmp 94000 and wtmps ~2147483000
So, If it is corrupted, how can i solve this?

NOTE: I can get the correct info from the command "lastb".

Thanks,
Ali KEMAL.

Re: Event logs including info about system and users activities

Hakki Aydin Ucar — Sat, 02 May 2009 17:58:59 GMT

Ali Kemal

Lastb is the same as last, except that by default it shows a log of the file /var/log/btmp, which contains all the bad login attempts.

Re: Event logs including info about system and users activities

Hakki Aydin Ucar — Sat, 02 May 2009 18:02:55 GMT

and if your wtmp(s) file is corrupted ,
you need to restore from last good available backup if you got.

Re: Event logs including info about system and users activities

Dennis Handly — Sun, 03 May 2009 02:45:16 GMT

>I use the same command on the other servers, no problem.

wtmps is a data file so it doesn't matter that happens on other systems. How large is it on the others? You may have to fix them too.

>wtmps ~2147483000

Do you have largefiles enabled for /var? You really shouldn't let it grow this big.

>If it is corrupted, how can I solve this?

You truncate the file with:
> /var/adm/wtmps

>I can get the correct info from the command "lastb".

No, you should get no info from lastb(1) because nobody should be using bad passwords. :-)

Re: Event logs including info about system and users activities

Ali KEMAL — Wed, 06 May 2009 23:23:00 GMT

Hi,

1) If I understand corectly, it is enough to truncate the corrupted file to solve the problem. And I should randomly delete some content of the file, is it right?

2) Should I do the same deletion for wtmp and wtmps?

3) I see the difference between "last" and "lastb". I just check the command "lastb" for bad login attempts.

Thanks,
Ali KEMAL.

Re: Event logs including info about system and users activities

Dennis Handly — Thu, 07 May 2009 01:59:33 GMT

>1) it is enough to truncate the corrupted file to solve the problem. And I should randomly delete some content of the file, is it right?

Yes, unless you want to keep some content.
No need to "randomly delete".

>2) Should I do the same deletion for wtmp and wtmps?

No, only the bad file, wtmps.
(What OS version are you using?)

Re: Event logs including info about system and users activities

Ali KEMAL — Fri, 08 May 2009 07:53:39 GMT

Hi,

--Yes, unless you want to keep some content.
No need to "randomly delete".

Which content should I delete or not delete?
Is there any risk when I do something wrong with the file?

--No, only the bad file, wtmps.
(What OS version are you using?)

HP-UX B.11.23 U.

Re: Event logs including info about system and users activities

Dennis Handly — Sat, 09 May 2009 05:35:01 GMT

>Which content should I delete or not delete? Is there any risk when I do something wrong with the file?

You have to decide how much info to keep. If you do something wrong, you just won't have that login info.