https://community.hpe.com/t5/operating-system-hp-ux/is-there-a-log-file/m-p/2800802#M941736 Hi,<BR /><BR />I would do the following<BR /><BR />-Get the time coordinates of the incident<BR />-Use "last" command to find out the users that logged in during those time limits.<BR />-Verify the .sh_history of each of the user.<BR /><BR />There is no 100% guarantee that you will get 100% information with the above.<BR /><BR />-Sri Thu, 05 Sep 2002 19:42:02 GMT Sridhar Bhaskarla 2002-09-05T19:42:02Z https://community.hpe.com/t5/operating-system-hp-ux/is-there-a-log-file/m-p/2800799#M941733 I am trying to find who stoped some processes in my server. <BR />I would like to pull information of who was in my server and what commands where used at a specific date and time. <BR />Is there a LOG file that I could pull up and get this information.<BR /><BR />Thank you in advanced Thu, 05 Sep 2002 19:14:58 GMT https://community.hpe.com/t5/operating-system-hp-ux/is-there-a-log-file/m-p/2800799#M941733 Onan Coca_1 2002-09-05T19:14:58Z https://community.hpe.com/t5/operating-system-hp-ux/is-there-a-log-file/m-p/2800800#M941734 You may be able to get some level of details but definately not to the extent of exact time unless your have accounting or auditing turned on on your machine. First use "last" command to find out who has been logging onto the server. Also take a look at /var/adm/syslog/syslog.log to find out where the connection is coming from. Once you have some idea who the suspected user is, you would then check if that user has HISTFILE setup in his/her .profile, if yes you can look at ~/.sh_history of that user. Still if the user is smart, the command trace can be deleted. Hope this helps a little .. Thu, 05 Sep 2002 19:32:37 GMT https://community.hpe.com/t5/operating-system-hp-ux/is-there-a-log-file/m-p/2800800#M941734 S.K. Chan 2002-09-05T19:32:37Z https://community.hpe.com/t5/operating-system-hp-ux/is-there-a-log-file/m-p/2800801#M941735 <BR />Are you sure "someone" stopped them or could they have just terminated? Could have the applications aborted? maybe they terminated on their own? And then again, maybe a user terminated them? Or maybe another process terminated them?<BR /><BR />It's funny how we react to incidents AFTER they occur, instead of being PRO-active and eliminating users from having SHELL access in the first place. Therefore I'll suggest you take the first approach, remove shell access from your users.<BR /><BR />live free or die<BR />harry Thu, 05 Sep 2002 19:39:36 GMT https://community.hpe.com/t5/operating-system-hp-ux/is-there-a-log-file/m-p/2800801#M941735 harry d brown jr 2002-09-05T19:39:36Z https://community.hpe.com/t5/operating-system-hp-ux/is-there-a-log-file/m-p/2800802#M941736 Hi,<BR /><BR />I would do the following<BR /><BR />-Get the time coordinates of the incident<BR />-Use "last" command to find out the users that logged in during those time limits.<BR />-Verify the .sh_history of each of the user.<BR /><BR />There is no 100% guarantee that you will get 100% information with the above.<BR /><BR />-Sri Thu, 05 Sep 2002 19:42:02 GMT https://community.hpe.com/t5/operating-system-hp-ux/is-there-a-log-file/m-p/2800802#M941736 Sridhar Bhaskarla 2002-09-05T19:42:02Z https://community.hpe.com/t5/operating-system-hp-ux/is-there-a-log-file/m-p/2800803#M941737 If this is an Oracle database, you would be able to see some of this information in the audit trails. This is normally found under $ORACLE_HOME/rdbms/audit, and would be listed by time. <BR /><BR />Brian Fri, 06 Sep 2002 02:04:13 GMT https://community.hpe.com/t5/operating-system-hp-ux/is-there-a-log-file/m-p/2800803#M941737 Brian Crabtree 2002-09-06T02:04:13Z