Operating System - HP-UX

SOLVED
Ali KEMAL
Advisor

Event logs including info about system and users activities

Hi,

I want to know when a user logged in to the system, which IP was used by the user, what kind of commands were used by the user, which processes were run by the user, etc.

So how can I reach this information; where are the log files that include this information?

Can anybody show me the related log file path?
Thanks,
Ali Kemal.
Dennis Handly
Acclaimed Contributor

Re: Event logs including info about system and users activities

For login/logouts and IP, you can use last(1).

For the commands and processes, you must enable auditing.
You might be able to look at some of their shell history file but that's not accurate.
Hakki Aydin Ucar
Honored Contributor

Re: Event logs including info about system and users activities

In terms of commands, you can use:

more /home/user/.sh_history

but there is no time stamp in there.
OldSchool
Honored Contributor

Re: Event logs including info about system and users activities

and if you really need to catch everything a user does, you'll need to look at a commercial application. Something like Symark's PowerBroker can do the logging. Don't know how much it runs, but it's probably not cheap.
avizen9
Esteemed Contributor

Re: Event logs including info about system and users activities

Hi,
If you want to enable more logs, you can convert your system to a trusted system;

you may get more help from the HP documents for this.

http://www.docs.hp.com/en/B2355-90121/ch01s07.html
Ali KEMAL
Advisor

Re: Event logs including info about system and users activities

Hi,

Dennis, I couldn't see IP info but login/logout info are OK. How is it possible to see IP information also?

Hakki, the file ".sh_history" is a little useful, as you said. How can I see the user actions with a time stamp, as I mentioned?

Is there any method on system?
Thanks a lot,
Ali KEMAL.


Bill Hassell
Honored Contributor
Solution

Re: Event logs including info about system and users activities

> I couldn't see IP info but login/logout info are OK. How is it possible to see IP information also?

The man page is very helpful. Use the commands:

last -R -100
(to list the last 100 logins with IP address)

last -R -20 billh
(to list the last 20 logins for billh)

> the file ".sh_history" is a little useful as you said. How can I see the user actions with time stamp as I told?

The .sh_history is created by the shell (sh, ksh, etc) but has no option to add a timestamp. You could write a script to append a timestamp at the end of the file every few hours, but this can make the shell history recall a bit unpredictable.


Bill Hassell, sysadmin
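A way to review the `last -R` output Bill describes from the defender's side, as an added example that is not part of this thread: it summarises logins per user and remote host and flags hosts outside an expected list. The column layout in the comments is an assumption about HP-UX `last -R` (check it against your man page), and the sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): summarise `last -R` output per user and
# remote host, then flag logins from hosts outside an expected list.
# Assumed column layout of HP-UX `last -R` (verify against your man page):
#   user  tty  host  Day Mon dd hh:mm - hh:mm (duration)
# A console login has no host column, so the third field is then the weekday.

# Constructed sample output; not captured from a real system.
SAMPLE_LAST='billh    pts/1   192.0.2.10    Mon Apr 20 09:12 - 10:05  (00:53)
alikemal pts/2   192.0.2.25    Mon Apr 20 09:40   still logged in
billh    pts/3   192.0.2.10    Sun Apr 19 22:01 - 22:30  (00:29)
root     console               Sun Apr 19 08:00 - 08:15  (00:15)

wtmp begins Wed Apr  1 00:00'

# Read `last -R` text on stdin; print "user host count", one line per pair.
summarize_logins() {
    awk '
        NF == 0 { next }                          # blank line before the footer
        $1 == "wtmp" || $1 == "wtmps" { next }    # "wtmp begins ..." footer
        {
            host = $3
            if (host ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/) host = "(local)"
            count[$1 " " host]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort
}

# Read "user host count" lines on stdin; print those whose host is not in the
# space-separated allow list given as $1 (local console logins are allowed).
unexpected_hosts() {
    allow=" $1 "
    while read -r user host n; do
        case "$allow" in
            *" $host "*) ;;                       # expected host
            *) [ "$host" = "(local)" ] || echo "$user $host $n" ;;
        esac
    done
}

# Stand-alone run: the summary, then hosts outside the allow list.
printf '%s\n' "$SAMPLE_LAST" | summarize_logins
printf '%s\n' "$SAMPLE_LAST" | summarize_logins | unexpected_hosts "192.0.2.10"
```

On a live system, replace the sample with `last -R -100 | summarize_logins` and keep the allow list in sync with the hosts administrators actually log in from.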
Ali KEMAL
Advisor

Re: Event logs including info about system and users activities

Hi,

I could not see the new records on a server after using "last -R -100". What might happen?

After "last -R -20 -f /var/adm/wtmp" output,
I see that the last record is "Apr 20".
I couldn't see even the last record in the file with "last -R -100". And there are no new records in the file after that date.

What is the problem? Is the logging system working?
Thanks,
Ali KEMAL.



Dennis Handly
Acclaimed Contributor

Re: Event logs including info about system and users activities

>I could not see the new records on a server after using "last -R -100". What might happen?

Since last(1) reverses the order, which direction did you mean by "new records"?
Did you mean there are no entries for Apr 21 and later in time?

>After "last -R -20 -f /var/adm/wtmp" output, I see that the last record is "Apr 20". I couldn't see even the last record on the file by "last -R -100". And there are no new records on the file after that date.

You're saying last(1) indicates nobody has logged on since Apr 20?
How big is the file? Could it have been corrupted on April 20?
Ali KEMAL
Advisor

Re: Event logs including info about system and users activities

>Since last(1) reverses the order, which direction did you mean by "new records"?
>Did you mean there are no entries for Apr 21 and later in time?

I use the same command on the other servers, no problem. And yes, there are no entries for Apr 21 and later in time.

And, as I said, when I use "last" I could not see the entry "Apr 20" which exists in the file "wtmp".

>You're saying last(1) indicates nobody has logged on since Apr 20?
>How big is the file? It could have been corrupted on april 20?

Yes, I am saying exactly what you said.
wtmp 94000 and wtmps ~2147483000
So, if it is corrupted, how can I solve this?

NOTE: I can get the correct info from the command "lastb".

Thanks,
Ali KEMAL.