Event logs including info about system and users activities

Ali KEMAL
Advisor


Hi,

I want to know when a user logged in to the system, which IP was used by the user, what kind of commands were used by the user, which processes were run by the user, etc.

So how can I reach this information? Where are the log files that include this information?

Can anybody show me the related log file path?
Thanks,
Ali Kemal.
Dennis Handly
Acclaimed Contributor

Re: Event logs including info about system and users activities

For login/logouts and IP, you can use last(1).

For the commands and processes, you must enable auditing.
You might be able to look at some of their shell history file but that's not accurate.
Hakki Aydin Ucar
Honored Contributor

Re: Event logs including info about system and users activities

in terms of command you can use:

more /home/user/.sh_history

but no time stamp in there.
OldSchool
Honored Contributor

Re: Event logs including info about system and users activities

and if you really need to catch everything a user does, you'll need to look at a commercial application. Something like Symark's PowerBroker can do the logging. Don't know how much it runs, but it's probably not cheap.
avizen9
Esteemed Contributor

Re: Event logs including info about system and users activities

Hi,
if you want to enable more logs, you can convert your system into a trusted system.

You may get more help from the HP documents for this.

http://www.docs.hp.com/en/B2355-90121/ch01s07.html
Ali KEMAL
Advisor

Re: Event logs including info about system and users activities

Hi,

Dennis, I couldn't see IP info but login/logout info are OK. How is it possible to see IP information also?

Hakki, the file ".sh_history" is a little useful as you said. How can I see the user actions with time stamp as I told?

Is there any method on system?
Thanks a lot,
Ali KEMAL.


Bill Hassell
Honored Contributor
Solution

Re: Event logs including info about system and users activities

> I couldn't see IP info but login/logout info are OK. How is it possible to see IP information also?

The man page is very helpful. Use the commands:

last -R -100
(to list the last 100 logins with IP address)

last -R -20 billh
(to list the last 20 logins for billh)

> the file ".sh_history" is a little useful as you said. How can I see the user actions with time stamp as I told?

The .sh_history is created by the shell (sh, ksh, etc) but has no option to add a timestamp. You could write a script to append a timestamp at the end of the file every few hours, but this can make the shell history recall a bit unpredictable.


Bill Hassell, sysadmin
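To make the `last -R` output from Bill's post usable for more than eyeballing, here is an added example that is not part of the thread: a small shell script that summarises `last -R`-style records per user and remote host, and flags logins from hosts outside an expected range. The sample records are constructed, and the whitespace-separated field layout (user, tty, host, day, date, time, ...) is an assumption about real `last -R` output, so check it against your own system before relying on the field numbers. Keep in mind that wtmps is an ordinary root-writable file, so anyone with root can edit or truncate it; for commands and processes you still need the auditing Dennis mentioned.

```shell
#!/bin/sh
# Added example, not from the thread. Summarises `last -R` output on HP-UX,
# where -R adds the remote host (IP) column. All input here is constructed
# sample text, and the whitespace-separated field layout is an assumption
# about real `last -R` output: verify it on your own system first.

# Constructed sample of `last -R -100` output. Local console and system
# boot records have no remote host field.
SAMPLE_LAST_R='billh     pts/ta   192.0.2.10     Mon Apr 20 09:12 - 11:40  (02:28)
alikemal  pts/tb   198.51.100.7   Mon Apr 20 10:05 - 10:33  (00:28)
billh     pts/tc   192.0.2.10     Sun Apr 19 22:01 - 22:30  (00:29)
root      console  Sun Apr 19 08:00 - 08:15  (00:15)
reboot    system boot  Sun Apr 19 07:58
billh     pts/td   203.0.113.9    Sat Apr 18 23:55 - 00:10  (00:15)'

# Print "user host count", one line per (user, host) pair whose third field
# looks like an IPv4 address. Reads `last -R` text on stdin.
logins_by_host() {
    awk '$3 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { n[$1 " " $3]++ }
         END { for (k in n) print k, n[k] }' | sort
}

# Print the distinct remote hosts a given user logged in from.
hosts_for_user() {
    logins_by_host | awk -v u="$1" '$1 == u { print $2 }'
}

# Print "user host count" for remote logins whose host does not start with
# the given prefix (an assumed management-network prefix, e.g. 192.0.2.).
unexpected_hosts() {
    logins_by_host | awk -v a="$1" 'index($2, a) != 1 { print $1, $2, $3 }'
}

# Stand-alone run against the constructed sample: `sh this.sh demo`.
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LAST_R" | logins_by_host
    printf '%s\n' "$SAMPLE_LAST_R" | hosts_for_user billh
    printf '%s\n' "$SAMPLE_LAST_R" | unexpected_hosts 192.0.2.
fi
```

On a live system you would feed `last -R -100 | logins_by_host` instead of the constructed sample; the same functions work on `last -R -f /var/adm/wtmps.old` output if you keep archived copies of the file.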
Ali KEMAL
Advisor

Re: Event logs including info about system and users activities

Hi,

I could not see the new records on a server after using "last -R -100". What might happen?

After "last -R -20 -f /var/adm/wtmp" output,
I see that the last record is "Apr 20".
I couldn't see even the last record in the file by "last -R -100". And there are no new records in the file after that date.

What is the problem? Is the logging system working?
Thanks,
Ali KEMAL.



Dennis Handly
Acclaimed Contributor

Re: Event logs including info about system and users activities

>I could not see the new records on a server after using "last -R -100". What might happen?

Since last(1) reverses the order, which direction did you mean by "new records"?
Did you mean there are no entries for Apr 21 and later in time?

>After "last -R -20 -f /var/adm/wtmp" output, I see that the last record is "Apr 20". I couldn't see even the last record on the file by "last -R -100". And there are no new records on the file after that date.

You're saying last(1) indicates nobody has logged on since Apr 20?
How big is the file? Could it have been corrupted on April 20?
Ali KEMAL
Advisor

Re: Event logs including info about system and users activities

>Since last(1) reverses the order, which direction did you mean by "new records"?
Did you mean there are no entries for Apr 21 and later in time?

I use the same command on the other servers, no problem. And yes, no entries for Apr 21 and later in time.

And, as I said, when I use "last" I could not see the entry "Apr 20" which exists in the file "wtmp".

>You're saying last(1) indicates nobody has logged on since Apr 20?
How big is the file? Could it have been corrupted on April 20?

Yes, I am saying exactly what you said.
wtmp 94000 and wtmps ~2147483000
So, If it is corrupted, how can i solve this?

NOTE: I can get the correct info from the command "lastb".

Thanks,
Ali KEMAL.
Hakki Aydin Ucar
Honored Contributor

Re: Event logs including info about system and users activities

Ali Kemal

Lastb is the same as last, except that by default it shows a log of the file /var/log/btmp, which contains all the bad login attempts.
Hakki Aydin Ucar
Honored Contributor

Re: Event logs including info about system and users activities

and if your wtmp(s) file is corrupted,
you need to restore it from the last good available backup, if you have one.
Dennis Handly
Acclaimed Contributor

Re: Event logs including info about system and users activities

>I use the same command on the other servers, no problem.

wtmps is a data file, so it doesn't matter what happens on other systems. How large is it on the others? You may have to fix them too.

>wtmps ~2147483000

Do you have largefiles enabled for /var? You really shouldn't let it grow this big.

>If it is corrupted, how can I solve this?

You truncate the file with:
> /var/adm/wtmps

>I can get the correct info from the command "lastb".

No, you should get no info from lastb(1) because nobody should be using bad passwords. :-)
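Dennis's fix is `> /var/adm/wtmps`, which discards the whole file. As an added example that is not from the thread, the script below does the same truncation but first copies the file aside with a timestamp, so the login history (including whatever corrupted it) survives for later inspection with `last -f`, and it truncates in place rather than removing and recreating the file, so ownership, permissions and the file descriptors of login programs are untouched. The archive directory, the size threshold and the demo scratch file are assumptions for illustration; the real file on this system is /var/adm/wtmps.

```shell
#!/bin/sh
# Added example, not from the thread. Archive-then-truncate for an oversized
# or corrupted wtmps. Paths, threshold and demo content are assumptions made
# for illustration; on HP-UX 11.23 the live file is /var/adm/wtmps.

# Size of a file in bytes. `wc -c <` avoids the filename column, and tr
# strips the leading spaces some wc implementations print.
size_bytes() {
    wc -c < "$1" | tr -d ' '
}

# True when FILE is larger than THRESHOLD bytes. The default threshold of
# 1 GiB is an assumed value; the thread's file had reached ~2 GiB.
oversized() {
    threshold="${2:-1073741824}"
    [ "$(size_bytes "$1")" -gt "$threshold" ]
}

# Copy FILE to ARCHIVE_DIR with a timestamp suffix, then truncate FILE in
# place. Prints the archive path. Returns 1 if FILE does not exist.
archive_and_truncate() {
    file="$1"; archive_dir="$2"
    [ -f "$file" ] || return 1
    mkdir -p "$archive_dir"
    stamp=$(date +%Y%m%d-%H%M%S)
    dest="$archive_dir/$(basename "$file").$stamp"
    cp -p "$file" "$dest"
    # Same effect as `> /var/adm/wtmps` from the thread: the inode is kept,
    # so permissions, owner and any open descriptors stay valid.
    : > "$file"
    echo "$dest"
}

# Stand-alone demo on a constructed scratch file, never the real wtmps.
demo() {
    tmp=$(mktemp -d)
    printf 'constructed record %s\n' 1 2 3 > "$tmp/wtmps"
    if oversized "$tmp/wtmps" 50; then
        archived=$(archive_and_truncate "$tmp/wtmps" "$tmp/archive")
        echo "archived to $archived; live file is now $(size_bytes "$tmp/wtmps") bytes"
    fi
    rm -rf "$tmp"
}

[ "${1:-}" = "demo" ] && demo
```

Run it as `sh this.sh demo` to see it work on the scratch file; against the real file you would call `archive_and_truncate /var/adm/wtmps /var/adm/wtmps.archive` as root, after checking `oversized` or confirming the corruption with `last -f`. The archived copy can still be read with `last -R -f /var/adm/wtmps.archive/wtmps.<stamp>` if any of it is intact.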
Ali KEMAL
Advisor

Re: Event logs including info about system and users activities

Hi,

1) If I understand correctly, it is enough to truncate the corrupted file to solve the problem. And I should randomly delete some content of the file, is that right?

2) Should I do the same deletion for wtmp and wtmps?

3) I see the difference between "last" and "lastb". I just check the command "lastb" for bad login attempts.

Thanks,
Ali KEMAL.
Dennis Handly
Acclaimed Contributor

Re: Event logs including info about system and users activities

>1) it is enough to truncate the corrupted file to solve the problem. And I should randomly delete some content of the file, is it right?

Yes, unless you want to keep some content.
No need to "randomly delete".

>2) Should I do the same deletion for wtmp and wtmps?

No, only the bad file, wtmps.
(What OS version are you using?)
Ali KEMAL
Advisor

Re: Event logs including info about system and users activities

Hi,

--Yes, unless you want to keep some content.
No need to "randomly delete".

Which content should I delete or not delete?
Is there any risk when I do something wrong with the file?

--No, only the bad file, wtmps.
(What OS version are you using?)

HP-UX B.11.23 U.

Dennis Handly
Acclaimed Contributor

Re: Event logs including info about system and users activities

>Which content should I delete or not delete? Is there any risk when I do something wrong with the file?

You have to decide how much info to keep. If you do something wrong, you just won't have that login info.