
log file

 
SOLVED
Jade Bulante
Frequent Advisor

log file

I would like to find out where the log file is for login failures and attempts. We're running 11.00.
12 REPLIES
Mark Greene_1
Honored Contributor
Solution

Re: log file

they are here:

/etc/utmp
/var/adm/wtmp
/var/adm/btmp

see the man page for "last" for more info

HTH
mark
the future will be a lot like now, only later
Christopher McCray_1
Honored Contributor

Re: log file

Hello,

Two places I can think of:

/var/adm/auth.log
/var/adm/sulog

Hope this helps

Chris
It wasn't me!!!!
Jade Bulante
Frequent Advisor

Re: log file

How can you read a wtmp or btmp file, since it's considered an awk text?
Mark Greene_1
Honored Contributor

Re: log file

Use last or fwtmp, but be careful as fwtmp has write capability.

mark
the future will be a lot like now, only later
someone_4
Honored Contributor

Re: log file

You use 'last' and 'lastb' to read the files. See the man pages for 'last'.

cat /var/adm/wtmp | /usr/sbin/acct/fwtmp > /var/tmp/w>

or

last -10
gives you the last 10 entries

last -R -10

displays the hostname

same thing with lastb.

Richard
someone_4
Honored Contributor

Re: log file

/usr/sbin/acct/fwtmp < wtmp | more (view entire wtmp in ascii)

/usr/sbin/acct/fwtmp < wtmp | grep -eftp -eremshd | more
(see if wtmp has ftp or remsh contained in it)

/usr/sbin/acct/fwtmp < wtmp | grep -v -eftp -eremshd > wtmp.asc
(copy everything except ftp and remsh to an ascii file)

/usr/sbin/acct/fwtmp -ic < wtmp.asc > wtmp.bin
(convert ascii file to binary file)

last -f wtmp.bin
(use the 'last' command to view the binary contents of wtmp.bin)


cat /var/adm/wtmp | /usr/sbin/acct/fwtmp
fwtmp < /etc/wtmp > /tmp/filename
Michael Tully
Honored Contributor

Re: log file

You can also use grep as a filter to
analyse the output from either the
last or lastb commands.

e.g.
# last | grep fred (username)
Anyone for a Mutiny ?
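
One way to go from grepping `lastb` output to a per-user, per-host count of failed logins, as an added example that is not from any poster in this thread. The `lastb -R` column layout (user, line, host), the function names and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Summarize failed logins from `lastb -R` style text read on stdin.
# Assumed layout (not confirmed by the thread): field 1 = user,
# field 2 = line/tty, field 3 = remote host when one was recorded.
# On a live system: lastb -R | failed_login_summary 3
failed_login_summary() {
    threshold="${1:-3}"     # report only user/host pairs seen at least this often
    awk -v min="$threshold" '
        NF < 3          { next }   # blank or truncated lines
        $2 == "begins"  { next }   # trailer such as "btmp begins at ..."
        {
            # Local logins carry no host, so field 3 is then the weekday.
            host = ($3 ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/) ? "-" : $3
            count[$1 " " host]++
        }
        END {
            for (k in count)
                if (count[k] >= min)
                    printf "%d %s\n", count[k], k
        }
    ' | LC_ALL=C sort -k1,1nr -k2,2
}

# Constructed sample input (hypothetical users and hosts, not real log data).
demo_failed_logins() {
    failed_login_summary 2 <<'EOF'
root     pts/ta   203.0.113.7      Tue Jan 29 10:12
root     pts/ta   203.0.113.7      Tue Jan 29 10:12
root     pts/tb   203.0.113.7      Tue Jan 29 10:13
oracle   pts/tc   198.51.100.20    Tue Jan 29 10:20
jade     pts/td   ws14.example.com Tue Jan 29 11:02
jade     pts/td   ws14.example.com Tue Jan 29 11:02
root     console  Tue Jan 29 12:00
root     console  Tue Jan 29 12:01

btmp begins at Mon Jan 28 09:00
EOF
}

demo_failed_logins
```

Each output line is "count user host", highest count first, with "-" standing in for entries that have no remote host.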
Christopher McCray_1
Honored Contributor

Re: log file

to read a wtmp file, use the fwtmp command


Good luck
Chris

It wasn't me!!!!
Darrell Allen
Honored Contributor

Re: log file

Hi,

One of my favorites is to use the who command against /var/adm/wtmp. See man who for more info but I like "who -a /var/adm/wtmp".

Darrell
"What, Me Worry?" - Alfred E. Neuman (Mad Magazine)
Sanjay_6
Honored Contributor

Re: log file

Hi,

The first link gives a sample on how to read the info from the log files and the second link suggests what you can do to cleanup those log files,

http://us-support3.external.hp.com/cki/bin/doc.pl/sid=fe90b163102fbbb47b/screen=ckiDisplayDocument?docId=200000054497817

http://us-support3.external.hp.com/cki/bin/doc.pl/sid=fe90b163102fbbb47b/screen=ckiDisplayDocument?docId=200000058669444

Hope this helps.

Regds
pap
Respected Contributor

Re: log file

Hi, here are those files.

/etc/utmp
/var/adm/wtmp
/var/adm/btmp

Here is the explanation about those files.


A. File utmp contains a record of all users logged onto the system.

B. File btmp contains bad login entries for each invalid logon attempt.

C. File wtmp contains a record of all logins and logouts.

"Winners don't do different things , they do things differently"
Van Weyenberg Els
New Member

Re: log file

Sanjay, I can't access the link you suggested above about cleanup /var/adm/wtmp. Also a search on document ID doesn't work. Maybe that's because I'm connecting from Europe. Is there another way to access this information? Thank you.