
Track User sessions

 
joe_91
Super Advisor

Track User sessions

Can someone tell me how to track user sessions? For example, I would like to track all the users who have come into the HP-UX box through telnet, rlogin, etc. Please help.

Thanks

Joe
James R. Ferguson
Acclaimed Contributor

Re: Track User sessions

Hi Joe:

Use 'last'. See the man pages for more information. 'last' uses '/var/adm/wtmp'. If it is not present, create it by 'touch'ing it. It will grow without bound and will need to be nulled or trimmed.

If there is nothing you want preserved, do:

# cat /dev/null > /var/adm/wtmp

If you want to preserve some contents, you must convert the binary file to an ASCII file; edit (delete) what you don't want; and convert the ASCII file back to the binary format:

# /usr/sbin/acct/fwtmp < /var/adm/wtmp > /tmp/wtmp

...edit...

# /usr/sbin/acct/fwtmp -ic < /tmp/wtmp > /var/adm/wtmp

You can do the same for the 'btmp' data.

Regards!

...JRF...
DCE
Honored Contributor

Re: Track User sessions

Joe,

If you want greater detail/tracking ability than that supplied by last, you will need to turn on auditing (assuming your system(s) are in trusted mode).

Dave
Steven E. Protter
Exalted Contributor

Re: Track User sessions

Shalom Joe,

inetd -l

Enhances logging.

tail -f /var/adm/syslog/syslog.log

You will see all relevant activity, including source IP address, as it happens.

The /var/adm/wtmp and /var/adm/btmp databases provide a record of this activity without the other aspects of syslog.

They are binary files and can be accessed via the last and lastb commands respectively.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Raj D.
Honored Contributor
Solution

Re: Track User sessions

Hi joe ,

You can put the script command in the user's .profile, and the entire user activity will be logged.

Check details with # man script

Cheers,
Raj.
" If u think u can , If u think u cannot , - You are always Right . "
joe_91
Super Advisor

Re: Track User sessions

JRF/SEP:

Thanks. What I was looking for was the ability to track users based on the way they have logged into the system. For example, I would want to list all users who have come into the box using telnet, and similarly rlogin. If I have a particular user's session, then I need to know whether that particular user has come into the box using telnet or rlogin, etc. Is there a way to do it?

Thanks

Joe
James R. Ferguson
Acclaimed Contributor

Re: Track User sessions

Hi Joe:

Look at the output of 'last'. It *will* show variously terminal origin (e.g. pts/ta), or 'ftp', 'remshd'.

You can also get the connection point (e.g. hostname or IP address) by adding the '-R' switch:

# last -R

Regards!

...JRF...
Raj D.
Honored Contributor

Re: Track User sessions

Hi joe ,

The answer is the last command (the logs are taken from /var/adm/wtmp).
Check with the last command to find out if a particular user has come to the box using telnet or rlogin or ftp etc.

Check the latest 10 logins of a user:

# last -R username | head -n 10

pts/1, pts/2, etc.: through ssh, rlogin.

pts/ta: through telnet.

remshd: through remote shell server.

ftp: through ftp login.

Cheers,
Raj.

" If u think u can , If u think u cannot , - You are always Right . "
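Added example (not part of any reply in this thread): a filter that groups `last -R` records by login method, using the terminal-name mapping given in the replies above. The sample records and their column layout are constructed for illustration; on a real system, pipe `last -R` into `classify_sessions` after checking that the columns match.

```shell
#!/bin/sh
# Constructed sample in an assumed `last -R` layout:
# user, line, remote host (blank for local), then login/logout times.
sample_last() {
cat <<'EOF'
joe      pts/ta   ws1.example.com   Mon Mar  7 09:12 - 09:40  (00:28)
amy      pts/1    ws2.example.com   Mon Mar  7 09:30   still logged in
joe      ftp      ws1.example.com   Mon Mar  7 10:02 - 10:03  (00:01)
bob      remshd   app1.example.com  Mon Mar  7 10:15 - 10:15  (00:00)
amy      pts/tb   ws2.example.com   Mon Mar  7 11:00 - 11:20  (00:20)
root     console                    Mon Mar  7 08:00   still logged in
reboot   system boot                Mon Mar  7 07:58

wtmp begins Mon Mar  7 07:58
EOF
}

# Reads `last -R` style records on stdin and prints: method user line host
classify_sessions() {
  awk '
    NF < 3 { next }                                # blank or short lines
    $1 == "wtmp" && $2 == "begins" { next }        # trailer line
    $1 == "reboot" && $2 == "system" { next }      # boot records
    {
      line = $2
      # Mapping as stated in the thread, not verified independently
      if      (line == "ftp")        m = "ftp"
      else if (line == "remshd")     m = "remshd"
      else if (line ~ /^pts\/t/)     m = "telnet"
      else if (line ~ /^pts\/[0-9]/) m = "ssh-or-rlogin"
      else                           m = "other"
      # Local logins have no host column, so field 3 is the weekday
      host = ($3 ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/) ? "-" : $3
      print m, $1, line, host
    }'
}

# $1 = method; prints the unique users seen with that method on one line
users_by_method() {
  classify_sessions | awk -v m="$1" '$1 == m { print $2 }' | sort -u | paste -sd ' ' -
}

# Demo on the constructed sample; replace sample_last with: last -R
sample_last | classify_sessions
```
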
Cem Tugrul
Esteemed Contributor

Re: Track User sessions

Joe,
As an addition to the other replies,
try visiting the links below:
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=109749
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=218820

Good Luck,
Our greatest duty in this life is to help others. And please, if you can't
Muthukumar_5
Honored Contributor

Re: Track User sessions

You can use last -R to get r* command logins and terminal logins also.

To specifically track telnet-based logins and rlogin, then,

using an /etc/profile setting:

# Track User Sessions - Joe
USERLOG=/var/adm/telnet_rlogin.log

# Look for a telnet process in the ps listing for this session
ps | grep -q 'telnet'
if [[ ${?} -eq 0 ]]
then
    # Record who logged in, on which terminal, and when
    echo "$(who -m) $(date) telnet session" >> ${USERLOG}
fi

# Same check for rlogin
ps | grep -q 'rlogin'
if [[ ${?} -eq 0 ]]
then
    echo "$(who -m) $(date) rlogin session" >> ${USERLOG}
fi

Save the file and audit with that /var/adm/telnet_rlogin.log file.

It will do it.
Easy to suggest when don't know about the problem!
joe_91
Super Advisor

Re: Track User sessions

Thanks all

Joe