HPE Community
Operating System - HP-UX
1753681 Members
5914 Online
108799 Solutions
New Discussion юеВ

Re: Trace user activity

 
NDO
Super Advisor

тАО10-15-2018 11:38 PM

тАО10-15-2018 11:38 PM

Trace user activity

Hi

I have one billing system that comprises a two server  hp-ux serviceguard cluster running oracle rac, and the billing application. But before users log into the billing application, there is a server called F5, running linux, that I beleived does user load balancing (I am not familiar with this), them they go through a web server running windows .

What I would like to know, is how to trace a user/IP that logs into the billing system, because in logs of the actual database servers (/var/adm/syslog/syslog.log) its not possible to view who logged in and out, what IP has connected.

I wonder if  it is possible to get this information.

0 Kudos
Reply
11 REPLIES 11
Bill Hassell
Honored Contributor

тАО10-16-2018 02:48 PM

тАО10-16-2018 02:48 PM

Re: Trace user activity

You can see each login/logout with IP address with the last command. 
Use it like this:

# last -R -100

You can also see failed logins with the lastb command.



Bill Hassell, sysadmin
0 Kudos
Reply
NDO
Super Advisor

тАО10-17-2018 01:24 AM

тАО10-17-2018 01:24 AM

Re: Trace user activity

I have followed the advice in which I had to run "last -R -100" then I got an error:

last -R -100
Invalid record size. Unable to continue ...

then I try to repair it using the following comands:

/usr/sbin/acct/fwtmp < /var/adm/wtmp > /tmp/wtmp

tail /tmp/wtmp
init.css h2 4508 5 0000 0000 1533457331 Aug 5 10:22:11 2018
init.crs h3 4510 5 0000 0000 1533457331 Aug 5 10:22:11 2018
iocdsfd cdsf 4511 5 0000 0000 1533457331 Aug 5 10:22:11 2018
clu_dsf_ cdin 4515 5 0000 0000 1533457331 Aug 5 10:22:11 2018
cimserve cim1 4518 5 0000 0000 1533457331 Aug 5 10:22:11 2018
sh ems3 4523 5 0000 0000 1533457331 Aug 5 10:22:11 2018
sh ems3 4523 8 0000 0000 1533457331 Aug 5 10:22:11 2018
p_client ems4 4533 5 0000 0000 1533457331 Aug 5 10:22:11 2018
icapd icap 4541 5 0000 0000 1533457331 Aug 5 10:22:11 2018
clu_dsf_ cdin 4515 8 0000 0001 1533457397 Aug 5 10:23:17 2018

last -R -100
Invalid record size. Unable to continue ...

/usr/sbin/acct/fwtmp -ic < /tmp/wtmp > /var/adm/wtmp

last -R -100
Invalid record size. Unable to continue ...

 

Would be fair to say that I have a corrupted data on my wtmp file, so the only option I have is to empty the contents of the file?

 

0 Kudos
Reply
Bill Hassell
Honored Contributor

тАО10-17-2018 07:49 AM

тАО10-17-2018 07:49 AM

Re: Trace user activity

Yes, the wtmp file is apparently corrupted, so you'll need to zero out the contents like this:

# cat /dev/null > /var/adm/wtmp

or

# > /var/adm/wtmp

The wtmp (and /var/adm/btmp) files grow without bounds. You'll need regularly trim these files.



Bill Hassell, sysadmin
Reply
NDO
Super Advisor

тАО10-17-2018 11:51 PM

тАО10-17-2018 11:51 PM

Re: Trace user activity

that cleared files wtmps, btmps and wtmp, but so far those files have not been populated since I cleared them yesterday.

Shouldn┬┤t I have data on them right now?

0 Kudos
Reply
Bill Hassell
Honored Contributor

тАО10-19-2018 08:11 AM

тАО10-19-2018 08:11 AM

Re: Trace user activity

Did you zero out the existing files or delete them and recreate them?

If recreated, the ownership and permissions must be restored. For 11.31, they should look like this:

-rw------- 1 root other 288 Oct 5 2015 /var/adm/btmp
-rw------- 1 root other 456400 Mar 6 2018 /var/adm/btmps
-rw-rw-r-- 1 adm adm 1368828 Oct 15 12:22 /var/adm/wtmp
-rw-rw-r-- 1 adm adm 22411848 Oct 19 10:48 /var/adm/wtmps
-rw-r--r-- 1 root root 280 Feb 24 2015 /var/adm/wtmpx

Look in ./var/adm/syslog/syslog.log for any messages about logging.



Bill Hassell, sysadmin
0 Kudos
Reply
Dennis Handly
Acclaimed Contributor

тАО10-20-2018 07:38 PM

тАО10-20-2018 07:38 PM

Re: Trace user activity

> Would be fair to say that I have a corrupted data on my wtmp file, so the only option I have is to empty the contents of the file?

 

How valuable is the data in wtmp?  If you look at some other posts on wtmp, you might be able to fix it.

https://community.hpe.com/t5/tag/wtmps/tg-p

https://community.hpe.com/t5/tag/fwtmp/tg-p

 

0 Kudos
Reply
NDO
Super Advisor

тАО10-21-2018 10:51 PM

тАО10-21-2018 10:51 PM

Re: Trace user activity

Hi!

 

what I did was :

cat /dev/null > /var/adm/wtmps
cat /dev/null > /var/adm/wtmp
cat /dev/null > /var/adm/btmps

But the only file not populated is:

/var/adm/wtmp

dbnode0[467]/var/adm #ls -lrt | tail
drwx------   2 root       root            96 Aug  5 10:22 cluster_dsf
-rw-rw-r--   1 root       sys          18660 Aug  5 10:26 ps_data
drwxr-xr-x  12 bin        bin           8192 Aug  5 10:27 cmcluster
-rw-r--r--   1 root       root        297016 Aug  8 18:37 nettl.LOG000
-rw-rw-r--   1 adm        adm              0 Oct 17 17:09 wtmp
drwxr-xr-x   3 root       root          8192 Oct 18 11:13 crash
-rw-------   1 root       other          652 Oct 19 16:21 btmps
-rw-rw-r--   1 adm        adm           3912 Oct 19 16:49 wtmps
-rw-------   1 root       root         22014 Oct 21 17:01 sulog
dr-xr-xr-x   2 bin        bin           8192 Oct 22 07:48 util
dbnode0[468]/var/adm #
0 Kudos
Reply
NDO
Super Advisor

тАО10-21-2018 10:57 PM

тАО10-21-2018 10:57 PM

Re: Trace user activity

Hi

Thanks for the reply, what I am trying to establish is what IP addresses (os user pc┬┤s) have connected to the system in the month of July 2018, by having a look on the wtmps file

0 Kudos
Reply
Dennis Handly
Acclaimed Contributor

тАО10-22-2018 11:18 AM

тАО10-22-2018 11:18 AM

Re: Trace user activity

> I am trying to establish is what IP addresses (os user PCs) have connected to the system in the month of July 2018, by having a look on the wtmps file

 

Do you have a backup of the corrupted file?

0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.