10-15-2018 11:38 PM
Trace user activity
Hi
I have one billing system that comprises a two-server HP-UX Serviceguard cluster running Oracle RAC, and the billing application. But before users log into the billing application, there is a server called F5, running Linux, that I believe does user load balancing (I am not familiar with this), then they go through a web server running Windows.
What I would like to know is how to trace a user/IP that logs into the billing system, because in the logs of the actual database servers (/var/adm/syslog/syslog.log) it's not possible to view who logged in and out, or what IP has connected.
I wonder if it is possible to get this information.
10-16-2018 02:48 PM
Re: Trace user activity
You can see each login/logout with IP address with the last command.
Use it like this:
# last -R -100
You can also see failed logins with the lastb command.
Bill Hassell, sysadmin
10-17-2018 01:24 AM
Re: Trace user activity
I have followed the advice in which I had to run "last -R -100" then I got an error:
last -R -100
Invalid record size. Unable to continue ...
Then I tried to repair it using the following commands:
/usr/sbin/acct/fwtmp < /var/adm/wtmp > /tmp/wtmp
tail /tmp/wtmp
init.css h2 4508 5 0000 0000 1533457331 Aug 5 10:22:11 2018
init.crs h3 4510 5 0000 0000 1533457331 Aug 5 10:22:11 2018
iocdsfd cdsf 4511 5 0000 0000 1533457331 Aug 5 10:22:11 2018
clu_dsf_ cdin 4515 5 0000 0000 1533457331 Aug 5 10:22:11 2018
cimserve cim1 4518 5 0000 0000 1533457331 Aug 5 10:22:11 2018
sh ems3 4523 5 0000 0000 1533457331 Aug 5 10:22:11 2018
sh ems3 4523 8 0000 0000 1533457331 Aug 5 10:22:11 2018
p_client ems4 4533 5 0000 0000 1533457331 Aug 5 10:22:11 2018
icapd icap 4541 5 0000 0000 1533457331 Aug 5 10:22:11 2018
clu_dsf_ cdin 4515 8 0000 0001 1533457397 Aug 5 10:23:17 2018
last -R -100
Invalid record size. Unable to continue ...
/usr/sbin/acct/fwtmp -ic < /tmp/wtmp > /var/adm/wtmp
last -R -100
Invalid record size. Unable to continue ...
Would it be fair to say that I have corrupted data in my wtmp file, so the only option I have is to empty the contents of the file?
10-17-2018 07:49 AM
Re: Trace user activity
Yes, the wtmp file is apparently corrupted, so you'll need to zero out the contents like this:
# cat /dev/null > /var/adm/wtmp
or
# > /var/adm/wtmp
The wtmp (and /var/adm/btmp) files grow without bounds. You'll need to regularly trim these files.
Bill Hassell, sysadmin
10-17-2018 11:51 PM
Re: Trace user activity
That cleared the files wtmps, btmps and wtmp, but so far those files have not been populated since I cleared them yesterday.
Shouldn't I have data in them right now?
10-19-2018 08:11 AM
Re: Trace user activity
Did you zero out the existing files or delete them and recreate them?
If recreated, the ownership and permissions must be restored. For 11.31, they should look like this:
-rw------- 1 root other 288 Oct 5 2015 /var/adm/btmp
-rw------- 1 root other 456400 Mar 6 2018 /var/adm/btmps
-rw-rw-r-- 1 adm adm 1368828 Oct 15 12:22 /var/adm/wtmp
-rw-rw-r-- 1 adm adm 22411848 Oct 19 10:48 /var/adm/wtmps
-rw-r--r-- 1 root root 280 Feb 24 2015 /var/adm/wtmpx
Look in /var/adm/syslog/syslog.log for any messages about logging.
Bill Hassell, sysadmin
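Added example, not part of the posts above and not HPE's own tooling: one way to trim a login-accounting file such as /var/adm/wtmp while keeping the old records for later review, and without changing the owner or mode shown in the listing above. The function name `archive_and_trim` and the archive directory are hypothetical.

```shell
#!/bin/sh
# archive_and_trim FILE ARCHIVE_DIR
#   FILE        accounting file to trim, e.g. /var/adm/wtmp
#   ARCHIVE_DIR where retained copies go (hypothetical location)
# Prints the path of the retained copy on success.
archive_and_trim() {
    src=$1
    dest_dir=$2
    [ -f "$src" ] || { echo "no such file: $src" >&2; return 1; }
    mkdir -p "$dest_dir" || return 1
    # Retained copies hold user names and source hosts: keep them private.
    chmod 700 "$dest_dir" || return 1

    stamp=$(date +%Y%m%d%H%M%S)
    copy="$dest_dir/$(basename "$src").$stamp"

    # cp -p keeps mode and timestamps (and the owner when run as root).
    cp -p "$src" "$copy" || return 1

    # cksum prints "checksum size"; both must match before the
    # original is emptied, otherwise the history would be lost.
    src_sum=$(cksum < "$src")
    copy_sum=$(cksum < "$copy")
    if [ "$src_sum" != "$copy_sum" ]; then
        echo "copy of $src does not match; not truncating" >&2
        rm -f "$copy"
        return 1
    fi

    # Truncate in place instead of rm + touch: the file keeps its inode,
    # owner and mode, so nothing has to be restored afterwards.
    # Records written between the cp and this line are not in the copy.
    : > "$src" || return 1
    echo "$copy"
}

# Usage (as root), with a hypothetical archive directory:
#   archive_and_trim /var/adm/wtmp /var/adm/acct_archive
```

A copy that `last` cannot read can still be kept and examined offline, which matters when the records are needed for an investigation.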
10-20-2018 07:38 PM
Re: Trace user activity
> Would be fair to say that I have a corrupted data on my wtmp file, so the only option I have is to empty the contents of the file?
How valuable is the data in wtmp? If you look at some other posts on wtmp, you might be able to fix it.
https://community.hpe.com/t5/tag/wtmps/tg-p
https://community.hpe.com/t5/tag/fwtmp/tg-p
10-21-2018 10:51 PM
Re: Trace user activity
Hi!
What I did was:
cat /dev/null > /var/adm/wtmps
cat /dev/null > /var/adm/wtmp
cat /dev/null > /var/adm/btmps
But the only file not populated is:
/var/adm/wtmp
dbnode0[467]/var/adm #ls -lrt | tail
drwx------ 2 root root 96 Aug 5 10:22 cluster_dsf
-rw-rw-r-- 1 root sys 18660 Aug 5 10:26 ps_data
drwxr-xr-x 12 bin bin 8192 Aug 5 10:27 cmcluster
-rw-r--r-- 1 root root 297016 Aug 8 18:37 nettl.LOG000
-rw-rw-r-- 1 adm adm 0 Oct 17 17:09 wtmp
drwxr-xr-x 3 root root 8192 Oct 18 11:13 crash
-rw------- 1 root other 652 Oct 19 16:21 btmps
-rw-rw-r-- 1 adm adm 3912 Oct 19 16:49 wtmps
-rw------- 1 root root 22014 Oct 21 17:01 sulog
dr-xr-xr-x 2 bin bin 8192 Oct 22 07:48 util
dbnode0[468]/var/adm #
10-21-2018 10:57 PM
Re: Trace user activity
Hi
Thanks for the reply. What I am trying to establish is what IP addresses (OS user PCs) have connected to the system in the month of July 2018, by having a look at the wtmps file.
10-22-2018 11:18 AM
Re: Trace user activity
> I am trying to establish is what IP addresses (os user PCs) have connected to the system in the month of July 2018, by having a look on the wtmps file
Do you have a backup of the corrupted file?