Trace user activity

Super Advisor

Trace user activity

Hi

I have one billing system that comprises a two-server HP-UX Serviceguard cluster running Oracle RAC, and the billing application. But before users log into the billing application, there is a server called F5, running Linux, that I believed does user load balancing (I am not familiar with this); then they go through a web server running Windows.

What I would like to know, is how to trace a user/IP that logs into the billing system, because in logs of the actual database servers (/var/adm/syslog/syslog.log) its not possible to view who logged in and out, what IP has connected.

I wonder if it is possible to get this information.

11 REPLIES
Honored Contributor

Re: Trace user activity

You can see each login/logout with IP address with the last command. 
Use it like this:

# last -R -100 

You can also see failed logins with the lastb command.



Bill Hassell, sysadmin
Super Advisor

Re: Trace user activity

I have followed the advice in which I had to run "last -R -100" then I got an error:

last -R -100
Invalid record size. Unable to continue ...

then I tried to repair it using the following commands:

/usr/sbin/acct/fwtmp < /var/adm/wtmp > /tmp/wtmp

tail /tmp/wtmp
init.css h2 4508 5 0000 0000 1533457331 Aug 5 10:22:11 2018
init.crs h3 4510 5 0000 0000 1533457331 Aug 5 10:22:11 2018
iocdsfd cdsf 4511 5 0000 0000 1533457331 Aug 5 10:22:11 2018
clu_dsf_ cdin 4515 5 0000 0000 1533457331 Aug 5 10:22:11 2018
cimserve cim1 4518 5 0000 0000 1533457331 Aug 5 10:22:11 2018
sh ems3 4523 5 0000 0000 1533457331 Aug 5 10:22:11 2018
sh ems3 4523 8 0000 0000 1533457331 Aug 5 10:22:11 2018
p_client ems4 4533 5 0000 0000 1533457331 Aug 5 10:22:11 2018
icapd icap 4541 5 0000 0000 1533457331 Aug 5 10:22:11 2018
clu_dsf_ cdin 4515 8 0000 0001 1533457397 Aug 5 10:23:17 2018

last -R -100
Invalid record size. Unable to continue ...

/usr/sbin/acct/fwtmp -ic < /tmp/wtmp > /var/adm/wtmp

last -R -100
Invalid record size. Unable to continue ...

Would it be fair to say that I have corrupted data in my wtmp file, so the only option I have is to empty the contents of the file?

Honored Contributor

Re: Trace user activity

Yes, the wtmp file is apparently corrupted, so you'll need to zero out the contents like this:

# cat /dev/null > /var/adm/wtmp

or

# > /var/adm/wtmp

The wtmp (and /var/adm/btmp) files grow without bounds. You'll need to regularly trim these files.



Bill Hassell, sysadmin
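The trimming step above is the one where login history is lost for good, which is exactly what the later replies in this thread run into. The script below is an added example, not code from the thread or from HPE: it keeps a copy of the accounting file before emptying it, and it empties the file in place (truncating the existing inode) so that owner, group and mode survive and the system keeps appending to it afterwards. It assumes a POSIX sh with cp, wc and date; the record size passed to record_aligned is a caller-supplied assumption, since the size of the HP-UX wtmp record is not given in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): back up, check, and trim a login
# accounting file such as /var/adm/wtmp without losing its history or
# its ownership/permissions.

# record_aligned FILE RECSIZE
# Returns 0 if FILE's length is a whole number of RECSIZE-byte records,
# 1 otherwise. "Invalid record size" from last(1) is the symptom of a
# file whose length is not a multiple of the record size, typically
# after a crash or a partial write. RECSIZE is an assumption supplied
# by the caller; it is not derived here.
record_aligned() {
    file="$1"
    recsize="$2"
    size=$(wc -c < "$file" | tr -d ' ')
    [ $((size % recsize)) -eq 0 ]
}

# trim_acct_file FILE BACKUP_DIR
# Copies FILE (with cp -p, preserving mode and timestamps) into
# BACKUP_DIR under a timestamped name, then empties FILE in place.
# Returns 0 on success, 1 if FILE is missing or the copy fails.
trim_acct_file() {
    file="$1"
    bdir="$2"
    [ -f "$file" ] || return 1
    mkdir -p "$bdir" || return 1
    stamp=$(date +%Y%m%d%H%M%S)
    cp -p "$file" "$bdir/$(basename "$file").$stamp" || return 1
    # Truncate in place: the inode, owner, group and mode are kept,
    # which is what lets login/init keep writing to the file afterwards.
    # Deleting and recreating the file would lose those attributes.
    : > "$file"
    return 0
}

# Example session (paths are illustrative):
#   record_aligned /var/adm/wtmp "$RECSIZE" || echo "wtmp length is not record-aligned"
#   trim_acct_file /var/adm/wtmp /var/adm/wtmp.bak
```

Keeping the copy matters because a file that last(1) rejects can often still be read with fwtmp, which lets you recover the records written before the corruption instead of losing the whole month.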
Super Advisor

Re: Trace user activity

That cleared the files wtmps, btmps and wtmp, but so far those files have not been populated since I cleared them yesterday.

Shouldn't I have data in them right now?

Honored Contributor

Re: Trace user activity

Did you zero out the existing files or delete them and recreate them?

If recreated, the ownership and permissions must be restored. For 11.31, they should look like this:

-rw------- 1 root other 288 Oct 5 2015 /var/adm/btmp
-rw------- 1 root other 456400 Mar 6 2018 /var/adm/btmps
-rw-rw-r-- 1 adm adm 1368828 Oct 15 12:22 /var/adm/wtmp
-rw-rw-r-- 1 adm adm 22411848 Oct 19 10:48 /var/adm/wtmps
-rw-r--r-- 1 root root 280 Feb 24 2015 /var/adm/wtmpx

Look in /var/adm/syslog/syslog.log for any messages about logging.



Bill Hassell, sysadmin
Acclaimed Contributor

Re: Trace user activity

> Would it be fair to say that I have corrupted data in my wtmp file, so the only option I have is to empty the contents of the file?

How valuable is the data in wtmp?  If you look at some other posts on wtmp, you might be able to fix it.

https://community.hpe.com/t5/tag/wtmps/tg-p

https://community.hpe.com/t5/tag/fwtmp/tg-p

Super Advisor

Re: Trace user activity

Hi!

What I did was:

cat /dev/null > /var/adm/wtmps
cat /dev/null > /var/adm/wtmp
cat /dev/null > /var/adm/btmps

But the only file not populated is:

/var/adm/wtmp

dbnode0[467]/var/adm #ls -lrt | tail
drwx------   2 root       root            96 Aug  5 10:22 cluster_dsf
-rw-rw-r--   1 root       sys          18660 Aug  5 10:26 ps_data
drwxr-xr-x  12 bin        bin           8192 Aug  5 10:27 cmcluster
-rw-r--r--   1 root       root        297016 Aug  8 18:37 nettl.LOG000
-rw-rw-r--   1 adm        adm              0 Oct 17 17:09 wtmp
drwxr-xr-x   3 root       root          8192 Oct 18 11:13 crash
-rw-------   1 root       other          652 Oct 19 16:21 btmps
-rw-rw-r--   1 adm        adm           3912 Oct 19 16:49 wtmps
-rw-------   1 root       root         22014 Oct 21 17:01 sulog
dr-xr-xr-x   2 bin        bin           8192 Oct 22 07:48 util
dbnode0[468]/var/adm #
Super Advisor

Re: Trace user activity

Hi

Thanks for the reply. What I am trying to establish is what IP addresses (OS user PCs) have connected to the system in the month of July 2018, by having a look at the wtmps file.

Acclaimed Contributor

Re: Trace user activity

> I am trying to establish what IP addresses (OS user PCs) have connected to the system in the month of July 2018, by having a look at the wtmps file

Do you have a backup of the corrupted file?