Overview
The purpose of this guide is to help us identify, view or audit which users logged in to and out of the server, and which of them performed reboot(s) / shutdown(s).
We can extract from the records when a specific user logged in, and also extract login or logout information for an exact date and time.
Applies To
· Tested on CentOS 7 and RHEL 7
Log Files Insight
Filename | Purpose
/var/log/wtmp | Records historical data of utmp (the file read by the last command).
/var/log/btmp | Records only failed login attempts on the server.
/var/run/utmp | Records currently logged in user(s).
List Entries – Login and Logout Info
To view the login and logout information of all users (extracted from “/var/log/wtmp”), run the command;
last
List Entries – Full Login and Logout Info
To view full login and logout times along with dates, run the command below; this lists only the first 5 entries;
last -F -n 5
List Entries – Shutdown Info
To view shutdown entries and run level changes, run the command below; grep also prints the one line above each “runlevel” match, which gives us info about the logged in user;
last -x | grep -B 1 runlevel
Note: grep -B 1 – Will print one line above the matching string.
List Entries – User
To view a particular user’s entries, run the command;
last root | head -n 5
List Entries – Suppress Hostname
To view a particular user’s entries with the hostname field suppressed, run the command;
last -R root | head -n 5
List Entries – Who Logged at Specific Time
To view which users were logged in to the server at a specific date and time, run the command below; the date and time should be specified in the format “YYYYMMDDHHMMSS”.
last -t 20160720090505
List Entries – User Logged at Specific Time
To view whether a particular user was logged in to the server at a specific date and time, run the command below; the date and time should be specified in the format “YYYYMMDDHHMMSS”, followed by the username.
last -t 20160720090505 root
List Entries – System Shutdown
To list the most recent entry of when the server was shut down with additional information (full), run the command; to extract only the time when the server was shut down, run the alternate command.
last -x | grep shutdown | head -n 1
last -x | grep shutdown | head -n 1 | awk '{ print $5, $6, $7, $8 }'
List Entries – System Reboots
To list the entries of when the server was rebooted, run the command;
last reboot
List Entries – System Reboots Full Info
To list the most recent entry of when the server was rebooted with additional information (full), run the command; to extract only the time when the server was rebooted, run the alternate command.
last reboot -F | head -n 1
last reboot -F | head -n 1 | awk '{ print $5, $6, $7, $8, $9 }'
List Entries – Bad Logins Attempts
To list all the bad login attempts on the server, run the command (lastb reads the failed attempts recorded in “/var/log/btmp”; last itself has no -b option);
lastb
List Entries – User Still Logged-In
To list the users who are still logged in to the server, run the command;
last -f /var/run/utmp
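As an added example (not part of the original guide), the script below applies the awk field extraction used above to the output of last -F -x and turns it into a small audit summary: reboot and shutdown counts, sessions still open, and sessions that ended abnormally. SAMPLE_WTMP is constructed sample output; the function names are my own.

```shell
# Added example (not from the original guide): summarise "last -F -x" output.
# SAMPLE_WTMP is constructed sample output, not real data; on a live server
# feed the real thing instead:  last -F -x | audit_report
SAMPLE_WTMP='root     pts/0        192.168.1.10     Wed Jul 20 09:05:05 2016 - Wed Jul 20 10:12:33 2016  (01:07)
root     pts/1        192.168.1.11     Wed Jul 20 11:00:00 2016   still logged in
alice    pts/2        10.0.0.5         Wed Jul 20 14:00:00 2016 - crash                      (09:40)
reboot   system boot  3.10.0-327.el7.x Wed Jul 20 08:58:10 2016 - Wed Jul 20 23:40:00 2016  (14:41)
runlevel (to lvl 3)   3.10.0-327.el7.x Wed Jul 20 08:58:20 2016 - Wed Jul 20 23:40:00 2016  (14:41)
shutdown system down  3.10.0-327.el7.x Tue Jul 19 23:30:00 2016 - Wed Jul 20 08:58:10 2016  (09:28)

wtmp begins Tue Jul 19 00:00:00 2016'

# count_records KIND: records whose first field is KIND (a user name or one
# of the pseudo-users reboot / shutdown / runlevel). Reads stdin.
count_records() {
    awk -v k="$1" '$1 == k { n++ } END { print n + 0 }'
}

# last_login NAME: login timestamp of the most recent record for NAME.
# User lines carry the timestamp in fields 4-8; reboot/shutdown lines in
# fields 5-9, because "system boot" / "system down" take two fields.
last_login() {
    awk -v u="$1" '$1 == u && !done {
        off = ($1 == "reboot" || $1 == "shutdown") ? 5 : 4
        print $off, $(off+1), $(off+2), $(off+3), $(off+4); done = 1 }'
}

# open_sessions: "user tty host" for sessions that have no logout record.
open_sessions() {
    awk '/still logged in/ { print $1, $2, $3 }'
}

# abnormal_ends: sessions ended by a crash or a missing logout record; their
# logout time is unknown, so they deserve a second look during an audit.
abnormal_ends() {
    awk '/- crash/ || /gone - no logout/ { print $1, $2, $3 }'
}

# audit_report: one-screen summary of whatever "last -F -x" output is on stdin.
audit_report() {
    data=$(cat)
    for k in reboot shutdown; do
        printf '%-10s %s\n' "$k:" "$(printf '%s\n' "$data" | count_records "$k")"
    done
    printf 'open:      %s\n' "$(printf '%s\n' "$data" | open_sessions | tr '\n' ';')"
    printf 'abnormal:  %s\n' "$(printf '%s\n' "$data" | abnormal_ends | tr '\n' ';')"
}

printf '%s\n' "$SAMPLE_WTMP" | audit_report
```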