On Tue, Jan 30, 2018 at 12:26 PM, <m.roth at 5-cent.us> wrote: > This is.... odd. > > We're seeing a *lot* of > sshd[8400]: Timeout, client not responding. > So I'm trying to find out whose client is having issues. Trying to figure > that, after processes are gone, I tried looking in lastlog, which is where > it gets odd. lastlog shows root coming in, and it shows a security account > coming in... years ago. > > I see one of our users logging in a goodly number of times... but lastlog > doesn't show him. I just logged in as myself, no password, using keys... > and lastlog doesn't show me, or my manager, or anyone else. > > Does anyone have any idea why lastlog's not recording *all* logins? > You can look at /var/log/audit/audit.log to see more detail than what last shows. A nice tip is to pipe the output through another tool to convert the timestamps to human readable date and time. tail -f /var/log/audit/audit.log | ausearch -i or tail -f /var/log/audit/audit.log | perl -pe 's/(\d+)/localtime($1)/e' via https://serverfault.com/questions/327846/convert-selinux-log-date-format-from-epoch-to-normal