[CentOS] logging in

Tue Jan 30 18:40:08 UTC 2018
Jon Pruente <jpruente at riskanalytics.com>

On Tue, Jan 30, 2018 at 12:26 PM, <m.roth at 5-cent.us> wrote:

> This is.... odd.
> We're seeing a *lot* of
> sshd[8400]: Timeout, client not responding.
> So I'm trying to find out whose client is having issues. Trying to figure
> that, after processes are gone, I tried looking in lastlog, which is where
> it gets odd. lastlog shows root coming in, and it shows a security account
> coming in... years ago.
> I see one of our users logging in a goodly number of times... but lastlog
> doesn't show him. I just logged in as myself, no password, using keys...
> and lastlog doesn't show me, or my manager, or anyone else.
> Does anyone have any idea why lastlog's not recording *all* logins?

You can look at /var/log/audit/audit.log to see more detail than what last
shows. A nice tip is to pipe the output through another tool to convert the
timestamps to human-readable date and time.

tail -f /var/log/audit/audit.log | ausearch -i
tail -f /var/log/audit/audit.log | perl -pe 's/(\d+)/localtime($1)/e'
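
An added example, not part of the original post: the same idea as the one-liners above, taken one step further to rebuild a lastlog-style "last SSH login per account" summary from audit records. The sample lines are constructed, and the record type (USER_START) and field names (acct, exe, addr, res) are assumptions based on that sample; the names parse and last_ssh_logins are hypothetical, so check them against your own audit.log.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the shape of raw audit.log records (not from a real host).
SAMPLE = """\
type=USER_START msg=audit(1517337000.101:410): pid=8311 uid=0 auid=1001 ses=7 msg='op=PAM:session_open acct="alice" exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=ssh res=success'
type=USER_START msg=audit(1517337308.230:416): pid=8350 uid=0 auid=1002 ses=8 msg='op=PAM:session_open acct="bob" exe="/usr/sbin/sshd" hostname=192.0.2.44 addr=192.0.2.44 terminal=ssh res=success'
type=USER_START msg=audit(1517337400.007:420): pid=8377 uid=0 auid=1003 ses=9 msg='op=PAM:session_open acct="carol" exe="/usr/sbin/sshd" hostname=192.0.2.60 addr=192.0.2.60 terminal=ssh res=failed'
type=USER_START msg=audit(1517337500.300:425): pid=8390 uid=1001 auid=1001 ses=7 msg='op=PAM:session_open acct="root" exe="/usr/bin/su" hostname=? addr=? terminal=pts/0 res=success'
type=USER_START msg=audit(1517337608.512:431): pid=8400 uid=0 auid=1001 ses=12 msg='op=PAM:session_open acct="alice" exe="/usr/sbin/sshd" hostname=198.51.100.7 addr=198.51.100.7 terminal=ssh res=success'
sshd[8400]: Timeout, client not responding.
"""

# Anchor on "msg=audit(" so only the record's epoch is converted, never another number.
HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+)\.\d+:(\d+)\):")
# key=value pairs; values are either double-quoted or run up to whitespace or a single quote.
FIELD = re.compile(r"""(\w+)=("[^"]*"|[^\s']+)""")

def parse(line):
    """Return a dict for one audit record, or None for a non-audit line."""
    m = HEADER.match(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
    rec["type"] = m.group(1)
    rec["when"] = datetime.fromtimestamp(int(m.group(2)), timezone.utc)
    return rec

def last_ssh_logins(lines):
    """Map account -> (UTC time, source address) of its latest successful sshd session."""
    latest = {}
    for line in lines:
        rec = parse(line)
        if not rec or rec["type"] != "USER_START":
            continue
        if not rec.get("exe", "").endswith("/sshd") or rec.get("res") != "success":
            continue
        acct = rec.get("acct", "?")
        if acct not in latest or rec["when"] > latest[acct][0]:
            latest[acct] = (rec["when"], rec.get("addr", "?"))
    return {a: (w.strftime("%Y-%m-%d %H:%M:%S"), addr) for a, (w, addr) in latest.items()}

if __name__ == "__main__":
    for acct, (when, addr) in sorted(last_ssh_logins(SAMPLE.splitlines()).items()):
        print(f"{acct:<10} {when} UTC  from {addr}")
```

To run it against a live host, pass the lines of /var/log/audit/audit.log to last_ssh_logins in place of the sample.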