[CentOS] logging in

Tue Jan 30 19:01:00 UTC 2018
Stephen John Smoogen <smooge at gmail.com>

On 30 January 2018 at 13:40, Jon Pruente <jpruente at riskanalytics.com> wrote:

> On Tue, Jan 30, 2018 at 12:26 PM, <m.roth at 5-cent.us> wrote:
>
> > This is.... odd.
> >
> > We're seeing a *lot* of
> > sshd[8400]: Timeout, client not responding.
> > So I'm trying to find out whose client is having issues. Trying to figure
> > that, after processes are gone, I tried looking in lastlog, which is
> where
> > it gets odd. lastlog shows root coming in, and it shows a security
> account
> > coming in... years ago.
> >
> > I see one of our users logging in a goodly number of times... but lastlog
> > doesn't show him. I just logged in as myself, no password, using keys...
> > and lastlog doesn't show me, or my manager, or anyone else.
> >
> > Does anyone have any idea why lastlog's not recording *all* logins?
> >
>
> You can look at /var/log/audit/audit.log to see more detail than what last
> shows. A nice tip is to pipe the output through another tool to convert the
> timestamps to human readable date and time.
>
> tail -f /var/log/audit/audit.log | ausearch -i
> or
> tail -f /var/log/audit/audit.log | perl -pe 's/(\d+)/localtime($1)/e'
>
>
Also check that /var/log/wtmp is set up correctly

[smooge at smoogen-laptop ~]$ ls -lZ /var/log/wtmp
-rw-rw-r--. root utmp system_u:object_r:wtmp_t:s0      /var/log/wtmp
[smooge at smoogen-laptop ~]$ ls -l /var/log/wtmp
-rw-rw-r--. 1 root utmp 116352 2018-01-30 13:55 /var/log/wtmp

Sometimes wtmp gets rotated at the beginning of the year so there is
usually another file like
/var/log/wtmp-20180117 or something.


> via
> https://serverfault.com/questions/327846/convert-
> selinux-log-date-format-from-epoch-to-normal
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
>



-- 
Stephen J Smoogen.