Monitor CentOS User Logon history using utmpdump

Source: Internet
Author: User


Retaining, maintaining and analyzing logs (for example, the account events that occurred within a given period) is one of the most basic and important tasks of a Linux system administrator. For user management in particular, reviewing login and logout records, failed as well as successful, lets us spot potential security problems or unauthorized use of the system. A remote login from an unknown IP address, or a login outside working hours or while the account owner is off duty, should raise a red flag.

On CentOS, user login history is kept in the following files:

  • /var/run/utmp (on CentOS 7, /var/run is a symlink to /run) records the sessions currently open; it is read by the who and w tools to show who is logged on and what they are doing, and by uptime for the system boot time.
  • /var/log/wtmp stores the history of logins, logouts, reboots and run level changes; it is read by last to list the most recent logins.
  • /var/log/btmp records failed login attempts; it is read by lastb to list them.

In this article I will introduce utmpdump, a small utility that ships in the sysvinit-tools package on CentOS 6 and in util-linux on CentOS 7, so it is available by default on both. It dumps these binary files as text so that they can be inspected, and it shows more detail than the tools named above, which makes it a good choice for the job. utmpdump can also convert the text back into the binary format (utmpdump -r), which is useful for fixing corrupted entries in the logs.

Utmpdump usage and output instructions

As mentioned, unlike most of the logs we are familiar with (such as /var/log/messages, /var/log/cron and /var/log/maillog), these files are stored in binary format, so their contents cannot be viewed with less or more. That is where utmpdump comes in.

To display the contents of /var/run/utmp, run:

  # utmpdump /var/run/utmp

Likewise for /var/log/wtmp (here showing only the last 15 records):

  # utmpdump /var/log/wtmp | tail -15

And finally for /var/log/btmp:

  # utmpdump /var/log/btmp

The output format is the same in all three cases, and in each file the records appear in the order they were written, that is, chronologically. (The original text claimed that wtmp was ordered differently; as the translator's note points out, it is in chronological order too.)

Each line of output is split into eight bracketed fields:

  • Field 1 is the record type as defined for utmp: 1 for a run level change, 2 for boot time, 6 for a login process (a login prompt being shown), 7 for a user process (a completed login) and 8 for a dead process (a logout).
  • Field 2 is the PID of the process that wrote the record.
  • Field 3 is the terminal id: ~~ for a run level change or system reboot, bw for a bootwait process, a number for a TTY, or letters and digits for a pseudo-terminal.
  • Field 4 is blank, a user name, or the words reboot or runlevel.
  • Field 5 is the main TTY or PTY (pseudo-terminal), where available.
  • Field 6 is the remote host name; it is blank for a local login, except that run level records carry the kernel version here.
  • Field 7 is the IP address of the remote system (0.0.0.0 for a local login). When no DNS resolution is available, fields 6 and 7 both show the remote IP address.
  • Field 8 is the date and time at which the record was created.

Utmpdump example

The following are some simple uses of utmpdump.

1. Check the logins of a specific user (say gacanepa) within a given period:

  # utmpdump /var/log/wtmp | grep gacanepa

If you need to review older logins, check the wtmp-YYYYMMDD (or wtmp.[1...n]) and btmp-YYYYMMDD (or btmp.[1...n]) files. These are the archived copies of old wtmp and btmp files that logrotate produces.

2. Show the logins from the IP address 192.168.0.101:

  # utmpdump /var/log/wtmp | grep 192.168.0.101

3. Show failed login attempts:

  # utmpdump /var/log/btmp

In the /var/log/btmp output, every line is a failed login attempt (a wrong password, or a user name that does not exist). Lines whose user field holds a nonexistent account name are a warning that someone is guessing common account names in order to break in. This is far more serious when the terminal field is tty1, because it means the person has physical access to the console of your machine (check who has the keys to your data center, perhaps?).

4. Show the login and logout records of each user session:

  # utmpdump /var/log/wtmp

In /var/log/wtmp, a new login is a record whose first field is 7, whose third field is a terminal number (or pseudo-terminal id) and whose fourth field is the user name. The matching logout is a record whose first field is 8 and whose second field carries the same PID as the login, with the terminal field left blank. For example, the records for PID 1463 read as follows:

  • A login prompt is shown on tty1 at [Fri Sep 19 11:57:40 2014 ART].
  • The root user logs in at [Fri Sep 19 12:04:21 2014 ART].
  • The root user logs out at [Fri Sep 19 12:07:24 2014 ART].

Note: LOGIN in the fourth field means that a login prompt is being displayed on the terminal named in the fifth field.

So far the examples have been trivial. Combining utmpdump with other text processing tools such as awk, sed, grep or cut produces filtered and enriched output.

For example, you may want to produce a CSV file, which can be opened with a text editor or with a spreadsheet application such as LibreOffice Calc or Microsoft Excel, showing only the PID, user name, IP address and timestamp of gacanepa's logins:

  # utmpdump /var/log/wtmp | grep -E "\[7\].*gacanepa" | awk -v OFS="," 'BEGIN {FS="]"}; {print $2,$4,$7,$8}' | sed -e 's/\[//g' -e 's/\]//g'

The pipeline has three stages. The grep keeps only login records ([7] in the first field) belonging to gacanepa; the awk splits each line on the closing bracket, picks the PID, user, IP address and timestamp fields and joins them with commas; the sed strips the square brackets that utmpdump prints around each field.

To keep the result for later, redirect the output to a file by appending > filename.csv to the command.

In a more complex example, to find out which users listed in /etc/passwd have not logged in during a given period, extract the user names from /etc/passwd and grep for each of them in the /var/log/wtmp output. The possibilities are endless.
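As an added example that is not part of the original article, the following Python script does with a parser what the pipelines above do with grep, awk and sed. It runs over constructed utmpdump output lines in the CentOS 6/7 text format (bracketed fields, ctime-style timestamps), splits each line into the eight fields described earlier, counts logins per user, pairs [7] and [8] records by PID into sessions, flags remote logins from addresses outside an allow-list or outside working hours (the red flag the introduction asks for), and produces the PID/user/address/timestamp CSV. The sample lines, the allow-list and the working-hours window are assumptions made for the example; newer util-linux releases print timestamps in a different format, so the date parsing would need adjusting there.

```python
import csv
import io
import re
from collections import Counter
from datetime import datetime

# Constructed sample of utmpdump(1) output in the CentOS 6/7 text format
# (bracketed fields, ctime-style timestamp); not records from any real host.
# The three records for PID 1463 follow the walk-through in the article.
SAMPLE = """\
[6] [01463] [tty1] [LOGIN   ] [tty1        ] [                    ] [0.0.0.0        ] [Fri Sep 19 11:57:40 2014 ART]
[7] [01463] [tty1] [root    ] [tty1        ] [                    ] [0.0.0.0        ] [Fri Sep 19 12:04:21 2014 ART]
[8] [01463] [    ] [        ] [            ] [                    ] [0.0.0.0        ] [Fri Sep 19 12:07:24 2014 ART]
[7] [01509] [ts/0] [gacanepa] [pts/0       ] [192.168.0.101       ] [192.168.0.101  ] [Fri Sep 19 12:10:05 2014 ART]
[8] [01509] [    ] [        ] [            ] [                    ] [0.0.0.0        ] [Fri Sep 19 12:30:11 2014 ART]
[7] [02201] [ts/1] [gacanepa] [pts/1       ] [203.0.113.7         ] [203.0.113.7    ] [Fri Sep 19 23:45:02 2014 ART]
"""

USER_PROCESS, DEAD_PROCESS = 7, 8       # ut_type values shown in utmpdump's first field
FIELD_RE = re.compile(r"\[([^\]]*)\]")  # one bracketed field; widths vary, so no fixed columns


def parse_line(line):
    """Split one utmpdump line into its eight fields; return None for non-record lines."""
    fields = [f.strip() for f in FIELD_RE.findall(line)]
    if len(fields) != 8:
        return None
    rtype, pid, ident, user, tty, host, addr, stamp = fields
    # Drop the trailing zone abbreviation ("ART") that strptime cannot interpret.
    when = datetime.strptime(" ".join(stamp.split()[:5]), "%a %b %d %H:%M:%S %Y")
    return {"type": int(rtype), "pid": int(pid), "id": ident, "user": user,
            "tty": tty, "host": host, "addr": addr, "time": when}


def parse(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def logins_by_user(records):
    """Equivalent of grepping the [7] records for each user and counting them."""
    return Counter(r["user"] for r in records if r["type"] == USER_PROCESS)


def sessions(records):
    """Pair each [7] login with the next [8] record carrying the same PID."""
    open_by_pid, out = {}, []
    for r in records:
        if r["type"] == USER_PROCESS:
            open_by_pid[r["pid"]] = r
        elif r["type"] == DEAD_PROCESS and r["pid"] in open_by_pid:
            start = open_by_pid.pop(r["pid"])
            out.append((start["user"], start["tty"], start["addr"], start["time"], r["time"]))
    # Logins still open at the end have no logout record: still active, or never closed.
    for start in open_by_pid.values():
        out.append((start["user"], start["tty"], start["addr"], start["time"], None))
    return out


def suspicious_logins(records, allowed_addrs, work_hours=(8, 19)):
    """Flag remote logins from addresses outside the allow-list or outside working hours.

    allowed_addrs and work_hours are policy inputs assumed for this example."""
    flagged = []
    for r in records:
        if r["type"] != USER_PROCESS or r["addr"] in ("", "0.0.0.0"):
            continue                                   # console logins are not remote
        reasons = []
        if r["addr"] not in allowed_addrs:
            reasons.append("unknown address")
        if not work_hours[0] <= r["time"].hour < work_hours[1]:
            reasons.append("outside working hours")
        if reasons:
            flagged.append((r["user"], r["addr"], r["time"], reasons))
    return flagged


def to_csv(records, user=None):
    """PID, user, address and timestamp of [7] records as CSV, optionally for one user."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["pid", "user", "addr", "time"])
    for r in records:
        if r["type"] == USER_PROCESS and (user is None or r["user"] == user):
            writer.writerow([r["pid"], r["user"], r["addr"], r["time"].isoformat()])
    return buf.getvalue()


if __name__ == "__main__":
    recs = parse(SAMPLE)
    print(logins_by_user(recs))
    for s in sessions(recs):
        print(s)
    for f in suspicious_logins(recs, {"192.168.0.101"}):
        print(f)
    print(to_csv(recs, "gacanepa"))
```

To run it against a real host, pipe `utmpdump /var/log/wtmp` into the script instead of using SAMPLE; the same functions work on the rotated wtmp-YYYYMMDD files once they have been dumped. Sessions left open at the end of the list are worth a second look: they are either still active or their logout record is missing.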

Before summing up, let me briefly show another use of utmpdump: modifying utmp or wtmp. Because these are binary files, you cannot edit them directly in an editor. Instead, dump the contents to text, edit the text, and then convert the edited text back into the binary format with utmpdump -r:

  # utmpdump /var/log/wtmp > tmp_output
  <edit tmp_output with a text editor>
  # utmpdump -r tmp_output > /var/log/wtmp

This is useful when you want to remove or fix corrupted entries in the binary logs. Keep a copy of the original file before overwriting it. Bear in mind that the same round trip is exactly how an intruder with root access removes the records of their own logins, so unexplained gaps, zeroed records or out-of-order timestamps in wtmp are themselves a sign of tampering, and the authentication logs (/var/log/secure) should be forwarded off the host so that wtmp is never the only record.
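The editing round trip above shows that wtmp is nothing more than a file of fixed-size records that anyone with root can rewrite, so the check a practitioner wants is whether an existing wtmp still looks internally consistent. As an added example, not taken from the original article or from util-linux, the following Python script packs records in the x86_64 glibc struct utmp layout (the binary form that utmpdump -r writes), reads them back, and runs three cheap consistency checks over a constructed file and over a tampered copy in which one login record has been zeroed, the way simple log wipers do. The record layout is assumed from <utmp.h> on x86_64 (384 bytes per record; other architectures differ), and the sample records and timestamps are constructed.

```python
import struct

# glibc's struct utmp on x86_64 as declared in <utmp.h>: 384 bytes per record.
# Assumed layout (other architectures differ); verify against the file size first.
UTMP_FMT = "<h2xi32s4s32s256s2h3i4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)      # 384
EMPTY, USER_PROCESS, DEAD_PROCESS = 0, 7, 8


def _cstr(s, n):
    """NUL-padded fixed-width field, as stored in the struct."""
    return s.encode()[:n].ljust(n, b"\0")


def _text(b):
    return b.rstrip(b"\0").decode(errors="replace")


def pack_record(rtype, pid, line, ident, user, host, tv_sec):
    """One binary record, the same thing `utmpdump -r` produces from a text line."""
    return struct.pack(UTMP_FMT, rtype, pid, _cstr(line, 32), _cstr(ident, 4),
                       _cstr(user, 32), _cstr(host, 256),
                       0, 0,              # ut_exit: termination and exit status
                       0, tv_sec, 0,      # ut_session, ut_tv.tv_sec, ut_tv.tv_usec
                       0, 0, 0, 0)        # ut_addr_v6 (an IPv4 address sits in the first word)


def unpack_records(blob):
    """Decode a wtmp/utmp image into dicts; refuse anything not a whole number of records."""
    if len(blob) % UTMP_SIZE:
        raise ValueError("size is not a multiple of %d: wrong layout or truncated file" % UTMP_SIZE)
    out = []
    for off in range(0, len(blob), UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, blob, off)
        out.append({"type": f[0], "pid": f[1], "line": _text(f[2]), "id": _text(f[3]),
                    "user": _text(f[4]), "host": _text(f[5]), "time": f[9]})
    return out


def integrity_findings(records):
    """Cheap consistency checks that a hand-edited or wiped wtmp tends to fail."""
    findings, last_ts, open_pids = [], 0, set()
    for i, r in enumerate(records):
        if r["type"] == EMPTY:
            findings.append((i, "zeroed record (typical of a log wiper)"))
            continue
        if r["time"] < last_ts:
            findings.append((i, "timestamp goes backwards"))
        last_ts = max(last_ts, r["time"])
        if r["type"] == USER_PROCESS:
            open_pids.add(r["pid"])
        elif r["type"] == DEAD_PROCESS:
            if r["pid"] in open_pids:
                open_pids.discard(r["pid"])
            else:
                findings.append((i, "logout with no matching login"))
    return findings


def build_sample():
    """Constructed wtmp with a console and an ssh session, plus a copy with one login wiped."""
    t0 = 1411139061                        # constructed epoch timestamp, not real data
    good = b"".join([
        pack_record(USER_PROCESS, 1463, "tty1", "tty1", "root", "", t0),
        pack_record(DEAD_PROCESS, 1463, "", "tty1", "", "", t0 + 183),
        pack_record(USER_PROCESS, 1509, "pts/0", "ts/0", "gacanepa", "192.168.0.101", t0 + 344),
        pack_record(DEAD_PROCESS, 1509, "", "ts/0", "", "", t0 + 1550),
    ])
    # A wiper that zeroes the login record leaves a hole and an orphaned logout behind.
    tampered = good[:2 * UTMP_SIZE] + b"\0" * UTMP_SIZE + good[3 * UTMP_SIZE:]
    return good, tampered


if __name__ == "__main__":
    good, tampered = build_sample()
    print("clean   :", integrity_findings(unpack_records(good)))
    print("tampered:", integrity_findings(unpack_records(tampered)))
```

On a real system, read /var/log/wtmp with open(path, "rb") and hand the bytes to unpack_records; the size check fails immediately if the host uses a different struct layout. These checks are heuristics: a careful editor can keep the file consistent, which is why the off-host copy of the authentication logs matters more than anything wtmp itself can prove.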

In summary, utmpdump reads the detailed login events recorded in utmp, wtmp and btmp and in their rotated archives, and exposes the detail that the standard tools (who, w, uptime, last, lastb) leave out, which makes it a great tool to have.

Feel free to add comments to improve this post.
