Ways to view user logon records on a CentOS system

Source: Internet
Author: User
Tags: centos

Keeping, maintaining and analyzing logs, whether for events that happened in a given period or that are happening right now, is one of the most basic and important tasks of a Linux system administrator. For user management, checking the login and logout records (failed as well as successful) keeps us alert to potential security risks or unauthorized use of the system. For example, a remote login from an unknown IP address or account during a holiday or vacation should raise a red flag.

On CentOS systems, user logon history is stored in the following files:

/var/run/utmp (records the currently open sessions) is used by the who and w tools to show who is currently logged in and what they are doing, and by uptime to report the system boot time.

/var/log/wtmp (stores the system's connection history) is used by the last tool to list the users who logged in most recently.

/var/log/btmp (records failed login attempts) is used by the lastb tool to list the most recent failed login attempts.

In this article I'll explain how to use utmpdump, a small program from the sysvinit-tools package that dumps these binary log files to text files for inspection. It is available by default on CentOS 6 and 7. utmpdump collects more comprehensive information than the tools mentioned above, which makes it a good tool for the job. In addition, utmpdump can be used to modify utmp or wtmp, which is useful if you want to fix corrupted entries in the binary logs (LCTT translator's note: why does this sound like a prelude to doing something bad?).

The use of utmpdump and its output description

As mentioned above, these log files are stored in binary format, unlike the other logs most of us are familiar with, such as /var/log/messages, /var/log/cron and /var/log/maillog. Therefore we cannot use text viewers like less or more to read their contents. That is where utmpdump comes to the rescue.

To display the contents of /var/run/utmp, run the following command:

The code is as follows:

# utmpdump /var/run/utmp

Similarly, to display the contents of /var/log/wtmp:

The code is as follows:

# utmpdump /var/log/wtmp | tail -15

Finally, for /var/log/btmp:

# utmpdump /var/log/btmp

As you can see, the output has the same layout in all three cases, except that the utmp and btmp records are sorted chronologically while the wtmp order is reversed (LCTT translator's note: the original text is wrong here; wtmp is in fact also in chronological order).

Each line of the dump is formatted as a number of columns, described below. The first field is the session type identifier and the second field is the PID. The third field can take the following values: ~~ (a run-level change or system reboot), bw (a bootwait process), a number (a TTY number), or letters and digits (a pseudo-terminal). The fourth field is either empty, a user name, reboot, or runlevel. The fifth field is the main TTY or PTY (pseudo-terminal), if that information is available. The sixth field is the remote host name (empty for a local login, except for run-level records, where it holds the kernel version). The seventh field is the IP address of the remote system (0.0.0.0 for a local login). If DNS resolution is not available, the sixth and seventh fields show the same information (the IP address of the remote system). The last (eighth) field is the date and time at which the record was created.

Examples of utmpdump use

Here are a few simple uses of utmpdump.

1. Check the logins of a particular user (such as gacanepa) between August 18 and September 17.

The code is as follows:

# utmpdump /var/log/wtmp | grep gacanepa

If you need to review login information from earlier dates, check /var/log for wtmp-YYYYMMDD (or wtmp.[1...N]) and btmp-YYYYMMDD (or btmp.[1...N]) files, which are archives of old wtmp and btmp logs created by logrotate.

2. Count the logins from the IP address 192.168.0.101.

The code is as follows:

# utmpdump /var/log/wtmp | grep 192.168.0.101

3. Display failed login attempts.

The code is as follows:

# utmpdump /var/log/btmp

In the /var/log/btmp output, each line corresponds to a failed login attempt (for example a wrong password, or a non-existent user ID). The highlighted section of the picture above shows login attempts with a non-existent user ID, a warning that someone is trying to guess common account names to break into the system. This is an extremely serious problem when it happens on tty1, because it means someone has access to a terminal on your machine (time to check who has the keys to your data center?).

4. Display login and logout information for each user session

The code is as follows:

# utmpdump /var/log/wtmp

In /var/log/wtmp, a new login event is characterized by a '7' in the first field, a terminal number (or pseudo-terminal ID) in the third field, and the user name in the fourth field. The associated logout event shows '8' in the first field, the same PID as the login in the second field, and a blank terminal-number field. For example, look closely at the lines for PID 1463 in the picture above:

At [Fri Sep 11:57:40 2014 ART], a login prompt is displayed on tty1.

At [Fri Sep 12:04:21 2014 ART], user root logs in.

At [Fri Sep 12:07:24 2014 ART], user root logs out.

Side note: LOGIN in the fourth field means that a login prompt is being shown on the terminal named in the fifth field.
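The login/logout pairing by PID described above can be scripted. The following shell script is an added example and is not part of the original article: it reads utmpdump text on standard input, matches each type-7 login with the type-8 logout that carries the same PID, and prints one CSV line per session with its duration in seconds; logins that never received a logout are reported as still open, which is also what a session cut off by a crash looks like. The records in SAMPLE_WTMP are constructed test data laid out like sysvinit utmpdump output, and the function name session_report and the sample users are my own.

```shell
#!/bin/sh
# Added example, not from the original article: pair each utmpdump login
# record (type 7) with the logout record (type 8) carrying the same PID and
# print one CSV line per session: user,terminal,origin,login time,seconds.
# SAMPLE_WTMP is constructed test data in the sysvinit utmpdump layout;
# on a real host run:  utmpdump /var/log/wtmp | session_report

SAMPLE_WTMP='[2] [00000] [~~  ] [reboot  ] [~           ] [3.10.0-123.el7.x86_64] [0.0.0.0        ] [Fri Sep 05 11:55:02 2014 ART]
[6] [01463] [tty1] [LOGIN   ] [tty1        ] [                    ] [0.0.0.0        ] [Fri Sep 05 11:57:40 2014 ART]
[7] [01463] [tty1] [root    ] [tty1        ] [                    ] [0.0.0.0        ] [Fri Sep 05 12:04:21 2014 ART]
[8] [01463] [    ] [        ] [tty1        ] [                    ] [0.0.0.0        ] [Fri Sep 05 12:07:24 2014 ART]
[7] [02150] [ts/0] [gacanepa] [pts/0       ] [192.168.0.101       ] [192.168.0.101  ] [Thu Sep 18 13:09:50 2014 ART]
[8] [02150] [    ] [        ] [pts/0       ] [                    ] [0.0.0.0        ] [Thu Sep 18 13:20:15 2014 ART]
[7] [02388] [ts/1] [gacanepa] [pts/1       ] [192.168.0.101       ] [192.168.0.101  ] [Fri Sep 19 23:50:03 2014 ART]
[8] [02388] [    ] [        ] [pts/1       ] [                    ] [0.0.0.0        ] [Sat Sep 20 00:10:55 2014 ART]
[7] [02611] [ts/2] [gacanepa] [pts/2       ] [192.168.0.101       ] [192.168.0.101  ] [Sat Sep 20 08:15:00 2014 ART]'

# Reads utmpdump text on stdin.  Only POSIX awk features are used (no gawk
# mktime), so it works under mawk too; timestamps are turned into seconds
# with a civil-date formula, which is exact for differences because login
# and logout share the same timezone suffix.
session_report() {
    awk '
    function trim(s) { sub(/^ +/, "", s); sub(/ +$/, "", s); return s }
    # days since 1970-01-01 for a Gregorian date (Howard Hinnant formula)
    function days(y, m, d,    era, yoe, doy, doe) {
        y -= (m <= 2)
        era = int(y / 400)
        yoe = y - era * 400
        doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + d - 1
        doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
        return era * 146097 + doe - 719468
    }
    # "Fri Sep 05 12:04:21 2014 ART" -> seconds since the epoch (zone ignored)
    function epoch(ts,    p, hms, mon) {
        split(ts, p, " ")
        mon = (index("JanFebMarAprMayJunJulAugSepOctNovDec", p[2]) + 2) / 3
        split(p[4], hms, ":")
        return days(p[5] + 0, mon, p[3] + 0) * 86400 + hms[1] * 3600 + hms[2] * 60 + hms[3]
    }
    {
        line = $0
        sub(/^[[]/, "", line); sub(/[]]$/, "", line)   # drop the outer brackets
        split(line, f, /[]] [[]/)                       # then split on "] ["
        type = f[1]; pid = f[2]
        if (type == "7") {                  # login: remember who, where and when
            user[pid] = trim(f[4]); tty[pid] = trim(f[5])
            host[pid] = trim(f[6]); start[pid] = f[8]
        } else if (type == "8" && (pid in start)) {     # matching logout
            printf "%s,%s,%s,%s,%d\n", user[pid], tty[pid],
                   (host[pid] == "" ? "local" : host[pid]), start[pid],
                   epoch(f[8]) - epoch(start[pid])
            delete user[pid]; delete tty[pid]; delete host[pid]; delete start[pid]
        }
    }
    END {   # logins with no logout record: still open, or cut off by a crash
        for (pid in start)
            printf "%s,%s,%s,%s,open\n", user[pid], tty[pid],
                   (host[pid] == "" ? "local" : host[pid]), start[pid]
    }'
}

printf '%s\n' "$SAMPLE_WTMP" | session_report
```

Run on the sample data it prints one line per session, for instance `root,tty1,local,Fri Sep 05 12:04:21 2014 ART,183`; the type-2 reboot and type-6 LOGIN records are skipped because only type 7 and 8 carry a session. Pairing on PID is what makes the logout attributable to a user, since the type-8 record itself carries no user name.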

So far I have shown some trivial examples. You can combine utmpdump with other text-processing tools such as awk, sed, grep or cut to produce filtered and enhanced output.

For example, the following command lists all login events for a particular user, such as gacanepa, and its output can be sent to a .csv file that opens in a text editor or in a spreadsheet application such as LibreOffice Calc or Microsoft Excel. We show only the PID, user name, IP address and timestamp:

The code is as follows:

# utmpdump /var/log/wtmp | grep -E "\[7\].*gacanepa" | awk -v OFS="," 'BEGIN {FS="] "}; {print $2,$4,$7,$8}' | sed -e 's/\[//g' -e 's/\]//g'

As shown by the three highlighted areas in the picture above, the filtering consists of three pipeline steps. The first finds the login events ([7]) of user gacanepa; the second and third select the desired fields, set the output field separator to a comma, and remove the square brackets from the utmpdump output.

Of course, to open it later you need to redirect the command's output to a file (append "> [filename].csv" to the command).

In a more complex case, if you want to know which users (listed in /etc/passwd) have not logged in at a particular time, you can extract the user names from /etc/passwd and then grep for each of them in the /var/log/wtmp output. As you can see, the possibilities are endless.
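The two checks just described, failed attempts against non-existent accounts in the btmp output (from example 3) and /etc/passwd users with no login in wtmp, as one shell script. This is an added example, not code from the original article: SAMPLE_PASSWD, SAMPLE_BTMP and SAMPLE_WTMP are constructed data in utmpdump's text layout, the function names are my own, and on a real host the functions would be fed with utmpdump /var/log/btmp, utmpdump /var/log/wtmp and /etc/passwd. It goes one step beyond the article by also counting failed attempts per origin host, which is the quickest way to spot a single address guessing many names.

```shell
#!/bin/sh
# Added example, not from the original article.  Two checks built on
# utmpdump text output plus a per-origin count:
#   failed_for_unknown_users PASSWD < btmp_dump  attempts naming accounts
#                                                absent from the password file
#   failed_by_host                  < btmp_dump  failed attempts per origin
#   never_logged_in PASSWD          < wtmp_dump  accounts with no login record
# SAMPLE_* are constructed data in utmpdump layout; on a real host use
# utmpdump /var/log/btmp, utmpdump /var/log/wtmp and /etc/passwd.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
gacanepa:x:1000:1000::/home/gacanepa:/bin/bash
deploy:x:1001:1001::/home/deploy:/bin/bash'

# Every btmp record is a failed attempt; the type column is not needed here.
SAMPLE_BTMP='[7] [03412] [ssh:] [admin   ] [ssh:notty   ] [203.0.113.7         ] [203.0.113.7    ] [Sat Sep 20 02:11:05 2014 ART]
[7] [03415] [ssh:] [oracle  ] [ssh:notty   ] [203.0.113.7         ] [203.0.113.7    ] [Sat Sep 20 02:11:09 2014 ART]
[7] [03420] [ssh:] [gacanepa] [ssh:notty   ] [192.168.0.101       ] [192.168.0.101  ] [Sat Sep 20 09:02:44 2014 ART]
[6] [03511] [tty1] [root    ] [tty1        ] [                    ] [0.0.0.0        ] [Sat Sep 20 09:30:12 2014 ART]
[7] [03600] [ssh:] [test    ] [ssh:notty   ] [203.0.113.7         ] [203.0.113.7    ] [Sat Sep 20 02:11:14 2014 ART]'

SAMPLE_WTMP='[7] [01463] [tty1] [root    ] [tty1        ] [                    ] [0.0.0.0        ] [Fri Sep 05 12:04:21 2014 ART]
[8] [01463] [    ] [        ] [tty1        ] [                    ] [0.0.0.0        ] [Fri Sep 05 12:07:24 2014 ART]
[7] [02150] [ts/0] [gacanepa] [pts/0       ] [192.168.0.101       ] [192.168.0.101  ] [Thu Sep 18 13:09:50 2014 ART]'

# Normalise utmpdump lines on stdin to tab-separated: type, user, origin, time
utmp_fields() {
    awk -v OFS='\t' '{
        line = $0; sub(/^[[]/, "", line); sub(/[]]$/, "", line)
        n = split(line, f, /[]] [[]/)
        for (i = 1; i <= n; i++) { sub(/^ +/, "", f[i]); sub(/ +$/, "", f[i]) }
        print f[1], f[4], (f[6] == "" ? "local" : f[6]), f[8]
    }'
}

# Failed attempts whose user name is not in the password file given as $1.
# Guesses against non-existent accounts are the pattern the article flags.
failed_for_unknown_users() {
    utmp_fields | awk -F'\t' -v OFS='\t' '
        NR == FNR { split($0, p, ":"); known[p[1]] = 1; next }   # first file: passwd
        !($2 in known) { print $2, $3, $4 }                        # then stdin: btmp
    ' "$1" -
}

# Failed attempts per origin host, busiest first (ties broken by name).
failed_by_host() {
    utmp_fields | awk -F'\t' '{ n[$3]++ } END { for (h in n) print h "\t" n[h] }' \
        | sort -t "$(printf '\t')" -k2,2nr -k1,1
}

# Password-file accounts (in file order) with no type-7 login in the wtmp dump.
never_logged_in() {
    utmp_fields | awk -F'\t' '
        NR == FNR { split($0, p, ":"); order[++n] = p[1]; next }
        $1 == "7" { seen[$2] = 1 }
        END { for (i = 1; i <= n; i++) if (!(order[i] in seen)) print order[i] }
    ' "$1" -
}

PASSWD_FILE=$(mktemp)
trap 'rm -f "$PASSWD_FILE"' EXIT
printf '%s\n' "$SAMPLE_PASSWD" > "$PASSWD_FILE"

echo "== failed attempts against unknown accounts (user, origin, time) =="
printf '%s\n' "$SAMPLE_BTMP" | failed_for_unknown_users "$PASSWD_FILE"
echo "== failed attempts per origin =="
printf '%s\n' "$SAMPLE_BTMP" | failed_by_host
echo "== accounts with no login in wtmp =="
printf '%s\n' "$SAMPLE_WTMP" | never_logged_in "$PASSWD_FILE"
```

On the sample data the first check lists admin, oracle and test (all from 203.0.113.7), the per-origin count puts 203.0.113.7 on top with three attempts, and deploy is the only account that never logged in. The password file is passed as a path so that the same functions work unchanged against /etc/passwd.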

Before wrapping up, let me briefly show another use of utmpdump: modifying utmp or wtmp. Because these are binary log files, you cannot edit them the way you edit text files. Instead, dump the contents to text, modify the text output, and then import the modified content back into the binary log, as follows:

The code is as follows:

# utmpdump /var/run/utmp > tmp_output

<modify tmp_output with a text editor>

# utmpdump -r tmp_output > /var/run/utmp

This is useful when you want to remove or repair forged entries in the binary logs. Keep in mind that the same round trip lets an intruder rewrite the record of their own session, so a wtmp whose entries disagree with other sources (the sshd messages in /var/log/secure, for example) should be treated as suspect.

To summarize: utmpdump reads the utmp, wtmp and btmp log files as well as their old, rotated archives, and fills the gaps left by standard tools such as who, w, uptime, last and lastb, which makes it a great tool to have.
