How to view user login records in CentOS system

2025-04-02 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

Many newcomers to CentOS are unsure how to view user login records. This article explains where the records live and how to read them, so that anyone who needs this can follow along.

On CentOS systems, login history is kept in three binary files:

/var/run/utmp records the sessions that are currently open. The who and w tools read it to show who is logged in and what they are doing, and uptime reads the boot-time record from it.

/var/log/wtmp stores the history of logins, logouts and reboots. The last tool reads it to list recent logins.

/var/log/btmp records failed login attempts. The lastb tool reads it to list recent failures.

In this article, I'll show you how to use utmpdump, a small program that dumps these binary log files to text for inspection. On CentOS 6 it ships in the sysvinit-tools package; on CentOS 7 it is part of util-linux. Either way it is installed by default. The information utmpdump prints is more complete than the output of the tools mentioned above, which makes it the right tool for the job. In addition, utmpdump can rewrite utmp or wtmp from edited text, which is useful if you need to repair a corrupted entry in a binary log. Keep in mind that an intruder with root can use the same feature to scrub their own login records, so an unchanged wtmp is not proof that nothing happened. (LCTT Note: why do I feel this is the prelude to something bad?)

Using utmpdump and reading its output

As mentioned earlier, these files are stored in a binary format, unlike the text logs most of us are familiar with (such as /var/log/messages, /var/log/cron or /var/log/maillog), so pagers like less or more cannot display their contents. This is the gap that utmpdump fills.

To display the contents of /var/run/utmp, run the following command:

The code is as follows:

# utmpdump /var/run/utmp

Likewise, to display the contents of /var/log/wtmp (here limited to the last 15 records):

The code is as follows:

# utmpdump /var/log/wtmp | tail -15

Finally, for /var/log/btmp:

# utmpdump /var/log/btmp

As you can see, the output has the same layout in all three cases, and all three files are written in chronological order. (The original English article claimed that wtmp was in reverse order; the LCTT translator notes that this is an error.)

Each line is split into bracketed fields. The first field is the record type: [1] for a runlevel change, [2] for boot time, [6] for a login prompt waiting on a terminal (LOGIN_PROCESS), [7] for a user login (USER_PROCESS) and [8] for the end of that session (DEAD_PROCESS). The second field is the PID of the process that wrote the record. The third field is the terminal id: ~~ or - for a runlevel change or reboot, bw for a boot-wait process, a number for a TTY, or letters and digits for a pseudo terminal. The fourth field is empty, a user name, reboot, runlevel, or LOGIN. The fifth field is the terminal (TTY or PTY) when that information is available. The sixth field is the remote host name and the seventh the remote IP address (0.0.0.0 for a local login); when no DNS resolution is available, both show the IP address. The last (eighth) field is the date and time the record was written.

Sample usage of utmpdump

Here are some simple uses of utmpdump.

1. List the logins of a particular user, such as gacanepa (in the original article the count between August 18 and September 17 was simply read off the timestamps; append | wc -l to count the matching records):

The code is as follows:

# utmpdump /var/log/wtmp | grep gacanepa

If you need to review logins from earlier dates, check the wtmp-YYYYMMDD (or wtmp.[1...N]) and btmp-YYYYMMDD (or btmp.[1...N]) files under /var/log, which are the old wtmp and btmp archives rotated by logrotate.

2. List (and count) the logins from IP address 192.168.0.101:

The code is as follows:

# utmpdump /var/log/wtmp | grep 192.168.0.101

3. Display failed login attempts:

The code is as follows:

# utmpdump /var/log/btmp

In the /var/log/btmp output, every line is a failed login attempt, such as a wrong password or a user name that does not exist. Attempts with user names that do not exist on the system (the original article highlighted such lines in its screenshot) are a warning that someone is guessing common account names in order to break in. When such attempts arrive on tty1 this is an extremely serious problem, because it means someone has physical access to a console on your machine (time to check who holds the keys to your data center?).

4. Display the login and logout of each user session:

The code is as follows:

# utmpdump /var/log/wtmp

In /var/log/wtmp, a new login is a record whose first field is [7], whose third field is a terminal number (or pseudo terminal id) and whose fourth field is the user name. The matching logout is a record with [8] in the first field, the same PID as the login in the second field, and an empty terminal field. The original article's screenshot shows this for PID 1463:

At [Fri Sep 19 11:57:40 2014 ART], a login prompt is displayed on tty1 (a [6] record with LOGIN in the fourth field).

At [Fri Sep 19 12:04:21 2014 ART], the user root logs in (the [7] record).

At [Fri Sep 19 12:07:24 2014 ART], the user root logs out (the [8] record).

Side note: LOGIN in the fourth field means that a login prompt is waiting on the terminal named in the fifth field.

The examples so far are deliberately simple. You can combine utmpdump with other text processing tools, such as awk, sed, grep or cut, to produce filtered and enriched output.

For example, you can list all login events of a particular user (such as gacanepa) and write the output to a .csv file that can be opened in a spreadsheet such as LibreOffice Calc or Microsoft Excel. Here only the PID, user name, IP address and timestamp are kept:

The code is as follows:

The filtering logic in the original command consists of three pipeline steps. The first step selects the login events ([7] records) of the user gacanepa; the second and third steps pick the wanted fields, strip the square brackets from the utmpdump output and set the output field separator to a comma.

Of course, if you want to open the result later, redirect the output of the command to a file (append "> [filename].csv" to the end of the command).

In a more complex example, if you want to know which accounts listed in /etc/passwd have not logged in during a given period, extract the user names from /etc/passwd and check each one against the /var/log/wtmp output with grep. As you can see, the possibilities are endless.
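The following script is an added example written for this article; it is not code from the original author. It puts the field layout described above, the per-user CSV extraction, the [7]/[8] pairing by PID, the failed-login checks and the "accounts that never logged in" idea into a few POSIX shell functions built on awk. The utmpdump-style records and the account list inside it are constructed for illustration, not real logs; on a real host you would feed each function with `utmpdump /var/log/wtmp` or `utmpdump /var/log/btmp` instead of the sample variables.

```shell
#!/bin/sh
# Added example, not code from the original article: reading utmpdump(1) text with awk.
# Every utmpdump line has the layout  [type] [pid] [id] [user] [line] [host] [addr] [time]
# where type 7 = user login, 8 = that session's logout (same PID), 6 = login prompt.
# The records below are CONSTRUCTED to look like utmpdump output; they are not real logs.

SAMPLE_WTMP='[2] [00000] [~~  ] [reboot  ] [~           ] [3.10.0-123.el7.x86_64] [0.0.0.0        ] [Fri Sep 19 11:57:30 2014 ART]
[6] [01463] [tty1] [LOGIN   ] [tty1        ] [                    ] [0.0.0.0        ] [Fri Sep 19 11:57:40 2014 ART]
[7] [01463] [tty1] [root    ] [tty1        ] [                    ] [0.0.0.0        ] [Fri Sep 19 12:04:21 2014 ART]
[7] [05318] [ts/2] [gacanepa] [pts/2       ] [192.168.0.101       ] [192.168.0.101  ] [Fri Sep 19 12:05:10 2014 ART]
[8] [01463] [    ] [        ] [            ] [                    ] [0.0.0.0        ] [Fri Sep 19 12:07:24 2014 ART]
[8] [05318] [    ] [        ] [            ] [                    ] [0.0.0.0        ] [Fri Sep 19 12:30:00 2014 ART]
[7] [06001] [ts/0] [gacanepa] [pts/0       ] [192.168.0.101       ] [192.168.0.101  ] [Fri Sep 19 13:00:00 2014 ART]'

SAMPLE_BTMP='[6] [02345] [ts/1] [root    ] [ssh:notty   ] [203.0.113.7         ] [203.0.113.7    ] [Fri Sep 19 10:11:02 2014 ART]
[6] [02346] [ts/1] [admin   ] [ssh:notty   ] [203.0.113.7         ] [203.0.113.7    ] [Fri Sep 19 10:11:05 2014 ART]
[6] [02347] [ts/1] [oracle  ] [ssh:notty   ] [203.0.113.7         ] [203.0.113.7    ] [Fri Sep 19 10:11:09 2014 ART]
[6] [02348] [ts/1] [root    ] [ssh:notty   ] [203.0.113.7         ] [203.0.113.7    ] [Fri Sep 19 10:11:12 2014 ART]
[6] [01502] [tty1] [baduser ] [tty1        ] [                    ] [0.0.0.0        ] [Fri Sep 19 11:58:30 2014 ART]'

# Strip the bracket decoration and padding; emit type|pid|id|user|line|host|addr|time.
utmp_fields() {
  awk 'BEGIN { FS = "\\] \\["; OFS = "|" }
       NF == 8 {
         sub(/^\[/, "", $1); sub(/\]$/, "", $NF)
         for (i = 1; i <= NF; i++) gsub(/^ +| +$/, "", $i)
         print $1, $2, $3, $4, $5, $6, $7, $8
       }'
}

# CSV of one user's login events (pid,user,addr,time), [7] records only.
wtmp_user_logins() {
  utmp_fields | awk -F'|' -v u="$1" -v OFS=',' '$1 == "7" && $4 == u { print $2, $4, $7, $8 }'
}

# Pair each [7] login with the later [8] record that carries the same PID.
# A login with no matching [8] (a session still open at dump time) is reported as such.
wtmp_sessions() {
  utmp_fields | awk -F'|' '
    $1 == "7" { user[$2] = $4; line[$2] = $5; start[$2] = $8; order[++n] = $2 }
    $1 == "8" && ($2 in start) {
      print user[$2] " " line[$2] " in=" start[$2] " out=" $8; delete start[$2]
    }
    END {
      for (i = 1; i <= n; i++) { p = order[i]
        if ((p in start) && !(p in done)) { print user[p] " " line[p] " in=" start[p] " out=(still open)"; done[p] = 1 } }
    }'
}

# Accounts from a space-separated list (e.g. "$(cut -d: -f1 /etc/passwd | tr '\n' ' ')")
# that have no [7] login record in the dump.
wtmp_never_logged_in() {
  utmp_fields | awk -F'|' -v list="$1" '
    BEGIN { n = split(list, a, " ") }
    $1 == "7" { seen[$4] = 1 }
    END { for (i = 1; i <= n; i++) if (!(a[i] in seen)) print a[i] }'
}

# Failed attempts per user name from a btmp dump.
btmp_by_user() {
  utmp_fields | awk -F'|' '{ n[$4]++ } END { for (u in n) print u, n[u] }' | sort
}

# Failures whose source address is 0.0.0.0, i.e. someone at a local console (the tty1 case).
btmp_local_console() {
  utmp_fields | awk -F'|' '$7 == "0.0.0.0" { print $4 "@" $5 " " $8 }'
}

# Failed attempts whose user name is not a valid account: a sign of account-name guessing.
btmp_unknown_users() {
  utmp_fields | awk -F'|' -v list="$1" '
    BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) known[a[i]] = 1 }
    !($4 in known) { seen[$4]++ }
    END { for (u in seen) print u, seen[u] }' | sort
}

# Demo on the constructed samples. On a real host replace the printf with
#   utmpdump /var/log/wtmp | wtmp_sessions        (and /var/log/btmp for the btmp_* functions)
ACCOUNTS="root gacanepa admin"   # constructed stand-in for the first column of /etc/passwd
echo "== sessions ==";            printf '%s\n' "$SAMPLE_WTMP" | wtmp_sessions
echo "== never logged in ==";     printf '%s\n' "$SAMPLE_WTMP" | wtmp_never_logged_in "$ACCOUNTS"
echo "== failed, by user ==";     printf '%s\n' "$SAMPLE_BTMP" | btmp_by_user
echo "== failed, unknown user =="; printf '%s\n' "$SAMPLE_BTMP" | btmp_unknown_users "$ACCOUNTS"
```

Splitting on the literal "] [" separator rather than on whitespace is what keeps the timestamp and empty fields intact; a plain awk with the default separator would break "Fri Sep 19 ..." into several columns and silently drop the blank user and terminal fields of the [8] records, which is exactly what the pairing step needs to recognise.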

Before we summarize, let's briefly show another use of utmpdump: modifying utmp or wtmp. Since these are binary files, you cannot edit them in a text editor. Instead, dump the contents to text, modify the text, and import the modified text back into the binary file with the -r (reverse) option. For wtmp this looks as follows (the live session table is /var/run/utmp, not /var/log/utmp):

The code is as follows:

# utmpdump /var/log/wtmp > tmp_output

# utmpdump -r tmp_output > /var/log/wtmp

Take a copy of the original file before overwriting it, and remember that this round trip is exactly what an intruder with root does to erase a login: the host's own wtmp and btmp are only as trustworthy as root is. If these records matter to you, also forward the sshd and login messages from syslog to a remote collector so the two sources can be cross-checked.


© 2024 shulou.com SLNews company. All rights reserved.
