LinuxQuestions.org
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Old 10-22-2014, 09:37 PM   #31
tezarin
Member
 
Registered: Nov 2007
Posts: 133

Original Poster
Rep: Reputation: 0

Quote:
Originally Posted by frankbell View Post
As an aside, it might be a good idea to look into using logrotate to manage old log files, rather than managing them manually.

You could then store the archives created by logrotate in the event they need to be audited.
Great idea, something we might have to think about after I can solve this current issue.
 
Old 10-22-2014, 09:39 PM   #32
tezarin
Member
 
Registered: Nov 2007
Posts: 133

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by suicidaleggroll View Post
yes
Great to know, thanks much.

What about PuTTY? Where do the logins via ssh get recorded if he uses PuTTY? Thanks again
 
Old 10-22-2014, 09:41 PM   #33
suicidaleggroll
LQ Guru
 
Registered: Nov 2010
Location: Colorado
Distribution: OpenSUSE, CentOS
Posts: 5,508

Rep: Reputation: 2102
As I mentioned before, the specific ssh client application he uses is irrelevant. His client application is not the one creating the log entry. Your server's ssh daemon is the one creating the log entry, and it also happens to be the one that's accepting connections. So it doesn't matter what client application he uses to connect from. If your server's ssh daemon accepts a connection, it logs it in /var/log/secure. That's all that matters.

Last edited by suicidaleggroll; 10-22-2014 at 09:43 PM.
 
Old 10-22-2014, 09:47 PM   #34
tezarin
Member
 
Registered: Nov 2007
Posts: 133

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by suicidaleggroll View Post
As I mentioned before, the specific ssh client application he uses is irrelevant. His client application is not the one creating the log entry. Your server's ssh daemon is the one creating the log entry, and it also happens to be the one that's accepting connections. So it doesn't matter what client application he uses to connect from. If your server's ssh daemon accepts a connection, it logs it in /var/log/secure. That's all that matters.
You are the best, thanks. Yes, my server accepts ssh login attempts. I never changed the default, but almost all the secure.x files since 10 years ago are gone. But when I see the lastlog entries, I see one or two entries each month for this root user; how come those are not gone when all the secure.x files were removed?
 
Old 10-22-2014, 11:11 PM   #35
suicidaleggroll
LQ Guru
 
Registered: Nov 2010
Location: Colorado
Distribution: OpenSUSE, CentOS
Posts: 5,508

Rep: Reputation: 2102
My guess is the secure.X log files are either on a more aggressive rotation schedule, or they fill up so much quicker that they're rotated out more often.
 
Old 10-23-2014, 08:28 PM   #36
tezarin
Member
 
Registered: Nov 2007
Posts: 133

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by suicidaleggroll View Post
My guess is the secure.X log files are either on a more aggressive rotation schedule, or they fill up so much quicker that they're rotated out more often.
Thanks, but what I can't understand is how come some of the old entries (from years ago) can be found in the lastlog but the newer ones are not there...
 
Old 10-23-2014, 09:50 PM   #37
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,702

Rep: Reputation: 1270
Quote:
Originally Posted by tezarin View Post
He is using SCP, and probably has no cron set up; he told me before that he moves files to his machine all the time. Wouldn't those logins for manual file transferring be recorded in lastlog?
Scp does NOT use a terminal - thus lastlog will not show a login.

sshd will only log a session (whether interactive or not) if it is so configured. I suggest looking in the messages file (unless you have configured them to go elsewhere).
 
Old 10-23-2014, 09:57 PM   #38
suicidaleggroll
LQ Guru
 
Registered: Nov 2010
Location: Colorado
Distribution: OpenSUSE, CentOS
Posts: 5,508

Rep: Reputation: 2102
Quote:
Originally Posted by tezarin View Post
Thanks, but what I can't understand is how come some of the old entries (from years ago) can be found in the lastlog but the newer ones are not there...
What makes you think they're not? Remember, scp connections do not show up in lastlog in the first place.

To be honest I've never used lastlog. I never even knew it existed before this thread. I always just use /var/log/secure on my CentOS systems, and since it includes both ssh and scp connections it's more useful to me anyway. If you want to look at both ssh and scp connections, then just forget lastlog even exists and focus on /var/log/secure.
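The advice above is to rely on /var/log/secure rather than lastlog because sshd logs every accepted authentication there, whether the client goes on to run a shell or just an scp transfer. The script below is an added example, not code from this thread or from any of the posters: it parses a handful of constructed /var/log/secure lines in the syslog format sshd uses on CentOS/RHEL (hostname, addresses, PIDs and times are all made up) and counts accepted logins per user and day, plus failed attempts per source address. Regex details and the field names are this example's own assumptions.

```python
import re
from collections import Counter

# Constructed sample of what sshd writes to /var/log/secure on CentOS/RHEL.
# Hostname, addresses, PIDs and timestamps are invented for this example.
SAMPLE_SECURE_LOG = """\
Oct 20 08:12:01 srv1 sshd[4021]: Accepted publickey for root from 192.0.2.10 port 51234 ssh2
Oct 20 08:12:01 srv1 sshd[4021]: pam_unix(sshd:session): session opened for user root by (uid=0)
Oct 20 08:12:09 srv1 sshd[4021]: pam_unix(sshd:session): session closed for user root
Oct 20 13:40:55 srv1 sshd[4102]: Accepted publickey for root from 192.0.2.10 port 51300 ssh2
Oct 20 13:41:02 srv1 sshd[4102]: Received disconnect from 192.0.2.10: 11: disconnected by user
Oct 21 09:03:17 srv1 sshd[4310]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Oct 21 09:03:20 srv1 sshd[4310]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Oct 21 17:25:44 srv1 sshd[4455]: Accepted password for alice from 192.0.2.22 port 50210 ssh2
"""

# syslog timestamps pad single-digit days with a second space ("Oct  1"), hence " +".
ACCEPTED_RE = re.compile(
    r"^(?P<month>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_accepted(log_text):
    """Return one dict (month, day, time, method, user, src) per accepted login line."""
    events = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def logins_per_user_per_day(log_text):
    """Count accepted sshd authentications keyed by (user, 'Mon DD').

    Every accepted connection counts the same way, whether the client then
    opened a shell or only ran scp: sshd writes the same 'Accepted' line for both,
    which is why this file answers 'how often does he log in' while lastlog cannot.
    """
    counts = Counter()
    for ev in parse_accepted(log_text):
        counts[(ev["user"], f"{ev['month']} {int(ev['day']):02d}")] += 1
    return dict(counts)


def failed_by_source(log_text):
    """Count failed authentications per source address (useful alongside the above)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("src")] += 1
    return dict(counts)


if __name__ == "__main__":
    for (user, day), n in sorted(logins_per_user_per_day(SAMPLE_SECURE_LOG).items()):
        print(f"{day}  {user:<8} {n} accepted login(s)")
    for src, n in failed_by_source(SAMPLE_SECURE_LOG).items():
        print(f"{src}: {n} failed attempt(s)")
```

To run it against a real server, feed the script the concatenation of /var/log/secure and its rotated copies (secure.1, secure.2, ...) for as far back as they still exist; once logrotate has discarded a file, the logins it held are gone, which is the gap the thread runs into.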
 
Old 10-23-2014, 10:24 PM   #39
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,702

Rep: Reputation: 1270
Quote:
Originally Posted by tezarin View Post
Thanks, but what I can't understand is how come some of the old entries (from years ago) can be found in the lastlog but the newer ones are not there...
From the manpage:

Code:
FILES
       /var/log/lastlog
           Database times of previous user logins.

CAVEATS
       Large gaps in UID numbers will cause the lastlog program to run longer
       with no output to the screen (i.e. if in lastlog database there is no
       entries for users with UID between 170 and 800 lastlog will appear to
       hang as it processes entries with UIDs 171-799).
Lastlog is not a rotating file... It contains one record per UID for interactive logins. Each entry gets reused/updated when the user logs in. Since the file is a (relatively) fixed length, there is no need to rotate it. Because it never gets rotated/deleted, old entries will remain forever until the UID is reused.
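The post above explains why lastlog behaves so differently from /var/log/secure: it is a fixed-size database indexed by UID, with one slot per UID that is overwritten on each interactive login and never rotated. The following is an added example, not code from this thread, that builds a small constructed /var/log/lastlog image in memory, reads it back, and overwrites one slot the way login(1) does. It assumes the classic glibc `struct lastlog` layout (a 32-bit time, a 32-byte tty name and a 256-byte hostname, 292 bytes per record, little-endian); the timestamps, tty names and addresses in the sample are invented.

```python
import struct

# Assumed classic glibc `struct lastlog` (bits/utmp.h): int32 ll_time,
# char ll_line[32], char ll_host[256]; 292 bytes, little-endian on x86.
# Record number N is the slot for UID N, so the file is sparse and never rotates.
LASTLOG_STRUCT = struct.Struct("<i32s256s")
RECORD_SIZE = LASTLOG_STRUCT.size  # 292
EMPTY_RECORD = b"\x00" * RECORD_SIZE  # shown by lastlog(1) as "**Never logged in**"


def pack_record(ts, line, host):
    """Encode one slot; struct pads the strings with NULs to their fixed width."""
    return LASTLOG_STRUCT.pack(int(ts), line.encode(), host.encode())


def build_sample_lastlog():
    """Constructed image: UID 0 last logged in in 2005, UID 1000 in 2014, and
    every UID in between has no record (the 'large gap' case from the man page)."""
    recs = {
        0: pack_record(1122300000, "pts/0", "192.0.2.10"),
        1000: pack_record(1413800000, "pts/1", "192.0.2.22"),
    }
    return b"".join(recs.get(uid, EMPTY_RECORD) for uid in range(max(recs) + 1))


def parse_lastlog(data):
    """Return {uid: (timestamp, line, host)} for every slot that holds a login.

    Like lastlog(1), this walks every slot, which is why a big UID gap makes the
    tool look hung: the empty slots still have to be read and skipped.
    """
    entries = {}
    for uid in range(len(data) // RECORD_SIZE):
        ts, line, host = LASTLOG_STRUCT.unpack_from(data, uid * RECORD_SIZE)
        if ts == 0:
            continue
        entries[uid] = (ts, line.rstrip(b"\x00").decode(), host.rstrip(b"\x00").decode())
    return entries


def record_login(data, uid, ts, line, host):
    """Overwrite the UID's slot in place, extending the image if the UID is past
    the end. This is what an interactive login does: the previous value for that
    UID is lost, entries for other UIDs are untouched, and nothing is ever rotated."""
    needed = (uid + 1) * RECORD_SIZE
    if len(data) < needed:
        data += b"\x00" * (needed - len(data))
    off = uid * RECORD_SIZE
    return data[:off] + pack_record(ts, line, host) + data[off + RECORD_SIZE:]


if __name__ == "__main__":
    image = build_sample_lastlog()
    for uid, (ts, line, host) in parse_lastlog(image).items():
        print(f"uid {uid}: last login at {ts} on {line} from {host}")
    image = record_login(image, 0, 1413900000, "pts/3", "203.0.113.5")
    print("after a new root login:", parse_lastlog(image)[0])
```

Running this shows why the thread's observation is expected: the 2005 entry for a UID that never logged in again survives indefinitely, while a UID that logs in daily keeps only its most recent timestamp, and non-interactive sessions such as scp never touch the file at all.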
 
Old 10-24-2014, 09:01 AM   #40
ilesterg
Member
 
Registered: Jul 2012
Distribution: Arch, Debian, and CentOS/RHEL
Posts: 539

Rep: Reputation: 56
If you use PuTTY, you can configure it such that it sends keepalives every 30 minutes, for example. Hence, the user might only actually have to login very rarely. Again, you still have to provide proof that they login "many times a day".
 
Old 10-25-2014, 04:19 PM   #41
tezarin
Member
 
Registered: Nov 2007
Posts: 133

Original Poster
Rep: Reputation: 0
Thanks much everyone, I will take notes of everything and present to the management.
 