LinuxQuestions.org


anubis2k7 02-14-2008 05:25 PM

Gap in logs
 
Hi,

I am attempting to analyze logs on a Fedora box. This machine is controlled remotely via SSH, and I would like to be able to view all users that have successfully logged in.

I have looked at the logs contained in /var/log, specifically "secure", "secure.1", "secure.2..." as well as wtmp and wtmp.1 (via last -f); however, there is a gap in the logs.

The gap in the logs doesn't quite match. The wtmp.1 log ends at Jan 30 and ends at Feb 12 (wtmp).

The gap in the secure logs starts at Feb 4th and ends on the 12th. The log that should contain all the logins is secure.2, and it only has 3 login records.

Is there any way to recover this gap?

thnx

unSpawn 02-14-2008 07:19 PM

Let's define the scope first. Do you suspect tampering?
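
To help scope a gap like the one described in the question, the records in wtmp.1 and wtmp can be read directly, listing the logins and showing exactly where the timestamps stop and resume. This is an added example, not code posted by anyone in the thread; it assumes the 384-byte glibc `struct utmp` layout used on Linux x86/x86_64, and the users, addresses and dates in the sample are constructed.

```python
import struct
from datetime import datetime, timezone

# glibc "struct utmp" as written on Linux x86/x86_64: 384 bytes per record
# (assumption: other platforms may use a different layout).
UTMP = struct.Struct("<h2xi32s4s32s256shhiii4i20s")
EMPTY, USER_PROCESS = 0, 7  # ut_type values from <utmp.h>

def read_records(blob):
    """Yield (epoch, ut_type, user, line, host) for every complete record."""
    usable = len(blob) - len(blob) % UTMP.size  # skip a truncated tail record
    for off in range(0, usable, UTMP.size):
        f = UTMP.unpack_from(blob, off)
        user, line, host = (s.split(b"\0", 1)[0].decode("utf-8", "replace")
                            for s in (f[4], f[2], f[5]))
        yield f[9], f[0], user, line, host

def logins(records):
    """Keep only records that mark a user session starting."""
    return [r for r in records if r[1] == USER_PROCESS]

def find_gaps(records, max_quiet=86400):
    """Return (last_seen, next_seen) epoch pairs more than max_quiet seconds apart."""
    stamps = sorted(r[0] for r in records if r[1] != EMPTY)
    return [(a, b) for a, b in zip(stamps, stamps[1:]) if b - a > max_quiet]

def ts(y, m, d, h=0):
    """UTC calendar time to epoch seconds."""
    return int(datetime(y, m, d, h, tzinfo=timezone.utc).timestamp())

def make_record(when, user, host=b"", ut_type=USER_PROCESS):
    """Pack one record; used only to build the constructed sample below."""
    return UTMP.pack(ut_type, 1000, b"pts/0", b"ts/0", user, host,
                     0, 0, 0, when, 0, 0, 0, 0, 0, b"")

# Constructed sample: the bytes of a rotated file followed by the current one.
SAMPLE = b"".join([
    make_record(ts(2008, 1, 29, 12), b"alice", b"192.0.2.10"),
    make_record(ts(2008, 1, 30, 9), b"bob", b"192.0.2.11"),
    make_record(ts(2008, 2, 12, 8), b"reboot", b"", 2),  # 2 = BOOT_TIME
    make_record(ts(2008, 2, 12, 9), b"alice", b"192.0.2.10"),
])

if __name__ == "__main__":
    recs = list(read_records(SAMPLE))  # real use: bytes of wtmp.1 + wtmp
    for when, _, user, line, host in logins(recs):
        print(datetime.fromtimestamp(when, timezone.utc), user, line, host)
    for a, b in find_gaps(recs):
        print("no records between", a, "and", b, "(epoch seconds)")
```

A gap whose edges line up with the last record of one rotated file and the first record of the next points at rotation or retention settings; a gap inside a single file is the case that needs a closer look.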


All times are GMT -5.