LinuxQuestions.org

Linux - Software: How can I trace users in Linux? (https://www.linuxquestions.org/questions/linux-software-2/how-can-i-trace-users-in-linux-726571/)

eng_mohammedmostafa 05-17-2009 08:40 AM

How can I trace users in Linux?
 
Dears,

Please, if someone shuts down the server or runs any abnormal command, from where can I trace this user, or trace the machine that connected to that Linux server and accessed it?

Thanks & Regards,

rikijpn 05-17-2009 08:51 AM

How was the computer accessed? If ssh, you could just look at the log file (that depends on your Linux distribution; in Debian we use /var/log/auth.log), and it will tell you who did "sudo halt" from his account, or who used the "su" command (to become root and shut down the computer) last.

eng_mohammedmostafa 05-17-2009 09:04 AM

Dear,

If the user accesses the Linux server by PuTTY or by VNC,
from where can I trace this user?
I use Red Hat Enterprise Linux.
Where can I find auth.log?

Dear,
I already know which IP address was connected to the server before it shut down.
How can I know that this IP is the one who made the shutdown?

Regards,

rikijpn 05-17-2009 09:28 AM

"putty" is not a method; it is a program for Windows to use "ssh"/a Linux terminal. I've never used VNC, so I don't really know.

But you say you already have the IP of the person you want to find(?), right? Then the rest is simple. Go to an IP tracing/whois site like http://network-tools.com and type that IP address, select "whois" and click GO. It will tell you the country and every piece of data possible from that IP. Probably some e-mail address you can contact to complain (the ISP's e-mail address); if in your country, you maybe can even go to the police and sue the guy or something.

eng_mohammedmostafa 05-17-2009 09:41 AM

Dear,

Let me explain more . . .
I used the last command (it gave me this result):
Code:

root pts/5 :0.0 Sun May 17 16:26 - 16:26 (00:00)
root pts/5 :0.0 Sun May 17 16:23 - 16:24 (00:00)
root pts/4 150.150.101.16 Sun May 17 15:31 - down (00:56)

So 150.150.101.16 was the last one while the server was shutting down,
but I cannot say that this IP is the one who shut the server down.
My question: how can I decide that this IP is the one who made the shutdown?

Thanks,

rikijpn 05-17-2009 09:55 AM

All right. If you have Red Hat, can't you just ask the guys who sold it to you where the log files for that are, or something? Maybe someone who uses RH will answer you from here anyway.
In my case, as I told you, using Debian, if I wanted to do something like that I'd check my /var/log/auth.log file. It gives an output like this:

"May 10 16:32:40 myserver sudo: user1 : TTY=pts/0 ; PWD=/home/user1 ; USER=root ; COMMAND=/sbin/halt"

Which clearly tells me everything I need to know. You may want to check your log files (maybe somewhere in some /var directory?), or read the manuals of your distribution to check where they are [or try 'find / -name "*log"' and pray you get lucky].
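The two posts above hold the two halves of the answer: `last` (read from wtmp) says which remote host owned which pseudo-terminal and when, and the sudo record (in /var/log/auth.log on Debian, /var/log/secure on Red Hat, or a dedicated file if sudoers sets `Defaults logfile=...`) says which TTY the shutdown was issued from and at what second. Joining the two on (TTY, time window) is what turns "this IP was connected while the server went down" into "this IP's session ran /sbin/shutdown". The script below is an added example written for this page, not code from the thread or from any participant. Its `last` output and log lines are constructed samples (the year 2009, hostnames, users and the 10.0.0.7 address are assumptions); it also assumes `last` and the logs share the server's clock, and that a dedicated sudo logfile uses sudo's default 80-column wrapping with 4-space continuation lines, as in the sudolog excerpts quoted later in this thread. Caveat for the original poster's case: with people logging in directly as root (as the posted `last` output shows), sudo and su records cannot name a person, and wtmp is writable by root, so the source host from this join is the most the local logs can give; an sshd "Accepted" line for the same host and minute is useful corroboration.

```python
#!/usr/bin/env python3
"""Attribute a shutdown to a login session: join sudo command records to
`last` sessions on (tty, time window) and report the session's remote host.

Added example for the LinuxQuestions thread; not code from the thread.
Assumed: logs are from 2009 (neither syslog nor sudo's logfile records the
year), `last` and the logs share one local clock, C/English locale names.
"""
import re
from datetime import datetime, timedelta

YEAR = 2009  # assumption: syslog-style timestamps carry no year

# Constructed sample in the shape of `last` output.  pts/4 appears twice so
# the time window, not the tty name alone, decides the match.  The footer
# line is the one `last` prints and must be ignored.
LAST_OUTPUT = """\
user1    pts/5        :0.0             Sun May 17 16:26 - 16:26  (00:00)
user1    pts/4        150.150.101.16   Sun May 17 15:31 - down   (00:56)
user2    pts/4        10.0.0.7         Sun May 17 09:00 - 09:30  (00:30)

wtmp begins Fri May  1 00:00:01 2009
"""

# Constructed sample mixing what the thread shows: an sshd line and a
# syslog-style sudo line as written to /var/log/auth.log (Debian) or
# /var/log/secure (RHEL), plus entries from a dedicated sudo logfile
# (sudoers: Defaults logfile=/var/log/sudolog), one of them wrapped by sudo.
AUTH_LOG = """\
May 17 15:31:02 myserver sshd[2210]: Accepted password for user1 from 150.150.101.16 port 51022 ssh2
May 17 16:26:48 myserver sudo: user1 : TTY=pts/4 ; PWD=/home/user1 ; USER=root ; COMMAND=/sbin/shutdown -h now
May 17 09:05:12 : user2 : TTY=pts/4 ; PWD=/home/user2 ; USER=root ;
    COMMAND=/usr/bin/tail /var/log/sudolog
May 17 09:07:30 : user2 : TTY=pts/4 ; PWD=/home/user2 ; USER=root ; COMMAND=/sbin/service httpd restart
"""

# `last` session line: user tty [host] Dow Mon DD HH:MM - END (DUR).  Host is
# blank for console logins; END is a clock time, "down" or "crash"; DUR is
# "(HH:MM)" or "(D+HH:MM)".  "still logged in" lines have no END and are skipped.
LAST_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?:(?P<host>\S+)\s+)?"
    r"(?P<start>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d) - (?P<end>\S+)\s+"
    r"\((?:(?P<days>\d+)\+)?(?P<hh>\d\d):(?P<mm>\d\d)\)"
)

# sudo record in either form: "ts host sudo[pid]: user : ..." (syslog) or
# "ts : user : ..." (dedicated logfile).  Newer sudo versions may insert
# fields such as TSID=... between USER= and COMMAND=; they are tolerated.
SUDO_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)"
    r"(?: : | \S+ sudo(?:\[\d+\])?: )"
    r"(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<target>\S+) ;(?: [A-Z]+=[^;]* ;)* COMMAND=(?P<cmd>.*)$"
)

# Commands that take the machine down.  \b keeps e.g. "/sbin/service ... restart"
# and a hypothetical "/shutdownd" from matching.
SHUTDOWN_RE = re.compile(
    r"/(?:shutdown|halt|poweroff|reboot|telinit)\b|/init\s+[06]\b"
    r"|/systemctl\s+(?:poweroff|halt|reboot)\b"
)

GRACE = timedelta(minutes=1)  # `last` rounds to the minute; sudo logs seconds


def join_wrapped(lines):
    """Re-join records that sudo wrapped to its default loglinelen (80 cols):
    a continuation line is indented with four spaces."""
    out = []
    for line in lines:
        if line.startswith("    ") and out:
            out[-1] = out[-1].rstrip() + " " + line.strip()
        else:
            out.append(line.rstrip("\n"))
    return out


def parse_sudo(lines):
    """Return sudo command records; sshd, su, pam and other lines are skipped."""
    entries = []
    for line in join_wrapped(lines):
        m = SUDO_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{m['ts']} {YEAR}", "%b %d %H:%M:%S %Y")
        entries.append({"time": ts, "user": m["user"], "tty": m["tty"],
                        "target": m["target"], "cmd": m["cmd"]})
    return entries


def parse_last(text):
    """Return finished login sessions from `last` output with absolute start/end."""
    sessions = []
    for line in text.splitlines():
        m = LAST_RE.match(line)
        if not m:
            continue  # footer, reboot records, still-logged-in sessions
        start = datetime.strptime(f"{m['start']} {YEAR}", "%a %b %d %H:%M %Y")
        dur = timedelta(days=int(m["days"] or 0), hours=int(m["hh"]), minutes=int(m["mm"]))
        sessions.append({"user": m["user"], "tty": m["tty"], "host": m["host"] or "(console)",
                         "start": start, "end": start + dur, "ended": m["end"]})
    return sessions


def attribute(sessions, entries, pattern=SHUTDOWN_RE):
    """For each sudo record whose command matches `pattern`, return the session(s)
    that owned that tty at that moment, i.e. where the command came from.
    More than one hit for a record means the tty/time join is ambiguous."""
    hits = []
    for e in entries:
        if not pattern.search(e["cmd"]):
            continue
        for s in sessions:
            if s["tty"] == e["tty"] and s["start"] - GRACE <= e["time"] <= s["end"] + GRACE:
                hits.append({**e, "host": s["host"], "login": s["user"],
                             "session_end": s["ended"]})
    return hits


if __name__ == "__main__":
    for h in attribute(parse_last(LAST_OUTPUT), parse_sudo(AUTH_LOG.splitlines())):
        print(f"{h['time']:%b %d %H:%M:%S}  {h['login']}@{h['tty']} from {h['host']} "
              f"ran as {h['target']}: {h['cmd']}  (session ended: {h['session_end']})")
```

On a real box, feed it `last -F` (full timestamps, so the year assumption and the one-minute grace go away) and the sudo lines grepped out of /var/log/secure or the sudo logfile; the one result here is the pts/4 session from 150.150.101.16 that ended with "down", which is the answer the poster was after.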

namit 05-17-2009 03:36 PM

I would just allow users to use sudo and set up sudo to log everything that goes on, so that you are able to track everything rather than just shutdowns.

Good sudo tutorial:
http://www.debianadmin.com/providing...sing-sudo.html

rikijpn 05-17-2009 08:29 PM

Quote:

Originally Posted by namit (Post 3543921)
I would just allow users to use sudo and setup sudo to log everything that goes on so that you are able to track everything rather than just shutdowns.

Isn't that what I'm showing this guy? In my example I'm showing him what the actual log looks like (it's registering who ran sudo and what was run).

namit 05-18-2009 02:57 AM

Quote:

Originally Posted by eng_mohammedmostafa (Post 3543636)
Dear,

Let me explain more . . .
I used the last command (it gave me this result):
root pts/5 :0.0 Sun May 17 16:26 - 16:26 (00:00)
root pts/5 :0.0 Sun May 17 16:23 - 16:24 (00:00)
root pts/4 150.150.101.16 Sun May 17 15:31 - down (00:56)

So 150.150.101.16 was the last one while the server was shutting down,
but I cannot say that this IP is the one who shut the server down.
My question: how can I decide that this IP is the one who made the shutdown?

Thanks,

You mean this?

That does not look like sudo; all my sudo logs look like this:
Code:

May 17 13:42:44 : namit : TTY=pts/1 ;
    PWD=/home/namit/ ; USER=root ; COMMAND=/bin/rm /usr/sbin/
May 17 13:42:53 : namit : TTY=pts/1 ;
    PWD=/home/namit/ ; USER=root ; COMMAND=/bin/rm /usr/bin/
May 17 13:42:54 : namit : TTY=pts/1 ;
    PWD=/home/namit/ ; USER=root ; COMMAND=/bin/rm /usr/bin/
May 18 08:55:46 : namit : TTY=pts/0 ; PWD=/home/namit ; USER=root ;
    COMMAND=/bin/cat /var/log/sudolog
May 18 08:55:57 : namit : TTY=pts/0 ; PWD=/home/namit ; USER=root ;
    COMMAND=/usr/bin/tail /var/log/sudolog



All times are GMT -5.