{"id":39,"date":"2007-10-28T07:55:32","date_gmt":"2007-10-27T23:55:32","guid":{"rendered":"http:\/\/www.sysadmindayph.com\/blog\/monitoring-user-logins-in-unix\/"},"modified":"2012-02-11T18:47:11","modified_gmt":"2012-02-11T10:47:11","slug":"monitoring-user-logins-in-unix","status":"publish","type":"post","link":"https:\/\/www.sysadmindayph.com\/blog\/monitoring-user-logins-in-unix\/","title":{"rendered":"Monitoring User Logins In UNIX"},"content":{"rendered":"<p>Here are some of the commands and files that you may want to check out if you want to monitor your users&#8217; login activity on a Unix box (BSD\/Solaris).<\/p>\n<p>The concerned files (Solaris):<\/p>\n<ul>\n<li>\/var\/adm\/utmp(x)<\/li>\n<li>\/var\/adm\/wtmp(x)<\/li>\n<li>\/var\/adm\/lastlog<\/li>\n<\/ul>\n<p>The Commands:<\/p>\n<ul>\n<li>users*<\/li>\n<li>who<\/li>\n<li>w<\/li>\n<li>ac*<\/li>\n<li>last<\/li>\n<li>*<em>may not be available in Solaris?<\/em><\/li>\n<\/ul>\n<p><em>All sample outputs shown on this post are from: `uname -a`<\/em><\/p>\n<blockquote><p>SunOS unixbox 5.9 Generic sun4u sparc SUNW,Ultra-5_10<\/p><\/blockquote>\n<p><!--more--><\/p>\n<p><strong>utmp, wtmp and lastlog<\/strong><\/p>\n<p>First of all, these files are not regular text files. 
Doing a <a href=\"http:\/\/www.sysadmindayph.com\/blog\/less-is-more\/\">more<\/a>, cat or <a href=\"http:\/\/www.sysadmindayph.com\/blog\/less-is-more\/\">less<\/a> on these files will only output garbage data. Whenever a user logs in to a (Solaris) box, these three files are read and updated.<\/p>\n<p><strong>The \/var\/adm\/lastlog File<\/strong><\/p>\n<p>All the information about a user&#8217;s last login is recorded in this file. The utility that keeps track of these items is the login utility. When a user logs in, it updates the file with a new entry &#8211; that is, the time of the new login and so on.<\/p>\n<p>Here&#8217;s a typical output when a user logs in:<\/p>\n<blockquote><p><code>login: razile<br \/>\nPassword:<\/code><\/p>\n<p><strong>Last login: Fri Oct 21 21:50:02 2007 from 210.2.9.1<\/strong><br \/>\nSun Microsystems Inc.   SunOS 5.9       Generic May 2002<br \/>\nrazile@unix-box %<\/p><\/blockquote>\n<p>Here&#8217;s what&#8217;s happening&#8230; The <em>login<\/em> utility prompts for the username and waits for the password. If the authentication is successful, it reads the \/var\/adm\/lastlog file to check when this particular user last logged in. In this case it was on the 21st of October from 210.2.9.1.<\/p>\n<p><strong>The \/var\/adm\/utmp(x) File<\/strong><\/p>\n<p>The utmpx file contains information about users who are currently logged in. Again, this is no ordinary text file and cannot be read by plain old less or more. To read this file, you can use any of the following: <strong>w<\/strong>, <strong>who<\/strong> or <strong>users<\/strong>.<\/p>\n<blockquote><p>users in Solaris can be found by default in the \/usr\/ucb directory<\/p><\/blockquote>\n<p>The <strong>users<\/strong> command can be used to plainly see who is currently online. 
Not much info is shown apart from who is logged in.<\/p>\n<blockquote><p># \/usr\/ucb\/users<br \/>\nrazile root amkor nav 100serv<br \/>\n#<\/p><\/blockquote>\n<p><strong>w<\/strong> shows a much more detailed view of the users who are logged in to the system.<\/p>\n<blockquote><p># w<br \/>\n1:55am  2 users,  load average: 0.04, 0.02, 0.02<br \/>\nUser     tty           login@  idle   JCPU   PCPU  what<br \/>\nrazile pts\/2         1:51am     3                w<br \/>\nroot     pts\/9        Tue 9pm 2days                bash<br \/>\nroot     pts\/7        27Jul0745days      6         \/sbin\/sh<br \/>\nroot     pts\/8        10Aug0778days                \/sbin\/sh<\/p><\/blockquote>\n<p>The output shows that there are currently 2 users logged in to the machine &#8211; razile and root &#8211; with root using 2 terminals and razile on pts\/2. Take note of the last column. It shows the command being executed by the user.<\/p>\n<p>The <strong>who<\/strong> command has almost the same output as <strong>w<\/strong>, but without the last executed command shown above.<\/p>\n<blockquote><p># who<br \/>\nrazile     pts\/2        Oct 27 01:51    (21.2.10.1)<br \/>\nroot       pts\/9        Oct 23 21:14      (10.160.153.234)<br \/>\nroot       pts\/7        Jul 27 14:05      (:0.0)<br \/>\nroot       pts\/8        Aug 10 11:37     (:0.0)<\/p><\/blockquote>\n<p>Here the last column shows the host the user connected from instead of the command executed.<\/p>\n<p><strong>who<\/strong> can also take an argument. For example, if you want to see the content of \/var\/adm\/wtmpx instead of the default (for who) \/var\/adm\/utmpx:<\/p>\n<blockquote><p># who \/var\/adm\/wtmpx<\/p><\/blockquote>\n<p><strong>last<\/strong> is the command that looks into \/var\/adm\/wtmpx by default. 
<strong>last<\/strong> lists the sessions of specified users, ttys, and hosts in reverse time order, that is, the latest entry first, whereas <strong>who<\/strong> on wtmpx displays the oldest entry first.<\/p>\n<blockquote><p>razile@unixbox-&gt;who \/var\/adm\/wtmpx | more<br \/>\nuser1    ftp3800      Oct 26 23:45    (nfsbox            )<br \/>\nuser2   ftp3980      Oct 27 00:00    (63.166.216.16)<br \/>\nuser5    ftp3990      Oct 27 00:02    (nfsbox            )<br \/>\nuser9    ftp3991      Oct 27 00:02    (192.88.168.35)<br \/>\nuser8    ftp3992      Oct 27 00:02    (nfsbox            )<\/p>\n<p>razile@unixbox-&gt;last | more<br \/>\nuser1   ftp          nfsbox            Sat Oct 27 02:31 &#8211; 02:32  (00:00)<br \/>\nuser2   ftp          nfsbox            Sat Oct 27 02:24 &#8211; 02:25  (00:00)<br \/>\nuser5   ftp          nfsbox            Sat Oct 27 02:19 &#8211; 02:19  (00:00)<br \/>\nuser9   ftp          nfsbox            Sat Oct 27 02:18 &#8211; 02:19  (00:00)<br \/>\nuser8   ftp          nfsbox            Sat Oct 27 02:18 &#8211; 02:18  (00:00)<\/p><\/blockquote>\n<p>The utilities <strong><code>w<\/code><\/strong>, <strong><code>who<\/code><\/strong>, and <strong><code>users<\/code><\/strong> display information contained in the file <strong><code>\/var\/run\/utmp<\/code><\/strong>; the utilities <strong><code>last<\/code><\/strong> and <strong><code>ac<\/code><\/strong> display the information contained in <strong><code>\/var\/log\/wtmp<\/code><\/strong>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Here are some of the commands and files that you may want to check out if you want to monitor your users&#8217; login activity on a Unix box (BSD\/Solaris) The concerned files (Solaris): \/var\/adm\/utmp(x) \/var\/adm\/wtmp(x) 
&hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8,3],"tags":[],"class_list":["post-39","post","type-post","status-publish","format-standard","hentry","category-tips","category-unix"],"_links":{"self":[{"href":"https:\/\/www.sysadmindayph.com\/blog\/wp-json\/wp\/v2\/posts\/39","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.sysadmindayph.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.sysadmindayph.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.sysadmindayph.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.sysadmindayph.com\/blog\/wp-json\/wp\/v2\/comments?post=39"}],"version-history":[{"count":1,"href":"https:\/\/www.sysadmindayph.com\/blog\/wp-json\/wp\/v2\/posts\/39\/revisions"}],"predecessor-version":[{"id":303,"href":"https:\/\/www.sysadmindayph.com\/blog\/wp-json\/wp\/v2\/posts\/39\/revisions\/303"}],"wp:attachment":[{"href":"https:\/\/www.sysadmindayph.com\/blog\/wp-json\/wp\/v2\/media?parent=39"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.sysadmindayph.com\/blog\/wp-json\/wp\/v2\/categories?post=39"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.sysadmindayph.com\/blog\/wp-json\/wp\/v2\/tags?post=39"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}