
Method of viewing user login record on CentOS system

Time:2021-2-23

Keeping, maintaining and analyzing logs (for example, the account events that happened, or are happening, in a given period) is one of the most basic and important tasks of a Linux system administrator. For user management, checking user login and logout records, failed as well as successful, keeps us alert to potential security risks and unauthorized use of the system. For example, a remote login from an unknown IP address, or a login outside working hours or during a holiday, should raise a red flag.
On a CentOS system, user login history is stored in the following files:

  • /var/run/utmp records the currently open sessions. The who and w tools read it to show who is logged in and what they are doing, and uptime reads the boot-time record from it.
  • /var/log/wtmp stores the history of system connections. The last tool reads it to list the users who logged in most recently.
  • /var/log/btmp records failed login attempts. The lastb tool reads it to list the most recent failed attempts.


In this article I will show you how to use utmpdump, a small program that dumps these binary log files into text so they can be inspected. On CentOS 6 it is shipped in the sysvinit-tools package; on CentOS 7 it is part of util-linux, so it is available by default on both. The information utmpdump prints is more complete than the output of the tools mentioned above, which makes it a good tool for the job. In addition, utmpdump can be used to write modified content back into utmp or wtmp, which is useful if you need to fix a broken entry in a binary log.
Use and output of utmpdump

As mentioned above, unlike the logs most of us are familiar with (such as /var/log/messages, /var/log/cron or /var/log/maillog), these files are stored in a binary format, so we cannot read them with pagers like less or more. This is where utmpdump comes in handy.

To display the contents of /var/run/utmp, run the following command:

    # utmpdump /var/run/utmp

Similarly, to display the contents of /var/log/wtmp (here limited to the last 15 records):

    # utmpdump /var/log/wtmp | tail -15

And the same for /var/log/btmp:

    # utmpdump /var/log/btmp

As you can see, the output has the same format in all three cases. All three files are append-only, so utmpdump prints their records in the order they were written, oldest first, unlike last and lastb, which print the newest record first.

Each output line is made up of the following bracketed fields:

  • The first field is the record type (7 is a user login, 8 a logout, 6 a login prompt, 2 a reboot, 1 a run-level change).
  • The second field is the PID of the process that owns the record.
  • The third field is the record ID: ~~ (a run-level change or a system reboot), bw (a boot-wait process), a number (a TTY number), or a character followed by a number (a pseudo-terminal).
  • The fourth field is either empty, a user name, "reboot", or "runlevel".
  • The fifth field is the controlling TTY or pty (pseudo-terminal), if that information is available.
  • The sixth field is the remote host name. For a local login it is empty, except in run-level records, where it holds the kernel version.
  • The seventh field is the IP address of the remote system (0.0.0.0 for a local login). If the address could not be resolved through DNS, the sixth and seventh fields both show the IP address.
  • The last (eighth) field is the date and time at which the record was created.
Example of using utmpdump

Here are some simple uses of utmpdump.

1. List the logins of a specific user (here gacanepa). In the original screenshot the current wtmp only covered August 18 to September 17, so that is the period the output spans; the grep itself does not filter by date.

    # utmpdump /var/log/wtmp | grep gacanepa

If you need to review logins from an earlier period, look at the wtmp-YYYYMMDD (or wtmp.1 ... wtmp.N) and btmp-YYYYMMDD (or btmp.1 ... btmp.N) files under /var/log. These are the older wtmp and btmp archives produced by logrotate.

2. List the logins from the IP address 192.168.0.101.

    # utmpdump /var/log/wtmp | grep 192.168.0.101

3. Display failed login attempts.

    # utmpdump /var/log/btmp

In the /var/log/btmp output, every line is one failed login attempt (a wrong password, or a user name that does not exist). The lines highlighted in the original screenshot show attempts with a non-existent user name, which tells you that someone is guessing common account names in order to break into the system. On tty1 this is far more serious than over the network: a failed attempt on the local console means somebody had physical or console access to the machine (time to check who holds the keys to the data centre, or who can reach the VM console). One practical caveat: keep btmp readable by root only (it is created with mode 0600 for this reason), because whatever was typed at the login prompt, including a password entered into the user-name field by mistake, ends up in it.

4. Display the login and logout records of each user session.

    # utmpdump /var/log/wtmp

In /var/log/wtmp a new login is recognizable by a "7" in the first field, a terminal number (or pseudo-terminal ID) in the third field and a user name in the fourth. The matching logout record has "8" in the first field, the same PID as the login in the second field, and an empty user-name field. For example, follow the lines with PID 1463 in the original screenshot:

  • At [Fri Sep 19 11:57:40 2014 ART] a login prompt is displayed on tty1.
  • At [Fri Sep 19 12:04:21 2014 ART] the user root logs in.
  • At [Fri Sep 19 12:07:24 2014 ART] the user root logs out.

Side note: the value LOGIN in the fourth field means that a login prompt is being shown on the terminal named in the fifth field.

So far these have been trivial examples. You can combine utmpdump with other text-processing tools such as awk, sed, grep or cut to produce filtered and enriched output.

For example, the following command lists all login events of a specific user (here gacanepa) as comma-separated values, which can be written to a .csv file and opened with a text editor or a spreadsheet such as LibreOffice Calc or Microsoft Excel. Only the PID, user name, IP address and timestamp are kept:

    # utmpdump /var/log/wtmp | grep -E "\[7].*gacanepa" | awk -v OFS="," 'BEGIN {FS="] "}; {print $2,$4,$7,$8}' | sed -e 's/\[//g' -e 's/\]//g'

The filtering logic consists of three pipeline stages. The first keeps only the login events ([7]) of gacanepa; the second splits each line on "] " and prints the wanted fields with a comma as the output field separator; the third strips the square brackets that utmpdump puts around each field.

To keep the result for later, redirect the output of the command to a file (append "> filename.csv" to it).

As a more elaborate example, if you want to know which of the users listed in /etc/passwd have not logged in over a given period, you can extract the user names from /etc/passwd and grep for each of them in the /var/log/wtmp output. As you can see, the possibilities are endless.
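The field layout described above, the login/logout pairing by PID, the per-user extraction and the "who never logged in" check can all be done without utmpdump, by reading the 384-byte records directly. This is an added example, not code from the original article: it parses wtmp/utmp/btmp records in the x86_64 glibc layout of struct utmp (an assumption; 32-bit and musl systems use a different layout, so check sizeof(struct utmp) before trusting it on another platform) and runs on a constructed sample modelled on the article's screenshots, so it works offline on a copied wtmp without needing the tool. The record values, PIDs and addresses in the sample are invented.

```python
"""Read utmp/wtmp/btmp records directly and reconstruct sessions.
Added example, not part of the original article."""
import socket
import struct
from datetime import datetime, timezone

# struct utmp, x86_64 glibc: 384 bytes (ASSUMED layout; verify on other ABIs).
# type, pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256], exit_status{2 shorts},
# ut_session, ut_tv{sec, usec}, ut_addr_v6[4], 20 bytes padding
UTMP_STRUCT = struct.Struct("<hxxi32s4s32s256shhiii4i20x")
assert UTMP_STRUCT.size == 384

# ut_type values from utmp(5); utmpdump prints this number as the first field
RUN_LVL, BOOT_TIME, LOGIN_PROCESS, USER_PROCESS, DEAD_PROCESS = 1, 2, 6, 7, 8


def _cstr(raw):
    """Decode a NUL-padded fixed-width C string."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_records(data):
    """Yield one dict per complete record; a trailing partial record is ignored."""
    for off in range(0, len(data) - UTMP_STRUCT.size + 1, UTMP_STRUCT.size):
        (typ, pid, line, rid, user, host, _term, _exit, _sess,
         sec, _usec, a0, a1, a2, a3) = UTMP_STRUCT.unpack_from(data, off)
        # ut_addr_v6 holds the address in network byte order; only [0] is used for IPv4
        if (a1 | a2 | a3) == 0:
            addr = socket.inet_ntop(socket.AF_INET, struct.pack("<i", a0))
        else:
            addr = socket.inet_ntop(socket.AF_INET6, struct.pack("<4i", a0, a1, a2, a3))
        yield {"type": typ, "pid": pid, "id": _cstr(rid), "line": _cstr(line),
               "user": _cstr(user), "host": _cstr(host), "addr": addr,
               "time": datetime.fromtimestamp(sec, timezone.utc)}


def pack_record(typ, pid, line, rid, user, host, addr, ts):
    """Build one binary record (used here only to construct the sample input)."""
    fam = socket.AF_INET6 if ":" in addr else socket.AF_INET
    words = struct.unpack("<4i", socket.inet_pton(fam, addr).ljust(16, b"\0"))
    return UTMP_STRUCT.pack(typ, pid, line.encode(), rid.encode(), user.encode(),
                            host.encode(), 0, 0, 0, int(ts.timestamp()), 0, *words)


def sessions(records):
    """Pair each login (7) with the logout (8) that carries the same PID, as the
    article does by eye for PID 1463. Returns (user, line, addr, start, end);
    end is None for sessions that are still open."""
    open_by_pid, out = {}, []
    for r in records:
        if r["type"] == USER_PROCESS:
            open_by_pid[r["pid"]] = r
        elif r["type"] == DEAD_PROCESS and r["pid"] in open_by_pid:
            s = open_by_pid.pop(r["pid"])
            out.append((s["user"], s["line"], s["addr"], s["time"], r["time"]))
    out.extend((s["user"], s["line"], s["addr"], s["time"], None) for s in open_by_pid.values())
    return out


def login_rows(records, user):
    """The same four columns as the article's awk pipeline: PID, user, IP, timestamp."""
    return [(r["pid"], r["user"], r["addr"], r["time"].strftime("%Y-%m-%d %H:%M:%S"))
            for r in records if r["type"] == USER_PROCESS and r["user"] == user]


def never_logged_in(records, passwd_users):
    """Accounts from /etc/passwd with no login record in this file."""
    seen = {r["user"] for r in records if r["type"] == USER_PROCESS}
    return sorted(set(passwd_users) - seen)


def sample_wtmp():
    """CONSTRUCTED sample modelled on the article's screenshots; not real data."""
    def t(s):
        return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    recs = [
        (LOGIN_PROCESS, 1463, "tty1", "1", "LOGIN", "", "0.0.0.0", t("2014-09-19 11:57:40")),
        (USER_PROCESS, 1463, "tty1", "1", "root", "", "0.0.0.0", t("2014-09-19 12:04:21")),
        (DEAD_PROCESS, 1463, "tty1", "1", "", "", "0.0.0.0", t("2014-09-19 12:07:24")),
        (USER_PROCESS, 2210, "pts/0", "ts/0", "gacanepa", "192.168.0.101", "192.168.0.101", t("2014-09-19 13:15:02")),
        (DEAD_PROCESS, 2210, "pts/0", "ts/0", "", "", "0.0.0.0", t("2014-09-19 13:40:11")),
        (USER_PROCESS, 2375, "pts/1", "ts/1", "gacanepa", "192.168.0.101", "192.168.0.101", t("2014-09-20 03:02:45")),
    ]
    return b"".join(pack_record(*r) for r in recs)


if __name__ == "__main__":
    # replace with open("/var/log/wtmp", "rb").read() to analyze a real (copied) file
    recs = list(parse_records(sample_wtmp()))
    for r in recs:  # utmpdump-like rendering of the fields described in the article
        print(f"[{r['type']}] [{r['pid']:05d}] [{r['id']:<4}] [{r['user']:<8}] "
              f"[{r['line']:<12}] [{r['host']:<16}] [{r['addr']:<15}] [{r['time']:%a %b %d %H:%M:%S %Y}]")
    for user, line, addr, start, end in sessions(recs):
        print(f"{user} on {line} from {addr}: {start:%H:%M:%S} -> {end and f'{end:%H:%M:%S}' or 'still open'}")
    print(login_rows(recs, "gacanepa"))
    print(never_logged_in(recs, ["root", "gacanepa", "backup"]))
```

Run it against a copy of wtmp rather than the live file; a session with end None is either still open or one whose logout record was never written (a crash, or a scrubbed log), and the 03:02 login from the sample is exactly the out-of-hours event the introduction tells you to look for.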

Before concluding, let's briefly look at another use of utmpdump: modifying utmp or wtmp. Because these are binary files you cannot edit them in place the way you edit a text file. Instead, dump the content as text, modify the text, and import the result back into the binary log:

    # utmpdump /var/run/utmp > tmp_output
    <edit tmp_output with a text editor>
    # utmpdump -r tmp_output > /var/run/utmp

This is useful when you need to remove or repair a corrupted entry in a binary log. A few caveats apply. Work on a copy of the file and keep the original until you have verified the result, since a malformed line makes utmpdump -r produce a truncated file. Preserve the ownership and mode of the rewritten file (wtmp is root:utmp 0664, btmp root-only). And keep in mind that this round trip is exactly how an intruder erases the record of their own login, so wtmp on a compromised host is not trustworthy evidence on its own: cross-check it against /var/log/secure and audit logs, and forward login events to a remote log server so that a local edit cannot make them disappear.
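Because the same dump-edit-reload round trip can be used to scrub a log, it is worth checking a wtmp dump for the traces such editing leaves. The following is an added example, not code from the original article: it reads utmpdump text output in the format shown on this page (the ctime-style timestamp with a trailing zone abbreviation that CentOS 6/7 print; newer util-linux releases use a different timestamp format, so the strptime call would need adjusting) and flags two things a hand-edited or truncated file tends to show: a record whose timestamp is earlier than the one before it, and a logout (8) for a PID that never had a login prompt (6) or login (7) since the last reboot record. The sample dumps are constructed to illustrate one clean and one tampered file; the PIDs, addresses and kernel version in them are invented.

```python
"""Heuristic tamper check over utmpdump text output. Added example, not part of
the original article; the sample dumps below are CONSTRUCTED."""
import re
from datetime import datetime

FIELD = re.compile(r"\[([^\]]*)\]")


def parse_dump_line(line):
    """Split one utmpdump line into its eight bracketed fields (whitespace stripped)."""
    f = [x.strip() for x in FIELD.findall(line)]
    if len(f) != 8:
        raise ValueError(f"expected 8 bracketed fields, got {len(f)}: {line!r}")
    # CentOS 6/7 utmpdump prints e.g. "Fri Sep 19 12:04:21 2014 ART"; drop the zone
    ts = datetime.strptime(" ".join(f[7].split()[:5]), "%a %b %d %H:%M:%S %Y")
    return {"type": int(f[0]), "pid": int(f[1]), "id": f[2], "user": f[3],
            "line": f[4], "host": f[5], "addr": f[6], "time": ts}


def find_anomalies(lines):
    """Return (line_number, reason) for records that look edited or out of place.

    Heuristic: records are appended in time order, so a timestamp that goes
    backwards means something was inserted or reordered; a logout (8) for a PID
    with no prior 6/7 record since the last reboot means the login was removed
    (or the file was truncated). PIDs restart after a reboot, so the open set is
    cleared on each reboot (type 2) record."""
    findings, last_ts, open_pids = [], None, set()
    for n, raw in enumerate(lines, 1):
        if not raw.strip():
            continue
        r = parse_dump_line(raw)
        if last_ts is not None and r["time"] < last_ts:
            findings.append((n, "timestamp earlier than previous record"))
        last_ts = r["time"]
        if r["type"] == 2:
            open_pids.clear()
        elif r["type"] in (6, 7):
            open_pids.add(r["pid"])
        elif r["type"] == 8:
            if r["pid"] in open_pids:
                open_pids.discard(r["pid"])
            else:
                findings.append((n, f"logout for pid {r['pid']} with no matching login"))
    return findings


# CONSTRUCTED clean dump: reboot, prompt on tty1, root login/logout, an ssh session.
CLEAN_DUMP = """\
[2] [00000] [~~  ] [reboot  ] [~           ] [3.10.0-123.el7.x86_64] [0.0.0.0        ] [Fri Sep 19 11:57:12 2014 ART]
[6] [01463] [tty1] [LOGIN   ] [tty1        ] [                ] [0.0.0.0        ] [Fri Sep 19 11:57:40 2014 ART]
[7] [01463] [tty1] [root    ] [tty1        ] [                ] [0.0.0.0        ] [Fri Sep 19 12:04:21 2014 ART]
[8] [01463] [tty1] [        ] [tty1        ] [                ] [0.0.0.0        ] [Fri Sep 19 12:07:24 2014 ART]
[7] [02210] [ts/0] [gacanepa] [pts/0       ] [192.168.0.101   ] [192.168.0.101  ] [Fri Sep 19 13:15:02 2014 ART]
[8] [02210] [    ] [        ] [pts/0       ] [                ] [0.0.0.0        ] [Fri Sep 19 13:40:11 2014 ART]
"""

# CONSTRUCTED tampered dump: the gacanepa login line was deleted (its logout
# survives) and root's logout was re-inserted after a later record.
TAMPERED_DUMP = """\
[2] [00000] [~~  ] [reboot  ] [~           ] [3.10.0-123.el7.x86_64] [0.0.0.0        ] [Fri Sep 19 11:57:12 2014 ART]
[6] [01463] [tty1] [LOGIN   ] [tty1        ] [                ] [0.0.0.0        ] [Fri Sep 19 11:57:40 2014 ART]
[7] [01463] [tty1] [root    ] [tty1        ] [                ] [0.0.0.0        ] [Fri Sep 19 12:04:21 2014 ART]
[8] [02210] [    ] [        ] [pts/0       ] [                ] [0.0.0.0        ] [Fri Sep 19 13:40:11 2014 ART]
[8] [01463] [tty1] [        ] [tty1        ] [                ] [0.0.0.0        ] [Fri Sep 19 12:07:24 2014 ART]
"""

if __name__ == "__main__":
    # for a real system: utmpdump /var/log/wtmp > dump.txt; then pass open("dump.txt")
    print("clean:", find_anomalies(CLEAN_DUMP.splitlines()))
    for n, why in find_anomalies(TAMPERED_DUMP.splitlines()):
        print(f"tampered dump, line {n}: {why}")
```

A clean file yields no findings; the tampered one reports the orphaned logout and the backwards timestamp. Absence of findings proves nothing (an attacker who removes both the login and its logout leaves no such trace), so treat this as a cheap first pass and compare the login count against sshd's entries in /var/log/secure and the audit log before trusting a wtmp from a suspect host.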

To sum up, utmpdump reads detailed login events from the utmp, wtmp and btmp files, and from their rotated archives, and so complements the standard tools who, w, uptime, last and lastb, which is what makes it such a useful addition to the toolbox.

Tags: centos, login record
