Keeping, maintaining and analyzing logs (such as the account events that happened, or are happening, in a given period) is one of the most basic and important tasks of a Linux system administrator. For user management, reviewing the login and logout records of users (failed as well as successful) keeps us alert to potential security risks or unauthorized use of the system. For example, remote logins from unknown IP addresses, or logins outside working hours or during holidays, should raise a red flag.
On CentOS, user login history is stored in the following files:
- /var/run/utmp (keeps track of the currently open sessions) is used by the who and w tools to show who is currently logged in and what they are doing, and by uptime to report how long the system has been running.
- /var/log/wtmp (stores the history of system connections) is used by the last tool to show the list of users who logged in most recently.
- /var/log/btmp (records failed login attempts) is used by the lastb tool to show the list of the most recent failed login attempts.
In this article, I'll show you how to use utmpdump, a small program from the sysvinit-tools package that dumps these binary log files into text format for inspection. The tool is available by default on CentOS 6 and 7. The information utmpdump collects is more comprehensive than the output of the tools mentioned above, which makes it a good tool for the job. In addition, utmpdump can be used to modify utmp or wtmp, which is useful if you want to fix any broken entries in a binary log.
Use and output of utmpdump
As mentioned above, unlike the logs most of us are familiar with (such as /var/log/messages, /var/log/cron and /var/log/maillog), these log files are stored in binary format, so we cannot view their contents with a pager like less or more. That is where utmpdump comes in.
To display the contents of /var/run/utmp, run the following command:
The code is as follows:
Similarly, to display the contents of /var/log/wtmp:
The code is as follows:
As you can see, the output in the three cases has the same layout, except that the records in utmp and btmp are in chronological order, while in wtmp the order is reversed.
Each log line is formatted into columns as follows. The first field is the session type (the ut_type value), and the second field is the PID. The third field can be one of the following: ~~ (a run level change or a system reboot), bw (a bootwait process), a digit (a TTY number), or a character followed by a digit (a pseudo-terminal). The fourth field can be empty, or a user name, "reboot", or "runlevel". The fifth field is the main TTY or PTY (pseudo-terminal), if that information is available. The sixth field is the name of the remote host (empty for a local login, except for run level records, where it holds the kernel version). The seventh field is the IP address of the remote system (0.0.0.0 for a local login). If no DNS resolution is available, the sixth and seventh fields show the same information (the IP address of the remote system). The last (eighth) field is the date and time the record was created.
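To make the column layout above concrete, here is an added example (not part of the original article or of the utmpdump source) that packs and parses raw utmp records with Python's struct module and renders them in utmpdump's bracketed layout. It assumes the glibc struct utmp layout on x86_64 (384 bytes per record, fields in the order of <utmp.h>); the two records it builds are constructed fixture data, not entries from a real host.

```python
import socket
import struct
from datetime import datetime, timezone

# Assumed record layout: glibc's struct utmp on x86_64 (384 bytes). The field
# order follows <utmp.h>: ut_type, pad, ut_pid, ut_line, ut_id, ut_user,
# ut_host, ut_exit (two shorts), ut_session, ut_tv (two 32-bit ints),
# ut_addr_v6 (16 bytes), reserved padding.
UTMP_FMT = "<h2xi32s4s32s256shhiii16s20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384

USER_PROCESS, DEAD_PROCESS = 7, 8  # ut_type values utmpdump prints as [7] / [8]


def _cstr(raw):
    """Decode a NUL-padded char array."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def _addr(raw16):
    """ut_addr_v6 holds an IPv4 address in its first 4 bytes; an all-zero field
    renders as 0.0.0.0, which is what utmpdump shows for a local login."""
    if raw16[4:] == b"\0" * 12:
        return socket.inet_ntoa(raw16[:4])
    return socket.inet_ntop(socket.AF_INET6, raw16)


def pack_record(ut_type, pid, ut_id, user, line, host, addr, epoch):
    """Build one binary record (constructed fixture; a real file is read from
    /var/run/utmp, /var/log/wtmp or /var/log/btmp)."""
    raw_addr = socket.inet_aton(addr).ljust(16, b"\0")
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), ut_id.encode(),
                       user.encode(), host.encode(), 0, 0, 0, epoch, 0, raw_addr)


def parse_utmp(blob):
    """Split a utmp/wtmp/btmp blob into records carrying the eight fields
    that utmpdump prints."""
    records = []
    for off in range(0, len(blob) - UTMP_SIZE + 1, UTMP_SIZE):
        (ut_type, pid, line, ut_id, user, host, _term, _exit, _sess,
         sec, _usec, raw_addr) = struct.unpack_from(UTMP_FMT, blob, off)
        stamp = datetime.fromtimestamp(sec, tz=timezone.utc)
        records.append({
            "type": ut_type, "pid": pid, "id": _cstr(ut_id), "user": _cstr(user),
            "line": _cstr(line), "host": _cstr(host), "addr": _addr(raw_addr),
            "time": stamp.strftime("%a %b %d %H:%M:%S %Y UTC"),
        })
    return records


def dump_line(rec):
    """Render a record in utmpdump's bracketed column layout (widths approximate)."""
    return "[%d] [%05d] [%-4s] [%-8s] [%-12s] [%-20s] [%-15s] [%s]" % (
        rec["type"], rec["pid"], rec["id"], rec["user"], rec["line"],
        rec["host"], rec["addr"], rec["time"])


# Constructed sample: a remote login and its logout, linked by the same PID.
SAMPLE_BLOB = (
    pack_record(USER_PROCESS, 1463, "ts/0", "root", "pts/0",
                "192.168.0.101", "192.168.0.101", 1411139061)
    + pack_record(DEAD_PROCESS, 1463, "ts/0", "", "", "", "0.0.0.0", 1411139244)
)

if __name__ == "__main__":
    for rec in parse_utmp(SAMPLE_BLOB):
        print(dump_line(rec))
```

Reading a real file is a matter of passing `open("/var/run/utmp", "rb").read()` to parse_utmp; the logout record shows the pattern described later in the article, a [8] entry with the same PID as the [7] login and an empty user and terminal field.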
Examples of using utmpdump
Here are some simple uses of utmpdump.
1. Check the number of logins of a specific user (such as gacanepa) between August 18 and September 17.
The code is as follows:
If you need to review login information from earlier dates, check the wtmp-YYYYMMDD (or wtmp.[1...N]) and btmp-YYYYMMDD (or btmp.[1...N]) files under /var/log. These are the old wtmp and btmp archives generated by logrotate.
2. Count the number of logins from IP address 192.168.0.101.
The code is as follows:
3. Display failed login attempts.
The code is as follows:
In the /var/log/btmp output, each line corresponds to a failed login attempt (such as a wrong password or a non-existent user ID). The highlighted lines in the picture above show attempts with a non-existent user ID, which warns you that someone is trying to guess common account names to break into the system. This is especially serious on tty1, because it means someone has access to a terminal on your machine (time to check who has the keys to your data center, maybe?).
4. Display the login and logout information of each user session.
The code is as follows:
In /var/log/wtmp, a new login event is recognizable by a "7" in the first field, a terminal number (or pseudo-terminal ID) in the third field, and the user name in the fourth field. The corresponding logout event shows "8" in the first field, the same PID as the login in the second field, and a blank terminal number field. For example, look closely at the lines with PID 1463 in the picture above:
- At [Fri Sep 19 11:57:40 2014 ART] a login prompt appeared on tty1.
- At [Fri Sep 19 12:04:21 2014 ART] the user root logged in.
- At [Fri Sep 19 12:07:24 2014 ART] the user root logged out.
Side note: LOGIN in the fourth field means that a login prompt is being displayed on the terminal named in the fifth field.
So far, I've covered some trivial examples. You can combine utmpdump with text processing tools such as awk, sed, grep or cut to produce filtered and enhanced output.
For example, you can use the following command to list all login events of a specific user (such as gacanepa) and send the output to a .csv file, which can be opened and viewed with a text editor or a spreadsheet application such as LibreOffice Calc or Microsoft Excel. Let's show only the PID, user name, IP address and timestamp:
The code is as follows:
As shown by the three highlighted areas in the picture above, the filtering consists of three pipeline stages. The first stage finds the login events ([7]) triggered by gacanepa; the second and third stages select the desired fields, strip the square brackets from the utmpdump output and set the output field separator to a comma.
Of course, if you want to open the result later, you need to redirect the output of the above command to a file (append "> [filename].csv" to the command).
In a more elaborate example, if you want to know which users (listed in /etc/passwd) have not logged in during a given period, you can extract the user names from /etc/passwd and grep for each of them in the /var/log/wtmp output of utmpdump. As you can see, the possibilities are endless.
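The grep/awk pipelines described in examples 1 to 4 and in the CSV section above share one parsing step: splitting the bracketed utmpdump columns. The following added example (my own code, not from the article) does that step once in Python and then reproduces the same tasks over a constructed sample of utmpdump text output: login events of one user exported as CSV, login counts by user, address and date range, login/logout pairing by PID, and a pass over btmp lines that flags the cases the article calls out (unknown account names, and failed attempts on a local console). The sample lines, the user names and the IP address are made up; the eight columns follow the field order described earlier in the article.

```python
import csv
import io
import re
from datetime import datetime

# Constructed sample of utmpdump output (not from a real host). Columns:
# type, PID, id, user, line, host, address, timestamp.
WTMP_TEXT = """\
[6] [01463] [tty1] [LOGIN   ] [tty1        ] [                    ] [0.0.0.0        ] [Fri Sep 19 11:57:40 2014 ART]
[7] [01463] [tty1] [root    ] [tty1        ] [                    ] [0.0.0.0        ] [Fri Sep 19 12:04:21 2014 ART]
[8] [01463] [tty1] [        ] [            ] [                    ] [0.0.0.0        ] [Fri Sep 19 12:07:24 2014 ART]
[7] [02011] [ts/0] [gacanepa] [pts/0       ] [192.168.0.101       ] [192.168.0.101  ] [Fri Sep 19 14:30:02 2014 ART]
[8] [02011] [ts/0] [        ] [            ] [                    ] [0.0.0.0        ] [Fri Sep 19 14:45:10 2014 ART]
[7] [02388] [ts/1] [gacanepa] [pts/1       ] [192.168.0.101       ] [192.168.0.101  ] [Mon Sep 22 09:12:45 2014 ART]
"""

# Constructed btmp sample: every line here is a failed attempt.
BTMP_TEXT = """\
[6] [02500] [ts/2] [gacanepa] [pts/2       ] [192.168.0.101       ] [192.168.0.101  ] [Mon Sep 22 09:10:03 2014 ART]
[6] [02734] [tty1] [admin   ] [tty1        ] [                    ] [0.0.0.0        ] [Mon Sep 22 23:41:17 2014 ART]
"""

FIELDS = ("type", "pid", "id", "user", "line", "host", "addr", "time")


def parse_time(stamp):
    """Parse the timestamp column; the zone name (e.g. ART) is dropped because
    strptime cannot resolve arbitrary zone abbreviations."""
    return datetime.strptime(" ".join(stamp.split()[:5]), "%a %b %d %H:%M:%S %Y")


def parse_utmpdump(text):
    """Turn utmpdump text lines into dicts; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        fields = [f.strip() for f in re.findall(r"\[([^\]]*)\]", line)]
        if len(fields) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, fields))
        rec["type"] = int(rec["type"])
        rec["pid"] = int(rec["pid"])
        rec["when"] = parse_time(rec["time"])
        records.append(rec)
    return records


def logins_to_csv(records, user):
    """Equivalent of the article's grep/awk pipeline: [7] events of one user
    as CSV rows with PID, user, IP address and timestamp."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for r in records:
        if r["type"] == 7 and r["user"] == user:
            writer.writerow([r["pid"], r["user"], r["addr"], r["time"]])
    return out.getvalue()


def count_logins(records, user=None, addr=None, start=None, end=None):
    """Count [7] events, optionally restricted by user, source address and date range."""
    total = 0
    for r in records:
        if r["type"] != 7:
            continue
        if user is not None and r["user"] != user:
            continue
        if addr is not None and r["addr"] != addr:
            continue
        if start is not None and r["when"] < start:
            continue
        if end is not None and r["when"] > end:
            continue
        total += 1
    return total


def pair_sessions(records):
    """Match each login ([7]) with the logout ([8]) carrying the same PID;
    sessions with no logout yet are reported with None as the logout time."""
    open_sessions, sessions = {}, []
    for r in records:
        if r["type"] == 7:
            open_sessions[r["pid"]] = r
        elif r["type"] == 8 and r["pid"] in open_sessions:
            login = open_sessions.pop(r["pid"])
            sessions.append((login["user"], login["line"], login["time"], r["time"]))
    for login in open_sessions.values():
        sessions.append((login["user"], login["line"], login["time"], None))
    return sessions


def suspicious_failures(btmp_records, known_users):
    """Failed attempts worth a second look: account names that do not exist
    (name guessing) and attempts arriving on a local console (physical access)."""
    findings = []
    for r in btmp_records:
        reasons = []
        if r["user"] not in known_users:
            reasons.append("unknown user")
        if r["addr"] == "0.0.0.0":
            reasons.append("local console " + r["line"])
        if reasons:
            findings.append((r["user"], r["time"], ", ".join(reasons)))
    return findings


if __name__ == "__main__":
    wtmp = parse_utmpdump(WTMP_TEXT)
    print(logins_to_csv(wtmp, "gacanepa"), end="")
    print("logins from 192.168.0.101:", count_logins(wtmp, addr="192.168.0.101"))
    for session in pair_sessions(wtmp):
        print("session:", session)
    for finding in suspicious_failures(parse_utmpdump(BTMP_TEXT), {"root", "gacanepa"}):
        print("check:", finding)
```

On a real system the text would come from `utmpdump /var/log/wtmp` and `utmpdump /var/log/btmp` (plus the rotated archives), and the known_users set from the first column of /etc/passwd; the "users who did not log in during a period" question from the paragraph above is then the difference between that set and the users counted by count_logins with a start and end date.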
Before concluding, let's briefly look at another use of utmpdump: modifying utmp or wtmp. Because these are binary files, you cannot edit them as you would a text file. Instead, you dump the contents as text, modify the text output, and then import the modified content back into the binary log, as follows:
The code is as follows:
# utmpdump /var/log/utmp > tmp_output
<modify tmp_output with a text editor>
# utmpdump -r tmp_output > /var/log/utmp
This is useful when you want to remove or fix forged entries in the binary log.
In summary, utmpdump reads detailed login events from the utmp, wtmp and btmp log files, or from their rotated archives, making up for the shortcomings of standard tools such as who, w, uptime, last and lastb, which is what makes it such a useful tool.