I want to get some logs from my server, but not general logs like syslog that give me a lot of random logs. I want to know how I can get logs of things like logins (with time, IP and username), commands that the user ran, processes running at the time and things like this.

Nathan Campos

3 Answers

For logins: look at the `last` command.

For what commands they ran: look at the `lastcomm` command. Additionally, any privileged command run with `sudo` will be in the system logs.

Chad Feller
  • Is there any way to make a routine to log each command, even without using `sudo`? – Nathan Campos Aug 21 '11 at 02:05
  • 1
    as root, just run `lastcomm user`. In RHEL and Fedora, `lastcomm` is part of the "psacct" package. In Debian, it is part of the "acct" package. – Chad Feller Aug 21 '11 at 02:13
  • I can use the `last` command like this: `nohup last &` so I can make a history file, or does it have any restrictions? – Nathan Campos Aug 21 '11 at 02:26
  • This history is already logged. `last` just reads /var/log/wtmp by default. If you type `last -f /var/log/wtmp`, you should see the same output as if you type `last` w/ no args. If you need to read a previous (rotated) `wtmp` file, just use that as an argument instead. e.g., `last -f /var/log/wtmp-20110801`. If you need to keep longer logs, just change your log rotation schedules. – Chad Feller Aug 21 '11 at 02:40
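The comment above points out that `last` is just a reader for `/var/log/wtmp`. The following added example (not code from the answer author or from the `last` utility) decodes that file directly, producing the time, username, terminal and source IP the question asks for. It assumes the glibc `struct utmp` layout on x86_64 Linux (384-byte little-endian records); other architectures and libcs lay the record out differently. The sample records are constructed in the block, not captured from a real host.

```python
"""Decode a wtmp file (what `last` reads) into login/logout events."""
import socket
import struct
from datetime import datetime, timezone

# glibc struct utmp on x86_64 Linux: 384 bytes, little-endian (an assumption
# of this example; other architectures/libcs differ).
#   ut_type(h) pad(2) ut_pid(i) ut_line[32] ut_id[4] ut_user[32] ut_host[256]
#   ut_exit(h,h) ut_session(i) ut_tv(i,i) ut_addr_v6[4](i) reserved[20]
UTMP = struct.Struct("<h2xi32s4s32s256shhiii4i20s")
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8
TYPE_NAMES = {BOOT_TIME: "boot", USER_PROCESS: "login", DEAD_PROCESS: "logout"}


def _cstr(raw):
    """NUL-terminated fixed-width field to str."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def _addr(words):
    """ut_addr_v6 holds the peer address; an IPv4 peer uses only the first word."""
    if not any(words):
        return None
    packed = struct.pack("<4i", *words)
    if any(words[1:]):
        return socket.inet_ntop(socket.AF_INET6, packed)
    return socket.inet_ntoa(packed[:4])


def parse_wtmp(data):
    """Return boot, login (USER_PROCESS) and logout (DEAD_PROCESS) records."""
    events = []
    for off in range(0, len(data) - UTMP.size + 1, UTMP.size):
        (ut_type, pid, line, _id, user, host, _term, _exit, _sess,
         tv_sec, _tv_usec, a0, a1, a2, a3, _res) = UTMP.unpack_from(data, off)
        if ut_type not in TYPE_NAMES:
            continue  # LOGIN_PROCESS, INIT_PROCESS etc. are not login events
        events.append({
            "type": TYPE_NAMES[ut_type],
            "user": _cstr(user),
            "line": _cstr(line),
            "host": _cstr(host),
            "ip": _addr((a0, a1, a2, a3)),
            "pid": pid,
            "time": datetime.fromtimestamp(tv_sec, tz=timezone.utc),
        })
    return events


def make_record(ut_type, pid, line, user, host, ipv4, tv_sec):
    """Build one constructed wtmp record (test data, not from a real host)."""
    a0 = struct.unpack("<i", socket.inet_aton(ipv4))[0] if ipv4 else 0
    return UTMP.pack(ut_type, pid, line.encode(), b"", user.encode(),
                     host.encode(), 0, 0, 0, tv_sec, 0, a0, 0, 0, 0, b"")


# Constructed sample wtmp: one SSH login on pts/0 and its logout an hour later.
SAMPLE_WTMP = (
    make_record(USER_PROCESS, 4242, "pts/0", "alice", "203.0.113.5", "203.0.113.5", 1313891105)
    + make_record(DEAD_PROCESS, 4242, "pts/0", "", "", None, 1313894705)
)

if __name__ == "__main__":
    for ev in parse_wtmp(SAMPLE_WTMP):
        print(f"{ev['time']:%Y-%m-%d %H:%M:%S} {ev['type']:6} "
              f"{ev['user']:8} {ev['line']:6} {ev['ip'] or '-'}")
```

To run it on a live system, read `/var/log/wtmp` (or a rotated copy) as bytes and pass it to `parse_wtmp`. Logout records carry an empty username; `last` pairs them with the login on the same `ut_line`, which is why the `line` field is kept. Note that wtmp is writable by the `utmp` group and is not tamper-evident, so for evidence you still want the records forwarded off the host.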
To log commands run by people, you need to enable Linux Process Accounting. This should be in a package named `acct` (on Debian; probably something similar on Red Hat-based distributions), and comes in two pieces. The first is `accton`, a command run at boot that tells the kernel to log everything that runs (your package should set this up for you). The other part is a collection of utilities that read the log file and print useful information from it. On Debian this includes

  • `dump-acct`, which decodes the binary log file and dumps the data as text
  • `sa`, which does more-or-less the same but focuses on extracting programs run.
  • `lastcomm`, which dumps the log for a specific terminal, user, or command.

And a few others for figuring out how long people were connected. You'll need to decide what exactly you want to get from the logs, since a lot of stuff is recorded, but this site has some examples of things you can do.

DerfK
What exactly are you trying to accomplish? You might want to enable the bash history feature and enable timestamps there. But this will not give you the processes running at a certain time.

Nils