[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: User logins not appearing in wtmp?



On Wed, 06 Jun 2012 11:36:09 -0300, francis picabia wrote:

> Today I see from logwatch report 28 sshd logins from one user at an IP
> address in a different continent than usually seen here.
> 
> When I look up this user with last command to see if this is part of a
> travel pattern or perhaps their account is compromised, I don't get any
> matches. I've used last and last -f /var/log/wtmp.1 with the user name
> and there are no matches.

OpenSSH logins fall under "/var/log/auth*" logs.
 
> Yet finger shows a login from Apr 24, which jives with their last
> .bash_history update
> 
> One way this could happen is by use of sftp/scp.  Is there a way to get
> last to record these sessions as well?

Mmm... any specific reason for wanting these logs available within 
wtmp? :-?

Greetings,

-- 
Camaleón


Reply to: