Re: User logins not appearing in wtmp?
On Wed, 06 Jun 2012 11:36:09 -0300, francis picabia wrote:
> Today I see from logwatch report 28 sshd logins from one user at an IP
> address in a different continent than usually seen here.
>
> When I look up this user with last command to see if this is part of a
> travel pattern or perhaps their account is compromised, I don't get any
> matches. I've used last and last -f /var/log/wtmp.1 with the user name
> and there are no matches.
OpenSSH logins fall under "/var/log/auth*" logs.
> Yet finger shows a login from Apr 24, which jives with their last
> .bash_history update
>
> One way this could happen is by use of sftp/scp. Is there a way to get
> last to record these sessions as well?
Mmm... any specific reason for wanting these logs available within
wtmp? :-?
Greetings,
--
Camaleón
Reply to: