Re: User logins not appearing in wtmp?

To: debian-user@lists.debian.org
Subject: Re: User logins not appearing in wtmp?
From: Camaleón <noelamac@gmail.com>
Date: Wed, 6 Jun 2012 16:14:05 +0000 (UTC)
Message-id: <[🔎] jqnvkc$u68$16@dough.gmane.org>
References: <[🔎] CA+AKB6F4YCTv8wkDWRzoTK5pRR-cTxvEq5Uxu=6hO4-SpAzHaQ@mail.gmail.com>

On Wed, 06 Jun 2012 11:36:09 -0300, francis picabia wrote:

> Today I see from logwatch report 28 sshd logins from one user at an IP
> address in a different continent than usually seen here.
> 
> When I look up this user with last command to see if this is part of a
> travel pattern or perhaps their account is compromised, I don't get any
> matches. I've used last and last -f /var/log/wtmp.1 with the user name
> and there are no matches.

OpenSSH logins fall under "/var/log/auth*" logs.
 
> Yet finger shows a login from Apr 24, which jives with their last
> .bash_history update
> 
> One way this could happen is by use of sftp/scp.  Is there a way to get
> last to record these sessions as well?

Mmm... any specific reason for wanting these logs available within 
wtmp? :-?

Greetings,

-- 
Camaleón

Reply to:

Follow-Ups:
- Re: User logins not appearing in wtmp?
  - From: francis picabia <fpicabia@gmail.com>

References:
- User logins not appearing in wtmp?
  - From: francis picabia <fpicabia@gmail.com>

Prev by Date: Re: the ghost of UEFI and Micr0$0ft
Next by Date: Re: Default sound for alarm-clock 0.3.1 in Squeeze.
Previous by thread: User logins not appearing in wtmp?
Next by thread: Re: User logins not appearing in wtmp?
Index(es):
- Date
- Thread