Re: logging in




On 30 January 2018 at 13:40, Jon Pruente <jpruente@xxxxxxxxxxxxxxxxx> wrote:

> On Tue, Jan 30, 2018 at 12:26 PM, <m.roth@xxxxxxxxx> wrote:
>
> > This is.... odd.
> >
> > We're seeing a *lot* of
> > sshd[8400]: Timeout, client not responding.
> > So I'm trying to find out whose client is having issues. Trying to figure
> > that, after processes are gone, I tried looking in lastlog, which is where
> > it gets odd. lastlog shows root coming in, and it shows a security account
> > coming in... years ago.
> >
> > I see one of our users logging in a goodly number of times... but lastlog
> > doesn't show him. I just logged in as myself, no password, using keys...
> > and lastlog doesn't show me, or my manager, or anyone else.
> >
> > Does anyone have any idea why lastlog's not recording *all* logins?
> >
>
> You can look at /var/log/audit/audit.log to see more detail than what last
> shows. A nice tip is to pipe the output through another tool to convert the
> timestamps to human readable date and time.
>
> tail -f /var/log/audit/audit.log | ausearch -i
> or
> tail -f /var/log/audit/audit.log | perl -pe 's/(\d+)/localtime($1)/e'
>
>
Also check that /var/log/wtmp is set up correctly

[smooge@smoogen-laptop ~]$ ls -lZ /var/log/wtmp
-rw-rw-r--. root utmp system_u:object_r:wtmp_t:s0      /var/log/wtmp
[smooge@smoogen-laptop ~]$ ls -l /var/log/wtmp
-rw-rw-r--. 1 root utmp 116352 2018-01-30 13:55 /var/log/wtmp

Sometimes wtmp gets rotated at the beginning of the year so there is
usually another file like
/var/log/wtmp-20180117 or something.


> via
> https://serverfault.com/questions/327846/convert-selinux-log-date-format-from-epoch-to-normal
> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> https://lists.centos.org/mailman/listinfo/centos
>



-- 
Stephen J Smoogen.
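
As an added example that is not part of the original thread: a small parser that reads the epoch from the `msg=audit(EPOCH.MILLIS:SERIAL)` header of each record, rather than the first run of digits on the line, and lists `USER_LOGIN` events with the account, source address and result. The sample records are constructed, and the names `parse_record` and `login_events` are hypothetical.

```python
import re
from datetime import datetime, timezone

# Constructed sample records in audit.log format (not taken from the thread).
SAMPLE = """\
type=USER_LOGIN msg=audit(1517337600.123:456): pid=8400 uid=0 auid=1000 ses=3 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=ws1.example.org addr=192.0.2.10 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1517337700.000:460): pid=8411 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.99 terminal=ssh res=failed'
type=CRED_ACQ msg=audit(1517337701.500:461): pid=8412 uid=0 auid=1000 ses=3 msg='op=PAM:setcred acct="alice" exe="/usr/sbin/sshd" hostname=ws1.example.org addr=192.0.2.10 terminal=ssh res=success'
"""

# Record header: type=NAME msg=audit(EPOCH.MILLIS:SERIAL): key=value ...
HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+)\.(\d+):(\d+)\):\s*(.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into its type, UTC time, serial and fields."""
    m = HEADER.match(line.strip())
    if not m:
        return None  # not an audit record (blank or truncated line)
    rtype, sec, _msec, serial, body = m.groups()
    # User-space records nest their own key=value pairs inside msg='...'.
    body = body.replace("msg='", "").rstrip("'")
    fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
    when = datetime.fromtimestamp(int(sec), tz=timezone.utc)
    return rtype, when.strftime("%Y-%m-%d %H:%M:%S UTC"), int(serial), fields


def login_events(text, types=("USER_LOGIN",)):
    """Return who logged in (or failed to), from where and when."""
    events = []
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None or rec[0] not in types:
            continue
        _, when, serial, f = rec
        who = f.get("acct") or f.get("id") or f.get("auid")
        events.append({"time": when, "serial": serial, "who": who,
                       "addr": f.get("addr"), "res": f.get("res")})
    return events


if __name__ == "__main__":
    for ev in login_events(SAMPLE):
        print(ev)
```

Times are printed in UTC so the output does not depend on the host's timezone; pass other record types in `types` to widen the filter.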