stevedoria.net

Login attempts can be tracked in real time with the following command:

/bin/utmpdump -f /var/log/btmp

I received a Logwatch email reporting a “corruption detected in /var/log/btmp : XX time(s)” issue. By performing an Internet search for the reported issue, I found Gabriel Cánepa’s How to Monitor User Login History on CentOS with utmpdump. Cánepa describes utmpdump in depth and the fields in each utmpdump line entry.

The eight fields emitted by utmpdump are:

1. session identifier
2. PID
3. “~~” (runlevel change) | “bw” (bootwait process) | TTY | PTY
4. empty | username | reboot | runlevel
5. TTY | PTY
6. remote hostname | kernel version
7. remote IP address
8. timestamp

This entry was posted on Tuesday, October 29th, 2019 at 10:01 pm and is filed under Linux / Unix. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.