
Use of audit

Status: Not open for further replies.

owen68 (MIS), Feb 22, 2002, GB
Hello,
I'm new to Unix. I'm running an MIS on Unix and want some advice on how to monitor failed logins, and who's accessing it and when.

I found the command who -a /etc/security/failedlogin but got loads of information.
How do I get the output into a file, and how can I restrict the command to look within a range of dates or a single date?

I also want to understand audit. I looked at the man page, but it makes no sense to me.

I think that's enough for now!
 
First of all, getting output into a file is straightforward; in your example:
who -a /etc/security/failedlogin > filea
will put everything into filea. If you use a pattern-matching filter, like grep, then you can pipe the output into it and narrow down your search. For example:
who -a /etc/security/failedlogin | grep " Aug " > filea
will list out only entries for last August.

You can always do things a bit more interactively with the vi editor. Everyone who is new to Unix instantly falls in love with this :)

You might want to have a little play with vi, pipes and filters before you progress into audit.

That's what I've been doing for the last 5 years.

Mark
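The grep trick above narrows the output to one month; a date range or a single day needs the month and day compared as numbers. The script below is an added example (not from the original thread or from AIX itself): it reads the column layout that plain `who` prints for the failedlogin file (user, tty, month, day, time, optional host), keeps only the lines inside an inclusive "Mon DD" range, and totals the failures per account name. The log lines are constructed for the demonstration, and the column layout is an assumption about what `who` prints on the poster's system; on the real box you would replace the sample with `who /etc/security/failedlogin | filter_failedlogin "Feb 21" "Feb 22" > filea`.

```shell
#!/bin/sh
# Constructed sample in the column layout of `who /etc/security/failedlogin`
# (user, tty, month, day, time, optional host). Not real data.
SAMPLE_FAILEDLOGIN='UNKNOWN_ pts/0 Feb 20 08:15 (10.0.0.5)
owen68 pts/1 Feb 21 17:42 (10.0.0.9)
UNKNOWN_ tty0 Feb 22 02:03
root pts/2 Feb 22 09:10 (10.0.0.9)
UNKNOWN_ pts/0 Feb 23 23:59 (10.0.0.5)'

# day_key Mon DD  ->  integer MMDD, so dates can be compared with -ge / -le.
# `who` prints no year, so the key only orders dates within one year.
day_key() {
  case "$1" in
    Jan) m=1;;  Feb) m=2;;  Mar) m=3;;  Apr) m=4;;  May) m=5;;  Jun) m=6;;
    Jul) m=7;;  Aug) m=8;;  Sep) m=9;;  Oct) m=10;; Nov) m=11;; Dec) m=12;;
    *) echo 0; return 1;;      # not a month name: caller skips the line
  esac
  d=${2#0}                      # drop a leading zero so $(( )) does not read octal
  echo $((m * 100 + d))
}

# filter_failedlogin "Feb 21" "Feb 22"  < who-output
# Prints only the entries whose date falls inside the inclusive range.
# For a single day, pass the same date twice.
filter_failedlogin() {
  from=$(day_key $1)            # unquoted on purpose: "Feb 21" splits into two args
  to=$(day_key $2)
  while read -r user tty mon day rest; do
    [ -n "$mon" ] || continue                     # skip blank lines
    key=$(day_key "$mon" "$day") || continue      # skip lines with no date column
    if [ "$key" -ge "$from" ] && [ "$key" -le "$to" ]; then
      echo "$user $tty $mon $day $rest"
    fi
  done
}

# count_failedlogin_by_user < who-output
# One line per account name with its failure count; a pile of UNKNOWN_
# entries from one host is what the reply below suggests looking at.
count_failedlogin_by_user() {
  awk '{ n[$1]++ } END { for (u in n) print u, n[u] }' | sort
}

# Demonstration on the constructed sample. Redirect to a file, as in the
# reply above, to keep the narrowed list: ... | filter_failedlogin ... > filea
printf '%s\n' "$SAMPLE_FAILEDLOGIN" | filter_failedlogin "Feb 21" "Feb 22"
printf '%s\n' "$SAMPLE_FAILEDLOGIN" | count_failedlogin_by_user
```

Because `who` omits the year, a range that crosses a year boundary (say "Dec 30" to "Jan 02") cannot be expressed with this key; split it into two calls, one per year.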
 
who /etc/security/failedlogin > /tmp/failedloginfile

The flag is not needed. It is in order by date?
Unknown users can be modem noise or someone trying to get in.

If you are just trying to find out who is trying to get into your system, I don't think you want accounting or auditing. Auditing is a pig, disk-wise. If you are trying to track a particular user's writes and reads, deletion of files, changing of files, etc., maybe

Audit:

Accounting:

 
Thanks for replying so quickly. It looks like I've got a lot of reading to do!
 
 