How to force last command to show authorizations on portforward?

P

pcdesign2014-12-09 13:42:21

linux

pcdesign, 2014-12-09 13:42:21

There are users who use ssh for portforward.
For example, through remmina rdp.
Authorization can be seen in the logs:
/var/log/secure
And at the moment it can be seen in the list of processes:
ps ax
How to make them visible at the moment in the w, who commands?
And how to use the last command to view the history of such connections?

Reply

Answer the question

In order to leave comments, you need to log in

1 answer(s)

A

Andrew, 2014-12-09
@pcdesign

/var/log/secure is written by the /sbin/syslogd daemon. And he writes there not inputs, namely authorizations, incl. sudo, sudo su, su, etc.
The syslogd settings can be viewed in /etc/syslog.conf, specifically the line "authpriv.*" means "log all messages received from the kernel that begin with authpriv."
The output of the last command is the result of reading the binary log /var/log/wtmp (man wtmp), into which successful entries are written (I do not recommend opening the log with cat, tail, etc.). The logs (wtmp, utmp, btmp) in turn write to /bin/login and its logout function.
Those. in answer to your question:
1. You can't force /bin/login to log authorization, because he writes inputs;
2. You cannot force /bin/login to log a login if there is no login;
3. You cannot force last to show something that is not written to the logs.