Answer the question
In order to leave comments, you need to log in
How to force last command to show authorizations on portforward?
There are users who use ssh for portforward.
For example, through remmina rdp.
Authorization can be seen in the logs:
/var/log/secure
And at the moment it can be seen in the list of processes:
ps ax
How to make them visible at the moment in the w, who commands?
And how to use the last command to view the history of such connections?
Answer the question
In order to leave comments, you need to log in
/var/log/secure is written by the /sbin/syslogd daemon. And he writes there not inputs, namely authorizations, incl. sudo, sudo su, su, etc.
The syslogd settings can be viewed in /etc/syslog.conf, specifically the line "authpriv.*" means "log all messages received from the kernel that begin with authpriv."
The output of the last command is the result of reading the binary log /var/log/wtmp (man wtmp), into which successful entries are written (I do not recommend opening the log with cat, tail, etc.). The logs (wtmp, utmp, btmp) in turn write to /bin/login and its logout function.
Those. in answer to your question:
1. You can't force /bin/login to log authorization, because he writes inputs;
2. You cannot force /bin/login to log a login if there is no login;
3. You cannot force last to show something that is not written to the logs.
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question