SMI User and Audit Tracking Commands

This section provides the list of user and audit tracking commands used in SMI.

Note
  • All these commands are executed on the node's terminal. Users with sudo access can execute these commands.

  • You need the wtmp and btmp files in the /var/log directory for the system to store log information.

User Tracking Commands

The following commands are used for user tracking in SMI.

User Tracking Commands

| Command | Description |
|---|---|
| last -F | Displays the list of users logged in during the last session, along with information such as the date and time of the last login. Note: All the user information (login and logout details) is stored in the /var/log/wtmp file. The command fetches all the user information stored in this file from the time the wtmp file was created. Users in the current session are displayed as still logged in. |
| last reboot | Displays the number of times the system was rebooted. |
| lastb | Displays the list of bad login attempts recorded in the /var/log/btmp file. |
| lastlog | Displays each user's last login information (login name, port, and last login time) recorded in the /var/log/lastlog file. |

Audit Tracking Commands

The following commands are used for audit tracking in SMI.

Audit Tracking Commands

| Command | Description |
|---|---|
| sudo aureport -au -i \| more | Displays a summary report of the audit daemon logs. |
| sudo cat /var/log/auth.log \| grep "Failed password" | Displays a list of failed SSH login attempts. |
| sudo journalctl _SYSTEMD_UNIT=ssh.service \| egrep "Failed\|Failure" | Displays a list of all the failed login attempts. |
| sudo journalctl -q _TRANSPORT=audit | Displays audit logs for SSH, SFTP and SCP. |