Security
Highlighted

I want to Shows last login time for users who have ever logged into AIX.

New Member

I want to Shows last login time for users who have ever logged in AIX.
And enable the lastlog stanza:
[script://./bin/lastlog.sh]
sourcetype = lastlog
source = lastlog
interval = 300
index = os
disabled = 0

but I found it didn't work, and i see the lastlog.sh scripts:

if [ "x$KERNEL" = "xLinux" ] ; then
    CMD='lastlog'
    FILTER='/Never logged in/ {next} (NR==1) {next}'
    FORMAT='{username = $1; from = (NF==9) ? $3 : "<console>"; latest=$(NF-4) " " $(NF-3) " " $(NF-2) " " $NF}'
elif [ "x$KERNEL" = "xSunOS" ] ; then
    CMD='last -n 999'
    FILTER='{if ($0 == "") exit; if ($1 ~ /reboot|shutdown/ || $1 in users) next; users[$1]=1}'
    FORMAT='{username = $1; from = (NF==10) ? $3 : "<console>"; latest = $(NF-6) " " $(NF-5) " " $(NF-4) " " $(NF-3)}'

elif [ "x$KERNEL" = "xAIX" ] ; then
failUnsupportedScript

 elif [ "x$KERNEL" = "xDarwin" ] ; then
        CMD='last -99'
        FILTER='{if ($0 == "") exit; if ($1 ~ /reboot|shutdown/ || $1 in users) next; users[$1]=1}'
        FORMAT='{username = $1; from = ($0 !~ /                /) ? $3 : "<console>"; latest = $(NF-6) " " $(NF-5) " " $(NF-4) " " $(NF-3)}'
    elif [ "x$KERNEL" = "xHP-UX" ] ; then
        CMD='lastb -Rx'
        FORMAT='{username = $1; from = ($2=="console") ? $2 : $3; latest = $(NF-3) " " $(NF-2)" " $(NF-1)}' 
        FILTER='{if ($1 == "BTMPS_FILE") next; if (NF==0) next; if (NF<=6) next;}'
    elif [ "x$KERNEL" = "xFreeBSD" ] ; then
        CMD='lastlogin'
        FORMAT='{username = $1; from = (NF==8) ? $3 : "<console>"; latest=$(NF-4) " " $(NF-3) " " $(NF-2) " " $(NF-1) " " $NF}'
    fi

It say does not support AIX !
does any one can help me to add backup the script for AIX? AIX also has "last" command for last login time for users who have ever logged in.

thanks a lot.

0 Karma
Highlighted

Re: I want to Shows last login time for users who have ever logged into AIX.

Legend

Hi gif_support,
to have successful logins in AIX (if enabled) you could also take audit logs from “ /var/log/secure ” and search string " Accepted password for " OR " session opened for ".
Bye.
Giuseppe

0 Karma
Highlighted

Re: I want to Shows last login time for users who have ever logged into AIX.

New Member

does any reference about monitor the logs file such as /var/log/secure ?
and how to achieve?

0 Karma
Highlighted

Re: I want to Shows last login time for users who have ever logged into AIX.

Legend

Hi gif_support,
I'm not an AIX specialist but for my knowledge in "/var/log/secure" (as other linux based systems) there are audit logs.
When I worked for AIX logins, I remember that login auditing must be enabled by system administrator, but when enabled, in "/var/log/secure" you can find all that you need.

Bye.
Giuseppe

0 Karma