Auth.log / usernames: Difference between revisions
From Andreida
Latest revision as of 17:22, 6 June 2023
=== invalid users ===

 grep -o 'invalid user.*' /var/log/auth.log | cut -d ' ' -f3 | sort | uniq -c | sort -n

=== successful logins ===

 grep -o 'New session .*' /var/log/auth.log | cut -d ' ' -f6 | sed 's/\.$//' | sort | uniq -c | sort -n

These are only direct and SSH logins, not, for example, logins to Dovecot/Exim4.

To find out more about a particular user's logins, a starting point is (for example, user 'root'):

 grep 'New session [0-9]* of user root' /var/log/auth.log
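The two counts above, as an added example that is not part of the original page: it reports invalid-user attempts per name together with the number of distinct source addresses, copes with an empty username, and keeps dotted usernames intact in the session count. The function names and the sample log lines are constructed for illustration; the script assumes sshd's usual "Invalid user NAME from IP port N" line.

```shell
#!/bin/sh
# Added example, not from the original page. Sample log lines are constructed;
# the addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG='Jun  6 17:01:02 host sshd[1001]: Invalid user admin from 203.0.113.5 port 40022
Jun  6 17:01:04 host sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 40022 ssh2
Jun  6 17:01:09 host sshd[1002]: Invalid user admin from 198.51.100.7 port 51111
Jun  6 17:01:15 host sshd[1003]: Invalid user  from 203.0.113.5 port 40100
Jun  6 17:01:20 host sshd[1004]: Invalid user test from 203.0.113.5 port 40200
Jun  6 17:02:00 host systemd-logind[400]: New session 12 of user root.
Jun  6 17:03:00 host systemd-logind[400]: New session 13 of user john.doe.
Jun  6 17:04:00 host systemd-logind[400]: New session 14 of user root.'

# Prints "<attempts> <distinct source IPs> <name>" per attempted username.
# Only the capitalised "Invalid user" line is counted, so the follow-up
# "Failed password for invalid user" line does not inflate the numbers.
invalid_users() {
    awk '/sshd/ {
        for (i = 1; i + 2 <= NF; i++)
            if ($i == "Invalid" && $(i + 1) == "user") break
        if (i + 2 > NF) next
        name = $(i + 2); ip = $(i + 4)
        # Empty username: the word after "user" is already the keyword "from".
        if (name == "from" && $(i + 3) != "from") { name = "<empty>"; ip = $(i + 3) }
        n[name]++
        if (!((name, ip) in seen)) { seen[name, ip] = 1; ips[name]++ }
    }
    END { for (u in n) print n[u], ips[u], u }' "$1" | LC_ALL=C sort -k1,1n -k3
}

# Prints "<sessions> <user>"; strips only the final "." of the log line,
# so a name such as john.doe is not cut at its first dot.
session_users() {
    sed -n 's/.*New session [^ ]* of user \(.*\)\.$/\1/p' "$1" |
        LC_ALL=C sort | uniq -c | awk '{ print $1, $2 }' | LC_ALL=C sort -k1,1n
}

# Stand-alone run on the constructed sample.
tmp=$(mktemp) && printf '%s\n' "$SAMPLE_LOG" > "$tmp"
invalid_users "$tmp"
session_users "$tmp"
rm -f "$tmp"
```

On a real host, pass `/var/log/auth.log` (or a rotated copy) as the argument instead of the temporary file.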