You are not logged in.
For a few months I've been using the following command to track the login and logoff times of several users:
cat /var/log/auth.log* |grep -E "user $USER" |grep -E "(kdm|lxdm|login:)" |awk '{print $1,$2,$3,$8,$11}' |awk '{if (length($2)==1) $2="0"$2}{print}' |sort -M
However, for the past couple of weeks, the login history is not being recorded into /var/log/auth.log* and the most recent of these files are empty.
My current dilemma is how to extract the login information for each user in order to calculate the number of hours they used the computer.
I'm currently looking into Audit framework and also into acct.
However, for the last couple of weeks, I can't see a way to rescue that information.
I'm in trouble, and I will appreciate a suggestion here
Last edited by xganesh (2014-09-22 17:10:55)
Offline
No idea about the substance of your question, but your command could be simplified considerably (UUOC and awk does pattern matching just fine, so the greps are redundant).
Also, please don't use colour in your text, the red in particular is very hard to read, so it just obscures your message...
Offline
Thanks for replying, and sorry for the flashy markup (I took care of it).
Now about my question, I guess it can be broken down into two parts:
1) Does systemd allow for getting login time information?
2) Since all my boxen running Arch show the /var/log/auth.log* files empty, my guess is that something changed as part of the most recent upgrades. Maybe the task of recording of login times passed to another part of the OS?
I'm asking these questions while reading about these topics, so, eventually, I will find out. Please don't assume I'm being a lazy user, asking to be spoonfed by the experts here. I just hope that, if someone points me in the right direction, I can find the useful information sooner.
Last edited by xganesh (2014-09-18 14:41:59)
Offline
Wasn't it logging to auth.log in pre-systemd times?
You could parse journalctl instead of auth,log.
Offline
Both before and during systemd times it had been loggint into auth.log, with lines like this:
Aug 28 10:48:38 workhost lxdm-session: pam_unix(lxdm:session): session opened for user primeuser by (uid=0)
I will explore journalctl.
Thanks for replying
Offline
Actually, it is easier using journalctl.
journalctl _UID=0 USER_ID=$USER _SYSTEMD_UNIT=systemd-logind.service --since=2014-09-01 --output=short-iso |awk '{$2=""; $3=""; print}'
Thanks a lot for pointing me in the right direction.
Offline