Security

I want to show the last login time for users who have ever logged into AIX.

gif_support
New Member

I want to show the last login time for users who have ever logged into AIX.
And I enabled the lastlog stanza:
[script://./bin/lastlog.sh]
sourcetype = lastlog
source = lastlog
interval = 300
index = os
disabled = 0

but I found it didn't work, and in the lastlog.sh script I see:

if [ "x$KERNEL" = "xLinux" ] ; then
    CMD='lastlog'
    FILTER='/Never logged in/ {next} (NR==1) {next}'
    FORMAT='{username = $1; from = (NF==9) ? $3 : "<console>"; latest=$(NF-4) " " $(NF-3) " " $(NF-2) " " $NF}'
elif [ "x$KERNEL" = "xSunOS" ] ; then
    CMD='last -n 999'
    FILTER='{if ($0 == "") exit; if ($1 ~ /reboot|shutdown/ || $1 in users) next; users[$1]=1}'
    FORMAT='{username = $1; from = (NF==10) ? $3 : "<console>"; latest = $(NF-6) " " $(NF-5) " " $(NF-4) " " $(NF-3)}'
elif [ "x$KERNEL" = "xAIX" ] ; then
    failUnsupportedScript
elif [ "x$KERNEL" = "xDarwin" ] ; then
    CMD='last -99'
    FILTER='{if ($0 == "") exit; if ($1 ~ /reboot|shutdown/ || $1 in users) next; users[$1]=1}'
    FORMAT='{username = $1; from = ($0 !~ /                /) ? $3 : "<console>"; latest = $(NF-6) " " $(NF-5) " " $(NF-4) " " $(NF-3)}'
elif [ "x$KERNEL" = "xHP-UX" ] ; then
    CMD='lastb -Rx'
    FORMAT='{username = $1; from = ($2=="console") ? $2 : $3; latest = $(NF-3) " " $(NF-2)" " $(NF-1)}'
    FILTER='{if ($1 == "BTMPS_FILE") next; if (NF==0) next; if (NF<=6) next;}'
elif [ "x$KERNEL" = "xFreeBSD" ] ; then
    CMD='lastlogin'
    FORMAT='{username = $1; from = (NF==8) ? $3 : "<console>"; latest=$(NF-4) " " $(NF-3) " " $(NF-2) " " $(NF-1) " " $NF}'
fi

It says it does not support AIX!
Can anyone help me add AIX to the script? AIX also has a "last" command that shows the last login time for users who have ever logged in.

thanks a lot.

0 Karma
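The thread asks for an AIX branch next to the existing SunOS/Darwin ones. The script below is an added example, not the Splunk add-on's code and not the poster's: it keeps the add-on's CMD/FILTER/FORMAT split and reuses the SunOS FILTER, but the FORMAT locates the month field instead of trusting a fixed NF, so it parses both a Solaris-style line with a weekday and a line without one, and it detects a console login by where the date starts rather than by column count. Two things are assumptions to verify against `last` on the target box: that AIX `last` accepts `-n` as the SunOS branch does, and the column layout of the constructed sample output.

```shell
#!/bin/sh
# Added example (not the Splunk add-on's or the poster's code): a candidate AIX
# branch for lastlog.sh, modelled on the SunOS branch quoted in the question.
# Assumptions, to be checked against `last` on the target host:
#   - AIX `last` accepts -n like the Solaris one (mirrors the SunOS branch);
#   - lines look like "user tty [host] [Weekday] Mon DD HH:MM ...", newest first.

AIX_CMD='last -n 999'

# FILTER: stop at the first blank line (the trailer follows it), drop the
# reboot/shutdown pseudo-users, keep only the first (newest) line per user.
AIX_FILTER='{if ($0 == "") exit; if ($1 ~ /reboot|shutdown/ || $1 in users) next; users[$1]=1}'

# FORMAT: find the month field instead of relying on a fixed NF, so both
# "Mon Mar 11 09:15" (weekday present) and "Mar 11 09:15" (none) parse; a
# console login (no host column) is recognised by the date starting at field 3.
AIX_FORMAT='{
    m = 0
    for (i = 3; i <= NF; i++) if ($i ~ /^(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)$/) { m = i; break }
    if (m == 0) next
    start = ($(m-1) ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/) ? m - 1 : m
    username = $1
    from = (start > 3) ? $3 : "<console>"
    latest = ""
    for (i = start; i <= m + 2; i++) latest = latest (i > start ? " " : "") $i
    print username, from, latest
}'

# lastlog_aix: apply FILTER then FORMAT to whatever `last` output arrives on stdin.
lastlog_aix() { awk "$AIX_FILTER $AIX_FORMAT"; }

# lastlog_aix_live: what the script branch would run on a real AIX host.
lastlog_aix_live() { $AIX_CMD | lastlog_aix; }

# Constructed sample `last` output (not captured from a real system): weekday and
# no-weekday lines, a console login, a repeated user, a reboot and the trailer.
SAMPLE_LAST_OUTPUT='root      pts/0       10.0.0.5         Mon Mar 11 09:15 - 09:40  (00:25)
alice     pts/1       10.0.0.6         Mon Mar 11 08:02   still logged in.
root      pts/0       10.0.0.5         Sun Mar 10 17:30 - 17:45  (00:15)
reboot    ~                            Sun Mar 10 08:00
bob       console                      Sat Mar  9 12:00 - 12:30  (00:30)
carol     pts/2       10.0.0.7         Mar 11 07:00 - 07:10  (00:10)
dave      tty0                         Mar 10 06:00 - 06:05  (00:05)

wtmp begins Fri Mar  1 00:00'

# lastlog_aix_sample: run the branch against the constructed sample.
lastlog_aix_sample() { printf '%s\n' "$SAMPLE_LAST_OUTPUT" | lastlog_aix; }

lastlog_aix_sample
```

Run it as-is to see one `username from latest` line per user from the sample; on an AIX host, run `last -n 999 | head` first and compare the columns with the sample before wiring `lastlog_aix_live` into the script. The per-user dedupe relies on `last` listing newest entries first, which is what the SunOS branch assumes as well.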

gcusello
SplunkTrust

Hi gif_support,
to have successful logins in AIX (if enabled) you could also take audit logs from "/var/log/secure" and search for the strings "Accepted password for" OR "session opened for".
Bye.
Giuseppe

0 Karma

gif_support
New Member

Is there any reference about monitoring log files such as /var/log/secure?
And how do I achieve it?

0 Karma

gcusello
SplunkTrust

Hi gif_support,
I'm not an AIX specialist, but to my knowledge, in "/var/log/secure" (as on other Linux-based systems) there are audit logs.
When I worked on AIX logins, I remember that login auditing must be enabled by the system administrator, but when enabled, in "/var/log/secure" you can find all that you need.

Bye.
Giuseppe

0 Karma
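Giuseppe's suggestion is to search the log for "Accepted password for" and "session opened for". The script below is an added example (not from either poster) that turns that search into the same per-user "latest login" result the question asks for: it keeps the newest successful event per user and the source address from the "Accepted" line. The sample lines are constructed in Linux sshd/PAM syslog format; whether an AIX host writes that format to /var/log/secure is an assumption to confirm against the real file.

```shell
#!/bin/sh
# Added example (not from the thread): derive latest successful login per user
# from syslog-style lines matching the two strings suggested in the reply.
# Assumption: the sample below uses Linux sshd/PAM wording; check the real
# /var/log/secure on the AIX host and adjust the field positions if they differ.

# Constructed sample log lines (not captured from a real system).
SAMPLE_SECURE_LOG='Mar 11 09:15:02 aixhost sshd[4021]: Accepted password for alice from 10.0.0.6 port 51422 ssh2
Mar 11 09:15:02 aixhost sshd[4021]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Mar 11 09:20:17 aixhost sshd[4100]: Failed password for root from 10.0.0.9 port 40011 ssh2
Mar 11 10:02:44 aixhost sshd[4188]: Accepted publickey for bob from 10.0.0.7 port 50233 ssh2
Mar 11 10:40:00 aixhost login[4301]: pam_unix(login:session): session opened for user carol by LOGIN(uid=0)'

# successful_logins: read log lines on stdin, print "user from timestamp" once per
# user, keeping the newest event. "Accepted" lines carry the source address
# (fields: 1-3 timestamp, 7 method, 9 user, 11 source); "session opened" lines
# only name the user, so they get "<local>" unless an "Accepted" line already
# recorded a source. Failed attempts never match and are ignored.
successful_logins() {
    awk '
        /Accepted (password|publickey) for/ {
            latest[$9] = $1 " " $2 " " $3
            src[$9] = $11
            next
        }
        /session opened for user/ {
            for (i = 1; i <= NF; i++) if ($i == "user") { u = $(i+1); break }
            latest[u] = $1 " " $2 " " $3
            if (!(u in src)) src[u] = "<local>"
        }
        END { for (u in latest) print u, src[u], latest[u] }
    '
}

# successful_logins_sample: run the extraction against the constructed sample.
successful_logins_sample() { printf '%s\n' "$SAMPLE_SECURE_LOG" | successful_logins; }

successful_logins_sample
```

Because the sample is ordered by time, "newest wins" is a plain overwrite; on a real file that is rotated or merged out of order, compare timestamps before overwriting. Note that the "Failed password" line for root is not reported, which is the point of matching only the success strings.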