[RESOLVED] - last command not showing all logons

Posted: 2020/12/03 01:30:32
by warron.french
We have an issue on some servers where a user logging on is authenticating and,
  • it can be confirmed with audit records, using ausearch or reviewing the /var/log/audit/audit.log files (even with using grep),
  • it can be confirmed reviewing the /var/log/messages file,
but it cannot be confirmed with the last command.

What would cause this? Do we need to take some corrective action to improve visibility into whatever is happening on our systems?

Re: last command not showing all logons

Posted: 2020/12/03 02:04:42
by chemal
last reads /var/log/wtmp and man wtmp says:

"There may be more users currently using the system, because not all programs use utmp logging."

I assume it's the same with wtmp logging.

Re: last command not showing all logons

Posted: 2020/12/04 00:16:22
by warron.french
Thanks @chemal.

Merry Christmas?

Re: [RESOLVED] - last command not showing all logons

Posted: 2020/12/08 16:09:14
by warron.french
Found the actual problem, and this post is inappropriately posted in the wrong forum - rather it shouldn't have been asked at all since CentOS Forums no longer support RHEL-variants of v6.x.

The issue was for our RHEL-6.x servers; however, we found that our AWS instance was also missing the appropriate changes.

First, ensure that /etc/ssh/sshd_config has the following syntax exactly:

UsePAM    yes

Second, inside /etc/pam.d/sshd ensure this syntax is in place:

session   required     pam_lastlog.so

That was it.
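
An added example, not part of the original post: a shell check for the two settings named above, run against whatever file paths are passed in. The function names are illustrative, and the `nowtmp` test is an addition based on the pam_lastlog option that turns off the wtmp update.

```shell
#!/bin/sh
# Added example: checks the two settings from the post above.
# File paths are arguments so the checks can be run against copies.
# Assumption: only the named files are read; sshd "Include" directives
# and PAM "include"/"substack" lines are not followed.

# True if the first active UsePAM keyword in an sshd_config is "yes".
# sshd keeps the first value it sees; an absent keyword counts as not set.
usepam_enabled() {
    awk '{ sub(/=/, " ") }   # also accept the keyword=value form
         tolower($1) == "usepam" { found = 1; ok = (tolower($2) == "yes"); exit }
         END { exit !(found && ok) }' "$1"
}

# True if a PAM service file has an active session line that calls
# pam_lastlog.so without "nowtmp" (that option disables the wtmp update).
lastlog_session_present() {
    awk '$1 ~ /^-?session$/ {
             mod = 0; nowtmp = 0
             for (i = 3; i <= NF; i++) {
                 if ($i == "pam_lastlog.so" || $i ~ /\/pam_lastlog\.so$/) mod = 1
                 else if (mod && $i == "nowtmp") nowtmp = 1
             }
             if (mod && !nowtmp) { found = 1; exit }
         }
         END { exit !found }' "$1"
}

# Usage: check_last_visibility /etc/ssh/sshd_config /etc/pam.d/sshd
check_last_visibility() {
    rc=0
    usepam_enabled "$1" || { echo "FAIL: UsePAM is not yes in $1"; rc=1; }
    lastlog_session_present "$2" ||
        { echo "FAIL: no usable pam_lastlog.so session line in $2"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: both settings present"
    return "$rc"
}
```

sshd has to be restarted or reloaded before a change to sshd_config takes effect; the PAM file is read at each new login.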