Arpit9568
Hi Guys,

Is there any way in Linux (RedHat) we can get the details of a stopped process, like which user terminated the process, the reason for termination, the time and date of termination, etc.?

Please help me with this.

Thanks in advance!
 


Have a look in the system logs /var/log/syslog and /var/log/messages.


A handful of useful commands are listed in this link:


To see who is logged in, open the terminal, type w and hit Enter.

To check login history:

  1. /var/run/utmp: It contains information about the users who are currently logged onto the system. The who command is used to fetch the information from this file.
  2. /var/log/wtmp: It contains the historical utmp. It keeps the users' login and logout history. ...
  3. /var/log/btmp: It contains bad login attempts.
Hope that helps.
 
Hi Alexzee, Thanks for the reply!

I got the logs and the details of the process, but when I checked the utmp files to check who certainly terminated it... the data isn't human readable in Notepad++. Also, there are no wtmp and btmp files either. Could you please help me with this?
 
Are you the administrator?

To be able to read the utmp, wtmp and btmp files, you have to run these commands in the terminal to view them.

{ To open the wtmp file and view its content, use the command below }
last -f /var/log/wtmp

{ To see the still logged-in users, view the utmp file with the last command }
last -f /var/run/utmp

{ To view the btmp file, use the same command }
last -f /var/log/btmp

Also you can run this command, but you will have to run it as root for it to show you what is in /var/log/btmp.
lastb

See this article in this link, it will help you.

Also you may want to look into encrypted vaults.

This could be a security risk and @KGIII may be able to assist you with this much better than I.
 
If I understand correctly, finding out after the fact is difficult unless you've installed auditing software. Installing auditing software after the fact doesn't help, it needs to be installed ahead of time.

I've played with some auditing stuff, but never actually used it for anything. Well, not the kind of auditing we're talking about here. I have auditing software for my sites, but that's an entirely different bowl of wax.
 
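The kind of auditing KGIII describes above, shown concretely with the Linux audit framework (auditd, the audit package on RHEL): a rule that records every kill() syscall, and a parser for the resulting records. This is an added example, not code from the thread; the rule key "proc_kill" and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): auditd can record who sent a signal to
# a process, which syslog and the utmp/wtmp files discussed above cannot tell.
#
# One-time setup on the RHEL host (root, audit package installed); the key
# name "proc_kill" is an arbitrary label chosen here:
#   auditctl -a always,exit -F arch=b64 -S kill -S tkill -S tgkill -k proc_kill
# Put the same line in /etc/audit/rules.d/proc_kill.rules to survive reboots,
# then query with:   ausearch -k proc_kill -i
#
# parse_kill_events reads raw /var/log/audit/audit.log lines (a file argument,
# or stdin) and prints one line per successful, non-probe signal delivery.
parse_kill_events() {
    awk '
    function hex2dec(h,   i, n) {
        n = 0; h = tolower(h)
        for (i = 1; i <= length(h); i++)
            n = n * 16 + index("0123456789abcdef", substr(h, i, 1)) - 1
        return n
    }
    /^type=SYSCALL / && /key="proc_kill"/ {
        split("", f)
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            if (eq == 0) continue
            v = substr($i, eq + 1); gsub(/"/, "", v)
            f[substr($i, 1, eq - 1)] = v
        }
        # msg=audit(EPOCH.MS:SERIAL): -> keep the epoch seconds
        ts = f["msg"]; sub(/^audit\(/, "", ts); sub(/\..*$/, "", ts)
        sig = hex2dec(f["a1"]); target = hex2dec(f["a0"])   # a0=pid, a1=signal (hex)
        # auid is the login uid: it survives su/sudo, so it names the human
        if (f["success"] == "yes" && sig > 0)
            printf "%s auid=%s uid=%s pid=%s sent signal %d to pid %d via %s\n",
                   ts, f["auid"], f["uid"], f["pid"], sig, target, f["comm"]
    }' "$@"
}

# Constructed sample records (not captured from a real host): a sudo'd SIGKILL
# by login uid 1001, a SIGTERM from a root shell, and a signal-0 liveness probe.
sample_audit_log() {
    cat <<'EOF'
type=SYSCALL msg=audit(1620900000.123:456): arch=c000003e syscall=62 success=yes exit=0 a0=4d2 a1=9 a2=0 a3=0 items=0 ppid=2000 pid=2001 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="kill" exe="/usr/bin/kill" key="proc_kill"
type=PROCTITLE msg=audit(1620900000.123:456): proctitle=6B696C6C
type=SYSCALL msg=audit(1620900100.500:470): arch=c000003e syscall=62 success=yes exit=0 a0=1a85 a1=f a2=0 a3=0 items=0 ppid=3000 pid=3001 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="bash" exe="/usr/bin/bash" key="proc_kill"
type=SYSCALL msg=audit(1620900200.000:480): arch=c000003e syscall=62 success=yes exit=0 a0=4d2 a1=0 a2=0 a3=0 items=0 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd" exe="/usr/lib/systemd/systemd" key="proc_kill"
EOF
}

sample_audit_log | parse_kill_events
```

Note that this only catches signals sent by another process; a process that exits on its own, crashes, or is killed by the kernel OOM killer leaves no kill() record, so pair it with the journalctl/syslog checks mentioned in the thread.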
Take a look at sar, journalctl, and if it happens frequently, something like strace.
 