Arpit9568 · New Member · Joined May 13, 2021 · Messages 2 · Reaction score 0 · Credits 19
Hi Guys,

Is there any way in Linux (RedHat) we can get the details of a stopped process, like which user terminated the process, the reason for termination, the time and date of termination, etc.?

Please help me with this.

Thanks in advance!
 


Alexzee · Well-Known Member · Joined Jun 1, 2019 · Messages 2,561 · Reaction score 1,269 · Credits 13,752
Have a look in the system logs /var/log/syslog and /var/log/messages.


A handful of useful commands are in this link:


To see who is logged in, open the terminal, type w and hit Enter.

To check login history:

  1. /var/run/utmp: It contains information about the users who are currently logged onto the system. The who command is used to fetch the information from this file.
  2. /var/log/wtmp: It contains historical utmp. It keeps the users' login and logout history. ...
  3. /var/log/btmp: It contains bad login attempts.
Hope that helps.
 
Arpit9568 (OP) · New Member · Joined May 13, 2021 · Messages 2 · Reaction score 0 · Credits 19
Hi Alexzee, thanks for the reply!

I got the logs and the details of the process, but when I checked the utmp files to check who certainly terminated it... the data isn't human readable in Notepad++. Also, there are no wtmp and btmp files either. Could you please help me with this?
 

Alexzee · Well-Known Member · Joined Jun 1, 2019 · Messages 2,561 · Reaction score 1,269 · Credits 13,752
Hi Alexzee, thanks for the reply!

I got the logs and the details of the process, but when I checked the utmp files to check who certainly terminated it... the data isn't human readable in Notepad++. Also, there are no wtmp and btmp files either. Could you please help me with this?

Are you the administrator?

To be able to read the utmp, wtmp and btmp files you have to run these commands in the terminal to view them.

To open the wtmp file and view its content, use the command below:
last -f /var/log/wtmp

To see still-logged-in users, view the utmp file with the last command:
last -f /var/run/utmp

To view the btmp file, use the same command:
last -f /var/log/btmp

Also, you can run this command, but you will have to run it as root to show you what is in /var/log/btmp:
lastb

See the article at this link; it will help you.

Also, you may want to look into encrypted vaults.

This could be a security risk and @KGIII may be able to assist you with this much better than I.
 

KGIII · Super Moderator · Staff member · Gold Supporter · Joined Jul 23, 2020 · Messages 8,154 · Reaction score 6,993 · Credits 66,214
If I understand correctly, finding out after the fact is difficult unless you've installed auditing software. Installing auditing software after the fact doesn't help, it needs to be installed ahead of time.

I've played with some auditing stuff, but never actually used it for anything. Well, not the kind of auditing we're talking about here. I have auditing software for my sites, but that's an entirely different bowl of wax.
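Following up on KGIII's point that auditing has to be running before the event, here is an added example (not posted by anyone in the thread) of what that looks like on a RedHat-family box with auditd: an audit rule for the kill syscall, and a small shell parser that turns the raw records into who (login uid) sent which signal to which process and when. The rule key process_kill, the function name who_killed and the sample records are my own assumptions, not anything from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: turn raw auditd SYSCALL records for the
# kill(2) syscall into "who sent which signal to which pid, and when".
# Assumes x86_64 (arch=b64, syscall 62 is kill) and a rule such as
#   -a always,exit -F arch=b64 -S kill -k process_kill
# in /etc/audit/rules.d/, loaded BEFORE the termination (auditd cannot
# reconstruct events it was not recording). Live use:
#   ausearch -k process_kill --raw | who_killed

who_killed() {
    awk '
    # auditd logs syscall arguments in hex: a0 = target pid, a1 = signal number
    function hex2dec(h,   i, d) {
        d = 0; h = tolower(h)
        for (i = 1; i <= length(h); i++)
            d = d * 16 + index("0123456789abcdef", substr(h, i, 1)) - 1
        return d
    }
    BEGIN { names[1] = "SIGHUP"; names[2] = "SIGINT"; names[9] = "SIGKILL"; names[15] = "SIGTERM" }
    /^type=SYSCALL / && / syscall=62 / && / success=yes / {
        split("", f)                          # reset the key=value map per record
        for (i = 1; i <= NF; i++) { split($i, kv, "="); f[kv[1]] = kv[2] }
        split(f["msg"], m, /[(.]/)            # msg=audit(EPOCH.ms:serial): so m[2] is the epoch
        sig = hex2dec(f["a1"])
        name = (sig in names) ? names[sig] : "sig" sig
        # auid is the login uid, kept across su/sudo; 4294967295 means unset (no login session, e.g. a daemon)
        who = (f["auid"] == "4294967295") ? "unset" : f["auid"]
        gsub(/"/, "", f["comm"])
        printf "%s auid=%s pid=%d %s via=%s\n", m[2], who, hex2dec(f["a0"]), name, f["comm"]
    }'
}

# Constructed sample records (not real logs) in the audit.log format; the third
# record is an execve (syscall 59) and must be ignored by the parser.
AUDIT_SAMPLE='type=SYSCALL msg=audit(1620900000.123:456): arch=c000003e syscall=62 success=yes exit=0 a0=4d2 a1=f a2=0 a3=7ffd0 items=0 ppid=2101 pid=2200 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="kill" exe="/usr/bin/kill" key="process_kill"
type=SYSCALL msg=audit(1620903600.500:789): arch=c000003e syscall=62 success=yes exit=0 a0=4d2 a1=9 a2=0 a3=0 items=0 ppid=1 pid=2300 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="systemd" exe="/usr/lib/systemd/systemd" key="process_kill"
type=SYSCALL msg=audit(1620903601.000:790): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=1 pid=2400 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts1 ses=5 comm="bash" exe="/usr/bin/bash" key="exec"'

# Expected: two lines, SIGTERM from login uid 1000 via kill, then SIGKILL from an
# unset auid (systemd itself) against the same pid 1234.
printf '%s\n' "$AUDIT_SAMPLE" | who_killed
```

Without such a rule, journalctl still gives you the signal and timestamp for a systemd service (systemd logs "Main process exited, code=killed, status=15/TERM"), but not who sent it; the auid in the audit record is what answers the "which user" part of the question.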
 

dos2unix · Well-Known Member · Joined May 3, 2019 · Messages 1,654 · Reaction score 1,270 · Credits 10,769
Take a look at sar, journalctl, and if it happens frequently, something like strace.
 