Is it possible to log when a user logs out of a session on Linux using Auditctl?
My current audit.rules relating to users are:
-w /etc/login.defs -p xwa -k login
-w /etc/securetty -p xwa -k login
-w /var/log/faillog -p xwa -k login
-w /var/log/lastlog -p xwa -k login
-w /var/log/tallylog -p xwa -k login
-w /var/log/secure -p xwa -k login
I can't see anything obvious in /var/log that I can watch, so I assume this is going to need some more configuration?
Best Answer
This very much depends on what OS/distribution you are using:
Fedora 20 and RHEL7 use systemd, so all login/logout actions can be viewed using journalctl:
In RHEL6 these actions are logged to /var/log/auth.log.
For configuration specific to auditd, check out the excellent introduction to the audit system by Scott Pack, from the example configuration in that article:
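
Added example, not part of the answer or of the linked article: the answer notes that login/logout actions end up in the system auth log, so this Python script pairs pam_unix "session opened" and "session closed" lines to report logouts, sessions still open, and logouts with no matching login. The pam_unix line format, the constructed sample lines and the name `pair_sessions` are assumptions; the real format depends on the distribution and syslog configuration.

```python
import re

# Constructed sample lines in the usual pam_unix syslog format (assumed).
SAMPLE_LOG = """\
Mar  3 09:14:02 host1 sshd[2101]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Mar  3 09:20:45 host1 sshd[2188]: pam_unix(sshd:session): session opened for user bob by (uid=0)
Mar  3 09:31:10 host1 sshd[2101]: pam_unix(sshd:session): session closed for user alice
Mar  3 09:40:00 host1 su[2290]: pam_unix(su:session): session opened for user root by alice(uid=1000)
Mar  3 09:41:12 host1 su[2290]: pam_unix(su:session): session closed for user root
Mar  3 09:50:03 host1 sshd[2400]: pam_unix(sshd:session): session closed for user carol
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\s(?P<proc>[\w.-]+)\[(?P<pid>\d+)\]:\s"
    r"pam_unix\((?P<svc>[^:]+):session\):\ssession\s(?P<event>opened|closed)\s"
    r"for user (?P<user>\S+)"
)

def pair_sessions(log_text):
    """Return (completed, still_open, orphan_closes) from pam_unix session lines."""
    open_sessions = {}  # (service, pid, user) -> login timestamp
    completed, orphans = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a session open/close record
        # Assumption: open and close are logged by the same process (same PID).
        key = (m["svc"], m["pid"], m["user"])
        if m["event"] == "opened":
            open_sessions[key] = m["ts"]
        elif key in open_sessions:
            completed.append({"user": m["user"], "service": m["svc"],
                              "login": open_sessions.pop(key), "logout": m["ts"]})
        else:
            # Logout with no matching login: rotated log or a gap in logging.
            orphans.append({"user": m["user"], "service": m["svc"], "logout": m["ts"]})
    still_open = [{"user": u, "service": s, "login": ts}
                  for (s, _pid, u), ts in open_sessions.items()]
    return completed, still_open, orphans

if __name__ == "__main__":
    done, live, orphaned = pair_sessions(SAMPLE_LOG)
    for rec in done:
        print("logout:", rec)
    print("still open:", live)
    print("unmatched logouts:", orphaned)
```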