
I have a server (Amazon Linux) that has been up for 261 days:

[server]$ uptime
 16:29:46 up 261 days,  4:47,  1 user,  load average: 0.05, 0.16, 0.18

I am trying to find out if there have been any unsuccessful login attempts over recent months:

[server]$ lastb

btmp begins Thu Jan  1 04:16:08 2015

There is nothing there, and the server is telling me the /var/log/btmp file starts 14 days ago.

There is one other archived btmp log file in /var/log/:

-rw------- 1 root utmp 75 Jan  1 04:16 /var/log/btmp-20150101.gz

When I unpack this and read it with lastb, I get this:

[server]$ lastb -f btmp-20150101 

btmp-20150101 begins Wed Jan 14 16:21:06 2015

Can anyone tell me what is going on here? My aim is to prove that there have been no invalid login attempts in the 261 days the server has been up, but lastb doesn't appear to be able to confirm this.

Garreth McDaid

1 Answer


My guess is that your logrotate has deleted the files. You can check your logrotate config at:

/etc/logrotate.conf

or

/etc/logrotate.d/btmp

Maybe you have the auth.log file to get the data from?

Matías
  • That was it. I had looked in /etc/logrotate.d/ for a btmp config, but didn't think to look in the logrotate.conf file itself. It was rotating monthly and keeping 1 rotation from the previous month. – Garreth McDaid Jan 14 '15 at 16:46
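
The retention check that the answer and comment above arrive at, as an added example that is not part of the original posts: it reads a logrotate configuration, finds the stanza covering /var/log/btmp, and reports the longest span the retained files can cover, which shows whether lastb can speak for a 261-day window at all. The sample configuration is constructed, and the parser is a simplification that reads only the frequency and `rotate` directives and treats every global directive as a default for every stanza.

```python
import fnmatch

# Constructed sample modelled on a typical logrotate.conf; not the asker's actual file.
SAMPLE_CONF = """\
weekly
rotate 4

/var/log/btmp {
    missingok
    monthly
    create 0600 root utmp
    rotate 1
}
"""
PERIOD_DAYS = {"daily": 1, "weekly": 7, "monthly": 31, "yearly": 366}  # upper bounds

def retention(conf_text, log_path):
    """Return (period, rotate, max_days_kept) for log_path, or None if undetermined."""
    global_lines, body, patterns, match = [], None, [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if body is None and line.endswith("{"):      # stanza header: one or more paths/globs
            patterns, body = line[:-1].split(), []
        elif body is not None and line == "}":       # stanza end: keep it if it names our log
            if any(fnmatch.fnmatch(log_path, p) for p in patterns):
                match = body
            body = None
        elif body is not None:
            body.append(line)
        else:
            global_lines.append(line)
    if match is None:
        return None
    period, rotate = None, 0
    for words in (l.split() for l in global_lines + match):  # stanza overrides globals
        if words and words[0] in PERIOD_DAYS:
            period = words[0]
        elif len(words) == 2 and words[0] == "rotate" and words[1].isdigit():
            rotate = int(words[1])
    if period is None:
        return None
    # The live file plus 'rotate' archives, each spanning at most one period.
    return period, rotate, (rotate + 1) * PERIOD_DAYS[period]

def covers(conf_text, log_path, days_needed):
    """True only if the retained files can span days_needed days."""
    kept = retention(conf_text, log_path)
    return kept is not None and kept[2] >= days_needed
```

With `monthly` and `rotate 1` the retained btmp files span at most about two months, so an empty lastb result says nothing about the rest of the 261 days.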