Our firewall logs show strange entries and we had a strange
issue of a moved directory withour anybody knowing of it.
Are their log files on AIX where i can see who used the system
( logged on, move anything, ... )
Thanks
To see who last logged on to your AIX issue
last command or check /var/adm/messages for the logs.
you can also use the history command to what has been done.
history -1000 will show you the last 1000 list of event done on your AIX
Will history show history for all users or just one user?
I was thinking of grep'ing for mv commands in the .history for each user on the system.
Yeah check the message file and do a history on root or on the user that have the ownership of file or directory that was moved. Also check for the date of the login and the day that the file or directory was moved.
the history file is most likely the hardest to do. as its written to every time and there are a handfull of variables that can be used to override it/erase it/not use it.
who /var/adm/wtmp
This shows the successful logins, time, and ip of all users to your system. There is also a failed login file that can be accessed from:
who /etc/security/failedlogin