Reporting SU and Failedlogins

Hi:-
I am working on an audit report that produces a monthly summary of account activity on a particular AIX host. I am struggling with su activity and failed logins as these tend to come back with more than a month's data.

Is there an easy way that these files can be rotated/cleaned out on a monthly basis, or a way to query /var/adm/sulog or /etc/security/failedlogins so that they only report on the last 30 days?

There are a couple of ways to address this.

One is by truncating the wtmp/failedlogin files with fwtmp.

From the fwtmp man page:

  1. To convert a binary record in wtmp format to an ASCII record called
     dummy.file, enter:

     /usr/sbin/acct/fwtmp < /var/adm/wtmp > dummy.file

     The content of a binary wtmp file is redirected to a dummy ASCII file.

  2. To convert an ASCII dummy.file to a binary file in wtmp format called
     /var/adm/wtmp, enter the fwtmp command with the -ic switch:

     /usr/sbin/acct/fwtmp -ic < dummy.file > /var/adm/wtmp

     The dummy ASCII file is redirected to a binary wtmp file.

After step 1 you could remove X number of lines, manually edit it, etc.

Or the easier way:

who failedlogin|grep $(date +"%b")

This returns the current month's records. It's not the proper way to get that information, as the string for February may be found in the username or hostname, etc. The proper way would be to use awk and compare $(date +"%b") with $3.

Or you could simply truncate the file on the first of every month with:

> /var/adm/wtmp
> /etc/security/failedlogin

Good luck.
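The field-based filter suggested in the reply, as an added example that is not part of the original thread. It assumes the who-style record layout the reply describes (user, tty, month, day, time, host, with the month in $3) and uses constructed sample lines in place of the real /etc/security/failedlogin file, so it runs in any POSIX shell with awk; one sample host name deliberately contains "Feb" to show why a plain grep over-counts.

```shell
# Constructed sample records mimicking `who /etc/security/failedlogin` output
# on AIX: user, tty, month, day, time, host. The host "Febbuild01" is chosen
# so that grepping the whole line for "Feb" matches a January record too.
SAMPLE_FAILEDLOGIN='root     pts/0  Feb 03 09:12  (10.0.0.5)
UNKNOWN_ pts/1  Jan 28 22:41  (Febbuild01)
admin    pts/2  Feb 14 07:05  (10.0.0.9)
oracle   pts/3  Jan 30 18:22  (10.0.0.7)'

# Keep only records whose month field ($3) equals the given abbreviation,
# which is what the reply recommends instead of grep over the whole line.
# Real-file usage on AIX (not run here):
#   who /etc/security/failedlogin | filter_month "$(date +%b)"
filter_month() {
    awk -v m="$1" '$3 == m'
}

# Naive count: grep anywhere on the line (the shortcut from the reply).
count_grep() {
    printf '%s\n' "$SAMPLE_FAILEDLOGIN" | grep -c "$1"
}

# Field-aware count: only records dated in the requested month.
count_awk() {
    printf '%s\n' "$SAMPLE_FAILEDLOGIN" | filter_month "$1" | grep -c .
}

# On the sample data grep reports 3 "Feb" lines, the awk filter reports 2.
echo "grep: $(count_grep Feb)  awk: $(count_awk Feb)"
```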