Hi
Does anybody know if there is a way in AIX 5.3 to track how a user was logged off? For instance where the user typed exit, hit crtl D, shell process was killed, etc.
I know of the last log entries but this just shows a users login time and duration. I also tried syslog but I only get login details and not logout detail
thanx
Not that I know of. Did some user complain about being logged off? 
Hey, thanx for the quick response
You know users, always complaining. The users say they get "kicked-off" the system by the application. But some how I don't believe them?! I asked the client if the users get "timed-out" or actually kicked-off the system and they say kicked-off.
So the user's are pointing at the application guys, the application guys are pointing at the OS guys and nobody can show otherwise ?
Any ideas ?
For example you could have nmap running on some Linux box and check if the applications ports are reachable every second and test it's exit code with $? and just write a log for it. Maybe put that Linux PC in the same net like one of the clients having that problem, just to make the network environment the same.
Also you could check if your box has any performance (have a vmstat 1 running and when they call that it happened, check it) problems or shows network errors or something like that. Do the people get disconnected while other people or applications can still communicate with the app?
Maybe you can check the switches/routers that are in between the clients to your server for errors too.
Also the app guys should show their log for the time when this/these disconnect(s) happen. Maybe their app is reporting something.
Maybe it's also the same users every time or some kind of pattern noticeable like that only users from some subnet have this problems or with some sort of workstation?
What kind of application is running there?
Edit: You could also have tcpdump running and search it with ethereal/wireshark.
You could enforce shell exit taking place only via a command ("set -o ignoreeof"). Now it is not possible any more to log off via "^D" but you have to use the "exit" command.
Create now an alias overriding "exit" with a small function which logs the logoff. Log the logon process too.
If you have a session with a logon but no corresponding logoff it has to be terminated by some outside event: coredump of the shell, termination of session, whatever.
One observation about your problem explanation: the users and the application developers may be both correct. If the application times out the users and the users have a login script starting the application session automatically, followed by an exit it might not be possible for them to tell the difference between a kick-off and a timeout. Consider the following "~/.profile":
PATH=/some/path ; export PATH
/some/where/application
exit
The user would log on, the application would come up automatically and when the app times out the user gets logged off. It appears to him as if the machine has kicked him off (which essentially is true, just in a diferent way he'd expect).
I hope this helps.
bakunin
wow guys
Excellent feedback I really appreciate the help. I will speak with the app guys and users to find out more and then definatly look into "set -o ignoreeof", that sounds exactly like what we'r lookinf for.
Thanx again for all the help