Solved

Linux PPTP server log file of user login

Posted on 2014-01-17
Last Modified: 2014-02-19
Hi All,

How do I log users who log in to my PPTP server? My Linux version is RHEL 6, and I installed the PPTP server from the following link. When I go to /var/log/ppp, the folder ppp is empty. How can I see the log for VPN users? Thx!

http://freehostinganswers.com/blog/how-to-install-your-own-vpn-server-in-5-mins-pptp-on-centos-redhat-and-ubuntu/

Question by:piaakit
16 Comments
 
LVL 39

Expert Comment

by:noci
Hi, what kind of log do you mean?
The fact that they log on should be recorded in the /var/log/auth file.

Some of the session info can be found in the /var/log/ppp directory (which contains the log files).

The data they transfer (the activity they do) you need to take down with a packet logging system like tcpdump / wireshark.
 

Author Comment

by:piaakit
The log that shows when they have logged in and which account has been logged in. I want to see the logs related to this. I checked /var/log/PPP and inside it is empty.
 
LVL 39

Expert Comment

by:noci
If you want to see who used the system when, maybe entering
'enable-session' into the ppp config is a better option.
Then you can check the usage & current logins through the last utility.

Otherwise you will have to check your syslog settings (may be different from default).
That probably is configured to log the logins into /var/log/auth & everything else into /var/log/messages; maybe the logins also go to /var/log/messages,

unless a private logfile has been assigned through the ppp config.
 

Author Comment

by:piaakit
Hi Noci,

Under /var/log/messages, I see the log when I connect to the VPN, but it won't show which user has been connecting. How do I enable-session in the ppp config? Thanks a lot for your help!

Keith
 
LVL 39

Expert Comment

by:noci
The key line here is
the second-to-last one: you already have a session-enable or login in the ppp config.
But SELinux is preventing you from updating it in the session database.
"SELinux  is preventing /usr/sbin/pppd "write" on /var/log/wtmp...

wtmp is the session database that last can read to see who logged on. Also, I'm not sure if pppd handles this as an error or as a warning only.

And what about /var/log/auth*?
 

Author Comment

by:piaakit
Hi Noci,

/var/log/auth. I can't find this auth in the location. Do I have to disable SELinux?
 
LVL 21

Expert Comment

by:Mazdajai
>>The log that can see when they have logged in and which account has been logged in.

Have you examined 'last'? Sample output -

kadmin pts/0        kztux.kze.local  Wed Feb 22 01:39 - 02:27  (00:48)    
kadmin tty1                          Tue Feb 21 16:42 - 16:42  (00:00)    
root     tty1                          Tue Feb 21 16:35 - 16:42  (00:06)    
reboot   system boot  2.6.32-220.el6.x Tue Feb 21 16:27 - 12:56  (20:29)    
kadmin tty1                          Mon Feb 20 15:23 - down   (00:00)    
root     tty1                          Mon Feb 20 14:49 - 15:23  (00:34)    
root     tty1                          Mon Feb 20 14:45 - 14:48  (00:03)    
reboot   system boot  2.6.32-220.el6.x Mon Feb 20 14:42 - 15:24  (00:42) 

 
LVL 39

Expert Comment

by:noci
The last command won't show ppp logons in your case because pppd is forbidden to write into the file wtmp through SELinux.
Try to run SELinux in permissive or disable it (there are differences in that).
And see what last supplies then.
IMHO this is an error in the SELinux profile for pppd.

In the syslog config file (/etc/syslogd.conf) there is a line with auth.*
After that there is a filename; that is the exact filename to check.

If syslog-ng is used, the filename & rules are a little more complex.
grep -C 3 auth /etc/syslog*
might give the wanted info.

Author Comment

by:piaakit
Hi Noci,

In /etc/ I cannot find syslogd.conf. I set up my PPTP server by following the link below. Do the steps in the link below not show how to enable logging for the PPTP service?

http://freehostinganswers.com/blog/how-to-install-your-own-vpn-server-in-5-mins-pptp-on-centos-redhat-and-ubuntu/
 

Author Comment

by:piaakit
Below is the log from /var/log/messages; it is saying that "SELinux is preventing /usr/sbin/pppd "write" access on wtmp. for the complete selinux messages: selinux  messages. run ......"

My SELinux is already disabled.
 
LVL 39

Expert Comment

by:noci
After setting disabled in the config file, did you reboot?
SELinux can only be disabled through a boot, after which it won't be activated.
 
LVL 21

Expert Comment

by:Mazdajai
Try -

setenforce 0

This will put SELinux in permissive mode. If you decide to enable SELinux you can simply flip it back without relabeling the entire file system.
 
LVL 39

Expert Comment

by:noci
Well, if in SELinux enforcing mode ppp doesn't log what is needed, then it makes no sense to set it enforcing. And permissive mode isn't that useful, except for maintaining the file labeling as you say. If SELinux will only be used in permissive then it can be disabled as well. Then at least the overhead of checking is removed too.
 

Author Comment

by:piaakit
Hi Noci,

After disabling SELinux and checking /var/log/messages, I am still seeing the same log as before; it cannot display the VPN user name. See attached screenshot.

Keith
 
LVL 39

Accepted Solution

by:
noci earned 500 total points
Now the last command will show you the logins that happened.
Literally type
last
and then Enter.

man last
will show some explanation of the last command & options.
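
Added example, not part of the original thread: what `last` reads from the wtmp session database, shown as a small parser that lists only PPP sessions with user, remote host, login and logout time. It assumes the 384-byte Linux/glibc utmp record layout and that a VPN session can be recognised by a `ppp` prefix in the line or host field (an assumption; compare with your own `last` output). The sample records, user names and addresses are constructed.

```python
import struct
from datetime import datetime, timezone

# Linux/glibc utmp record: 384 bytes, little-endian, padding made explicit.
UTMP = struct.Struct("<h2xi32s4s32s256shhiii16s20x")
USER_PROCESS, DEAD_PROCESS = 7, 8  # login and logout record types

def cstr(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def parse_wtmp(blob):
    """Yield (type, line, user, host, utc_time) for every whole record."""
    usable = len(blob) - len(blob) % UTMP.size  # skip a truncated tail
    for rec in UTMP.iter_unpack(blob[:usable]):
        ut_type, _pid, line, _id, user, host, _t, _e, _sess, sec, _us, _addr = rec
        when = datetime.fromtimestamp(sec, timezone.utc)
        yield ut_type, cstr(line), cstr(user), cstr(host), when

def vpn_sessions(blob, prefix="ppp"):
    """Pair login and logout records for PPP sessions, oldest first."""
    open_by_line, sessions = {}, []
    for ut_type, line, user, host, when in parse_wtmp(blob):
        # Assumption: the PPP interface name shows up in line or host.
        is_ppp = line.startswith(prefix) or host.startswith(prefix)
        if ut_type == USER_PROCESS and is_ppp:
            entry = dict(user=user, line=line, host=host, login=when, logout=None)
            open_by_line[line] = entry
            sessions.append(entry)
        elif ut_type == DEAD_PROCESS and line in open_by_line:
            open_by_line.pop(line)["logout"] = when  # logout closes the line
    return sessions

def make_record(ut_type, line, user, host, sec):
    """Build one constructed record (sample data, not a real log)."""
    return UTMP.pack(ut_type, 0, line.encode(), b"", user.encode(),
                     host.encode(), 0, 0, 0, sec, 0, b"")

# Constructed sample: a console login, two VPN logins, one VPN logout,
# and ten stray bytes standing in for a partially written record.
SAMPLE = b"".join([
    make_record(USER_PROCESS, "tty1", "root", "", 1390000000),
    make_record(USER_PROCESS, "ppp0", "alice", "203.0.113.7", 1390000100),
    make_record(DEAD_PROCESS, "ppp0", "", "", 1390003700),
    make_record(USER_PROCESS, "ppp1", "bob", "198.51.100.9", 1390004000),
]) + b"\0" * 10

if __name__ == "__main__":
    for s in vpn_sessions(SAMPLE):
        print(s["user"], s["line"], s["host"], s["login"], s["logout"] or "open")
```

To check a live system, pass the bytes of /var/log/wtmp to `vpn_sessions` instead of `SAMPLE`. If pppd was blocked from writing wtmp, as in the SELinux message quoted in this thread, the result is empty even though users connected.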
 

Author Comment

by:piaakit
Let me test it.
