
Linux PPTP server log file of user login

Posted on 2014-01-17
Last Modified: 2014-02-19
Hi All

How do I log the users who log in to my PPTP server? My Linux version is RHEL 6, and I installed the PPTP server from the following link. When I go to /var/log/ppp, the folder ppp is empty. How can I see the log for VPN users? Thanks!

http://freehostinganswers.com/blog/how-to-install-your-own-vpn-server-in-5-mins-pptp-on-centos-redhat-and-ubuntu/

[image: screen]
Question by:piaakit
16 Comments
 
LVL 40

Expert Comment

by:noci
ID: 39791410
Hi, what kind of log do you mean?
The fact that they logon should be recorded in the /var/log/auth file.

Some of the session info can be found in the /var/log/ppp directory (which contains the log files).

The data they transfer (the activity they do) you need to take down with a packet logging system like tcpdump / wireshark.
0
 

Author Comment

by:piaakit
ID: 39791654
The log that shows when they logged in and which account logged in. I want to see the logs related to this. I checked /var/log/PPP; inside it is empty.
0
 
LVL 40

Expert Comment

by:noci
ID: 39792164
If you want to see who used the system when, maybe entering
'enable-session' into the ppp config is a better option.
Then you can check the usage & current logins through the last utility.

Otherwise you will have to check your syslog settings (they may be different from the default).
That probably is configured to log the logins into /var/log/auth & everything else into /var/log/messages; maybe the logins also go to /var/log/messages,

unless a private logfile has been assigned through the ppp config.
0

 

Author Comment

by:piaakit
ID: 39792260
Hi Noci

Under var/log/messages, I see the log when I connected to the VPN, but it won't show which user has been connecting. How do I put enable-session into the ppp config? Thanks a lot for your help!

[image: log]
keith
0
 
LVL 40

Expert Comment

by:noci
ID: 39793827
The key line here is the second-to-last one: you already have a session-enable or login in the ppp config.
But SELinux is preventing you from updating it in the session database:
"SELinux  is preventing /usr/sbin/pppd "write" on /var/log/wtmp...

wtmp is the session database that last can read to see who logged on. Also, I'm not sure if pppd handles this as an error or as a warning only.

And what about /var/log/auth*?
0
 

Author Comment

by:piaakit
ID: 39794427
Hi Noci

/var/log/auth: I can't find this auth in that location. Do I have to disable SELinux?
0
 
LVL 21

Expert Comment

by:Mazdajai
ID: 39794429
>>The log that can see when they have logged in and which account has been logged in.

Have you examined 'last'? Sample output -

kadmin pts/0        kztux.kze.local  Wed Feb 22 01:39 - 02:27  (00:48)    
kadmin tty1                          Tue Feb 21 16:42 - 16:42  (00:00)    
root     tty1                          Tue Feb 21 16:35 - 16:42  (00:06)    
reboot   system boot  2.6.32-220.el6.x Tue Feb 21 16:27 - 12:56  (20:29)    
kadmin tty1                          Mon Feb 20 15:23 - down   (00:00)    
root     tty1                          Mon Feb 20 14:49 - 15:23  (00:34)    
root     tty1                          Mon Feb 20 14:45 - 14:48  (00:03)    
reboot   system boot  2.6.32-220.el6.x Mon Feb 20 14:42 - 15:24  (00:42) 

0
 
LVL 40

Expert Comment

by:noci
ID: 39794485
The last command won't show ppp logons in your case because pppd is forbidden to write into the file wtmp through SELinux.
Try to run SELinux in permissive mode or disable it (there are differences between the two).
And see what last supplies then.
IMHO this is an error in the SELinux profile for pppd.

In the syslog config file (/etc/syslogd.conf) there is a line with auth.*
After that there is a filename; that is the exact filename to check.

If syslog-ng is used the filename & rules are a little more complex.
grep -C 3 auth /etc/syslog*
might give the wanted info.
0
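
Added example, not part of the thread: a shell helper that confirms the denial discussed above from audit-log text, so the blocked pppd write to wtmp can be verified before the SELinux mode is changed. The log records are constructed samples in the standard AVC format; the function names and the pppd_t/wtmp_t labels inside the samples are assumptions.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials logged for pppd.
# Reads audit.log-format text on stdin; prints one line per distinct denial:
#   <count> <permissions> <tclass> <target name> <source type> -> <target type>
pppd_denials() {
    awk '
    /type=AVC/ && /denied/ && /comm="pppd"/ {
        perm = name = tclass = stype = ttype = "?"
        # Permissions sit between braces, e.g. "denied  { write }".
        if (match($0, /[{][^}]*[}]/)) {
            perm = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perm)
            gsub(/ +/, ",", perm)
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^name=/)     { name = $i; sub(/^name=/, "", name); gsub(/"/, "", name) }
            if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
            # Contexts are user:role:type:level; policy rules refer to the type.
            if ($i ~ /^scontext=/) { split(substr($i, 10), c, ":"); stype = c[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); ttype = c[3] }
        }
        seen[perm " " tclass " " name " " stype " -> " ttype]++
    }
    END { for (k in seen) printf "%d %s\n", seen[k], k }' | sort
}

# Constructed sample records (not taken from the poster's server).
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1390000000.101:201): avc:  denied  { write } for  pid=2101 comm="pppd" name="wtmp" dev=dm-0 ino=1311 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:object_r:wtmp_t:s0 tclass=file
type=SYSCALL msg=audit(1390000000.101:201): arch=c000003e syscall=2 success=no exit=-13 comm="pppd" exe="/usr/sbin/pppd"
type=AVC msg=audit(1390000300.552:238): avc:  denied  { write } for  pid=2188 comm="pppd" name="wtmp" dev=dm-0 ino=1311 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:object_r:wtmp_t:s0 tclass=file
type=AVC msg=audit(1390000400.010:240): avc:  denied  { read } for  pid=2200 comm="httpd" name="secret" dev=dm-0 ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
EOF
}

# On a real host (as root): pppd_denials < /var/log/audit/audit.log
sample_audit_log | pppd_denials
```

If the summary shows only the wtmp write, the same AVC lines can be passed to audit2allow -M with a module name of your choice and the resulting module loaded with semodule -i, which permits that one access while SELinux stays enforcing.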
 

Author Comment

by:piaakit
ID: 39805784
Hi Noci

In /etc/ I cannot find syslogd.conf. I set up my PPTP server by following the link below; do the steps at that link not show how to enable logging for the PPTP service?


http://freehostinganswers.com/blog/how-to-install-your-own-vpn-server-in-5-mins-pptp-on-centos-redhat-and-ubuntu/
0
 

Author Comment

by:piaakit
ID: 39805918
Below is the log from /var/log/messages. It says "SELinux is preventing /usr/sbin/pppd "write" access on wtmp. for the complete selinux messages: selinux  messages. run ......

My SELinux is already disabled.

[image: log]
0
 
LVL 40

Expert Comment

by:noci
ID: 39807200
After setting disabled in the config file, did you reboot?
SELinux can only be disabled through a boot, after which it won't be activated.
0
 
LVL 21

Expert Comment

by:Mazdajai
ID: 39808155
Try -

setenforce 0 

This will put selinux in permissive mode. If you decide to enable selinux you can simply flip it back without relabeling the entire file system.
0
 
LVL 40

Expert Comment

by:noci
ID: 39813908
Well, if in SELinux enforcing mode ppp doesn't log what is needed, then it makes no sense to set it enforcing. And permissive mode isn't that useful, except for maintaining the file labeling as you say. If SELinux will only be used in permissive mode then it can be disabled as well. Then at least the overhead of checking is removed too.
0
 

Author Comment

by:piaakit
ID: 39825972
Hi Noci

After disabling SELinux, I checked /var/log/messages and I still see the same log as before; it does not display the VPN user name. See the attached screenshot.

[image: pptp]

Keith
0
 
LVL 40

Accepted Solution

by:noci (earned 2000 total points)
ID: 39828227
Now the last command will show you the logins that happened.
Literally type
last
and then press Enter.

man last
will show some explanation of the last command & its options.
0
 

Author Comment

by:piaakit
ID: 39866484
Let me test it.
0
