Viewing in the Logs when a user has been Locked

Hi,

We are currently using a SIEM to monitor the user activities that are being done by our SAP third-party companies due to security concerns, which means we wish to send in the rsyslog any command they are performing and, obviously, any authentication successes or failures.

So far, we are receiving the required data; however, we would like to go a step further by viewing logs when a locked user is being used or even if a user has been locked or unlocked. Is this information available in the audit files if we modify the logging level?

Any help would be greatly appreciated.
Regards,
Alexandre Laquerre

Responses

Most things like this appear in /var/log/secure.

Yesterday I happened to lock a user on both RHEL6 and RHEL7 and confirmed today that lock shows up in /var/log/secure on both servers.

Note on RHEL7 systemd is used so you'd also see it in the journal with journalctl. You probably want to get used to using that because at some point (RHEL8 maybe?) they won't populate the /var/log files any longer as that isn't really a systemd thing.

Hi Jeffrey,

Thank you, I will check it out. However, in the interest of time, if we did not see this in the secure log (we are using a RHEL7), can I then assume that perhaps we need to modify the logging level?

Regards, Alexandre

Well, after checking, you were right: the commands for the unlock and lock are indeed mentioned, so thank you for your answer =)

Regards, Alexandre
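
As an added example (not code from any poster in this thread), the following sketch shows how a SIEM pre-filter could pick lock and unlock events out of /var/log/secure and flag password attempts against an account that is currently locked. The sample lines, host name and user name are constructed, and the usermod message wording is an assumption to confirm against your own logs.

```python
import re

# Constructed sample lines in the traditional syslog layout of /var/log/secure.
# Assumption: the account was locked/unlocked with usermod -L / -U and the
# message wording below matches your system; verify against real entries.
SAMPLE_SECURE_LOG = """\
Mar  4 10:15:02 sapapp01 sshd[2211]: Accepted password for vendor1 from 192.0.2.10 port 50514 ssh2
Mar  4 10:17:45 sapapp01 usermod[2290]: lock user 'vendor1' password
Mar  4 10:18:03 sapapp01 sshd[2301]: Failed password for vendor1 from 192.0.2.10 port 50620 ssh2
Mar  4 11:02:19 sapapp01 usermod[2417]: unlock user 'vendor1' password
"""

SYSLOG_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
    r"(?P<prog>[^\s\[:]+)(?:\[\d+\])?:\s(?P<msg>.*)$")
LOCK_MSG = re.compile(r"^(?P<action>lock|unlock) user '(?P<user>[^']+)' password$")
AUTH_FAIL = re.compile(
    r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")

def account_events(text):
    """Return lock/unlock events plus failed logins on currently locked accounts."""
    locked, events = set(), []
    for line in text.splitlines():
        m = SYSLOG_LINE.match(line)
        if not m:
            continue  # not a syslog-formatted line
        base = {"ts": m["ts"], "host": m["host"]}
        lock = LOCK_MSG.match(m["msg"]) if m["prog"] == "usermod" else None
        fail = AUTH_FAIL.match(m["msg"]) if m["prog"] == "sshd" else None
        if lock:
            # Track lock state so later authentication failures can be correlated.
            if lock["action"] == "lock":
                locked.add(lock["user"])
            else:
                locked.discard(lock["user"])
            events.append({**base, "event": lock["action"], "user": lock["user"]})
        elif fail and fail["user"] in locked:
            events.append({**base, "event": "login_attempt_on_locked_account",
                           "user": fail["user"], "src": fail["src"]})
    return events

if __name__ == "__main__":
    for event in account_events(SAMPLE_SECURE_LOG):
        print(event)
```

The lock state is held only in memory for the text passed in, so a production rule would keep that state in the SIEM itself.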