Question

Logging or statting Auth Basic on Ubuntu 14.04

If I for example want to know how many times a user has logged in, how can I go about this in a simple or awesome way ?

Subscribe
Share

do you mean the HTTP “WWW-Authenticate: Basic” / “Authorization: Basic” ? If yes, in Nginx you can find the username inside the access_log for each request. I usually grep the username inside the log and count how many times it request the / page.

For example, if i want to know how many times and when the admin user logged in:

# cat logs/access.log | egrep '[0-9\.]+ \- admin .*GET \/ HTTP'
1.2.3.4 - admin [02/Dec/2015:16:44:01 +0100] "GET / HTTP/1.1" [...]
1.2.3.4 - admin [02/Dec/2015:16:44:46 +0100] "GET / HTTP/1.1" [...]

then i use awk to print the timestamp only

# cat logs/access.log | egrep '[0-9\.]+ \- admin .*GET \/ HTTP' | awk '{print $4 $5}'
[02/Dec/2015:16:44:01+0100]
[02/Dec/2015:16:44:46+0100]

then i use sort and uniq to count it

# cat logs/access.log | egrep '[0-9\.]+ \- admin .*GET \/ HTTP' | awk '{print $4 $5}' | sort | uniq -c
      1 [02/Dec/2015:16:44:01+0100]
      1 [02/Dec/2015:16:44:46+0100]

hope this help :)

Exactly! My access log is in /var/logs/nginx/access.log though - embarrassing i overlooked the username in there. Thank you so much for getting me in the right direction! :)


Submit an answer
You can type!ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

For some very basic login information, you can use the last command. For instance:

root@web-02:~# last root
root     pts/0        109.60.147.140   Wed Dec  2 10:49   still logged in   
root     pts/0        109.60.147.140   Wed Dec  2 10:49 - 10:49  (00:00)

wtmp begins Tue Dec  1 17:22:59 2015

Notice the history only goes back so far as the logs get rotated. You can also look at older logs by specifying the file:

root@web-02:~# last -f /var/log/wtmp.1
root     pts/0        109.60.147.140   Wed Nov 18 11:21 - 11:23  (00:02)    
root     pts/0        109.60.147.140   Fri Nov 13 10:42 - 10:42  (00:00)    

wtmp.1 begins Fri Nov 13 10:42:21 2015

For even more information, you can inspect /var/log/auth.log It will also contain information like failed login attempts.