Logging or statting Auth Basic on Ubuntu 14.04

December 2, 2015 1.2k views
Logging Monitoring Linux Basics Nginx System Tools Git Ubuntu

If I for example want to know how many times a user has logged in, how can I go about this in a simple or awesome way ?

  • do you mean the HTTP "WWW-Authenticate: Basic" / "Authorization: Basic" ? If yes, in Nginx you can find the username inside the access_log for each request. I usually grep the username inside the log and count how many times it request the / page.

    For example, if i want to know how many times and when the admin user logged in:

    # cat logs/access.log | egrep '[0-9\.]+ \- admin .*GET \/ HTTP' - admin [02/Dec/2015:16:44:01 +0100] "GET / HTTP/1.1" [...] - admin [02/Dec/2015:16:44:46 +0100] "GET / HTTP/1.1" [...]

    then i use awk to print the timestamp only

    # cat logs/access.log | egrep '[0-9\.]+ \- admin .*GET \/ HTTP' | awk '{print $4 $5}'

    then i use sort and uniq to count it

    # cat logs/access.log | egrep '[0-9\.]+ \- admin .*GET \/ HTTP' | awk '{print $4 $5}' | sort | uniq -c
          1 [02/Dec/2015:16:44:01+0100]
          1 [02/Dec/2015:16:44:46+0100]

    hope this help :)

  • Exactly! My access log is in /var/logs/nginx/access.log though - embarrassing i overlooked the username in there. Thank you so much for getting me in the right direction! :)

1 Answer

For some very basic login information, you can use the last command. For instance:

root@web-02:~# last root
root     pts/0   Wed Dec  2 10:49   still logged in   
root     pts/0   Wed Dec  2 10:49 - 10:49  (00:00)

wtmp begins Tue Dec  1 17:22:59 2015

Notice the history only goes back so far as the logs get rotated. You can also look at older logs by specifying the file:

root@web-02:~# last -f /var/log/wtmp.1
root     pts/0   Wed Nov 18 11:21 - 11:23  (00:02)    
root     pts/0   Fri Nov 13 10:42 - 10:42  (00:00)    

wtmp.1 begins Fri Nov 13 10:42:21 2015

For even more information, you can inspect /var/log/auth.log It will also contain information like failed login attempts.

  • I have created a .htpasswd in /etc/nginx

    This file holds some usernames and passwords for Auth Basic - I've for instance created a user called sammy, and that user has been authenticated a couple of times, but he doesn't show up anywhere in what you've suggested :/

    • Sorry, I didn't realize you were asking about Nginx before. My answer is for system wide logins. @theMiddle is pointing you in the right direction though.

Have another answer? Share your knowledge.