
Logons

Linux stores Logon information in several different files depending on the distro and software installed. Typically the following files contain logon information on Linux:

  • wtmp - Historical logons
  • btmp - Failed logons
  • utmp - Users currently logged on

In addition, Journal files may also contain logon information. When collecting Logon information, artemis parses only the three files above: wtmp, btmp, and utmp.

If you want to check for logons in Journal files, you can try applying a filter to the Journal artifact.

Other Parsers:

  • N/A

References:

TOML Collection

system = "linux"

[output]
name = "logon_collection"
directory = "./tmp"
format = "json"
compress = false
endpoint_id = "abdc"
collection_id = 1
output = "local"

[[artifacts]]
artifact_name = "logon"
[artifacts.logons]
# Optional
# alt_file = ""

Collection Options

  • alt_file An alternative path to a wtmp, utmp, or btmp file. This configuration is optional.

Output Structure

An array of Logon entries

export interface Logon {
  /** Logon type for logon entry */
  logon_type: string;
  /** Process ID */
  pid: number;
  /** Terminal info */
  terminal: string;
  /** Terminal ID for logon entry */
  terminal_id: number;
  /** Username for logon */
  username: string;
  /** Hostname for logon source */
  hostname: string;
  /** Termination status for logon entry */
  termination_status: number;
  /** Exit status for logon entry */
  exit_status: number;
  /** Session for logon entry */
  session: number;
  /** Timestamp for logon */
  timestamp: string;
  /** Microseconds for logon */
  microseconds: number;
  /** Source IP for logon entry */
  ip: string;
  /** Status of logon entry: `Success` or `Failed` */
  status: string;
}
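The wtmp, btmp, and utmp files described at the top of this page share one binary record layout, and the Logon structure above is essentially that record with the `status` field added. The following is an added example, not artemis's own code, that parses that layout and produces entries shaped like the Logon output, so you can cross-check a collection or triage a btmp file by hand. It assumes the glibc `struct utmp` layout on 64-bit Linux (384-byte little-endian records, 32-bit `tv_sec`); other libcs and architectures may differ. It keeps `terminal_id` as the raw 4-byte `ut_id` text rather than the number artemis reports, and the sample records are constructed, not captured from a real host.

```python
"""
Added example, not part of the artemis project: a minimal parser for the
glibc utmp record layout shared by wtmp, btmp and utmp, emitting dicts shaped
like artemis's Logon output. Layout and ut_type values follow <utmp.h> on
64-bit Linux (384-byte records); the records below are constructed, not
captured from a real system.
"""
import socket
import struct
from datetime import datetime, timezone

# glibc struct utmp on x86_64, little-endian, 384 bytes:
#   ut_type(h) pad(2) ut_pid(i) ut_line[32] ut_id[4] ut_user[32] ut_host[256]
#   e_termination(h) e_exit(h) ut_session(i) tv_sec(i) tv_usec(i)
#   ut_addr_v6[16] unused[20]
UTMP_FORMAT = "<hxxi32s4s32s256shhiii16s20x"
UTMP_SIZE = struct.calcsize(UTMP_FORMAT)  # 384

UT_TYPES = {
    0: "Empty", 1: "RunLevel", 2: "BootTime", 3: "NewTime", 4: "OldTime",
    5: "InitProcess", 6: "LoginProcess", 7: "UserProcess", 8: "DeadProcess",
    9: "Accounting",
}


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded C string field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", errors="replace")


def _ip(raw: bytes) -> str:
    """ut_addr_v6 holds an IPv4 address in its first word or a full IPv6 address."""
    if raw == b"\0" * 16:
        return ""
    if raw[4:] == b"\0" * 12:
        return socket.inet_ntop(socket.AF_INET, raw[:4])
    return socket.inet_ntop(socket.AF_INET6, raw)


def parse_logons(data: bytes, source: str) -> list:
    """Parse every complete 384-byte record; a truncated tail is ignored.

    `source` is "wtmp", "utmp" or "btmp"; btmp only ever holds failed attempts,
    so its records are labelled Failed and the others Success.
    """
    status = "Failed" if source == "btmp" else "Success"
    logons = []
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        (ut_type, pid, line, ut_id, user, host, term, ex,
         session, sec, usec, addr) = struct.unpack_from(UTMP_FORMAT, data, off)
        logons.append({
            "logon_type": UT_TYPES.get(ut_type, f"Unknown({ut_type})"),
            "pid": pid,
            "terminal": _cstr(line),
            "terminal_id": _cstr(ut_id),  # raw ut_id text; artemis reports a number
            "username": _cstr(user),
            "hostname": _cstr(host),
            "termination_status": term,
            "exit_status": ex,
            "session": session,
            # tv_sec is a 32-bit field in this layout, hence the year-2038 limit
            "timestamp": datetime.fromtimestamp(sec, tz=timezone.utc)
                .strftime("%Y-%m-%dT%H:%M:%SZ"),
            "microseconds": usec,
            "ip": _ip(addr),
            "status": status,
        })
    return logons


def failed_by_ip(logons: list) -> dict:
    """Count Failed entries per source IP, the usual first look at a btmp file."""
    counts = {}
    for entry in logons:
        if entry["status"] == "Failed":
            counts[entry["ip"]] = counts.get(entry["ip"], 0) + 1
    return counts


def build_record(ut_type, pid, line, ut_id, user, host, sec, usec, ip,
                 term=0, ex=0, session=0) -> bytes:
    """Pack one constructed utmp record (used only to build sample input)."""
    if not ip:
        addr = b"\0" * 16
    elif ":" in ip:
        addr = socket.inet_pton(socket.AF_INET6, ip)
    else:
        addr = socket.inet_pton(socket.AF_INET, ip) + b"\0" * 12
    return struct.pack(UTMP_FORMAT, ut_type, pid, line.encode(), ut_id.encode(),
                       user.encode(), host.encode(), term, ex, session, sec, usec, addr)


# Constructed sample files: an ssh session that opened and closed in wtmp,
# and three failed root attempts from one address in btmp.
SAMPLE_WTMP = (
    build_record(7, 4242, "pts/0", "ts/0", "alice", "10.0.0.5", 1700000000, 123456, "10.0.0.5")
    + build_record(8, 4242, "pts/0", "ts/0", "", "", 1700003600, 0, "")
)
SAMPLE_BTMP = b"".join(
    build_record(7, 5100 + i, "ssh:notty", "", "root", "203.0.113.9", 1700000060 + i, 0, "203.0.113.9")
    for i in range(3)
) + b"\0" * 17  # truncated trailing record, as in a file still being written


if __name__ == "__main__":
    for entry in parse_logons(SAMPLE_WTMP, "wtmp") + parse_logons(SAMPLE_BTMP, "btmp"):
        print(entry)
    print(failed_by_ip(parse_logons(SAMPLE_BTMP, "btmp")))
```

To run it against a real file, read `/var/log/wtmp` or `/var/log/btmp` (or the path you passed as `alt_file`) as bytes and hand it to `parse_logons` with the matching source name. Note that `status` is derived purely from which file a record came from, not from the record contents, which is why the collector needs to know whether an alternative path points at a btmp file.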