# FreeBSD - Getting user access history



## DolphinPC (Dec 27, 2020)

Hi,

I am trying to solve the problem of obtaining user access history to a NAS box. 
Apparently the stock logs in /var/log are useless for obtaining that goal.

Here is a more detailed thread:


> FreeNAS - Log user access history
>
> Hi, I am interested in logging when a user accessed the server. Whether that user went through the web api, went through SSH, went and accessed an SMB share. Whatever the mode is, I would like to see a history of who accessed the server and when they terminated that session. The end result...
>
> www.truenas.com


How do I achieve this?
Thanks


----------



## SirDice (Dec 27, 2020)

PC-BSD, FreeNAS, XigmaNAS, and all other FreeBSD Derivatives



DolphinPC said:


> I am trying to solve the problem of obtaining user access history to a NAS box.
> Apparently the stock logs in /var/log are useless for obtaining that goal.


Secure shell access is logged in /var/log/auth.log. If you're looking for access logs from the FreeNAS web interface you're going to have to ask on the FreeNAS forums, it's part of the customized installation they have. Nothing in a standard FreeBSD install is going to be helpful here.


----------



## DolphinPC (Dec 27, 2020)

Hi, thanks for your reply.

Understood about the web interface, but ultimately when logging in, the root user on FreeBSD is being accessed? So, this should be logged somewhere correct?

auth.log does not show this:


```
Dec 26 18:01:10 server1 sshd[95659]: Connection closed by 10.0.0.43 port 60903 [preauth]
Dec 26 18:01:18 server1 sshd[95666]: Protocol major versions differ for 10.0.0.43 port 61003: SSH-2.0-OpenSSH_7.5-hpn14v5 vs. SSH-1.5-NmapNSE_1.0
Dec 26 20:29:56 server1 sshd[9741]: Invalid user MyUser from 10.0.0.43 port 64862
Dec 26 20:29:56 server1 sshd[9741]: Connection closed by invalid user MyUser 10.0.0.43 port 64862 [preauth]
Dec 26 20:33:42 server1 sshd[10213]: Invalid user admin from 10.0.0.43 port 64925
Dec 26 20:33:42 server1 sshd[10213]: Connection closed by invalid user admin 10.0.0.43 port 64925 [preauth]
Dec 26 20:34:12 server1 sshd[10292]: Connection closed by authenticating user root 10.0.0.43 port 64928 [preauth]
Dec 26 20:35:08 server1 sshd[10370]: Invalid user admin from 10.0.0.43 port 64930
Dec 26 20:35:08 server1 sshd[10370]: Connection closed by invalid user admin 10.0.0.43 port 64930 [preauth]
Dec 26 20:37:08 server1 sshd[2346]: Received signal 15; terminating.
```


According to FreeBSD docs, I can get some of this info from...

/var/log/utx.log

/var/log/utx.lastlogin

/var/log/userlog


But none of those provide this info and most are blank.
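
The sshd entries in /var/log/auth.log discussed in this thread can be reduced to a per-source access history. The following is an added example, not part of any poster's message: the sample lines are constructed in the format shown in the post, plus one constructed `Accepted` line (not in the post) to show a successful login, and the names `parse` and `summarize` are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the auth.log format shown in the post. The "Accepted"
# line is not from the post; it shows what a successful SSH login looks like.
SAMPLE = """\
Dec 26 18:01:10 server1 sshd[95659]: Connection closed by 10.0.0.43 port 60903 [preauth]
Dec 26 18:01:18 server1 sshd[95666]: Protocol major versions differ for 10.0.0.43 port 61003: SSH-2.0-OpenSSH_7.5-hpn14v5 vs. SSH-1.5-NmapNSE_1.0
Dec 26 20:29:56 server1 sshd[9741]: Invalid user MyUser from 10.0.0.43 port 64862
Dec 26 20:29:56 server1 sshd[9741]: Connection closed by invalid user MyUser 10.0.0.43 port 64862 [preauth]
Dec 26 20:34:12 server1 sshd[10292]: Connection closed by authenticating user root 10.0.0.43 port 64928 [preauth]
Dec 26 20:36:30 server1 sshd[10401]: Accepted password for root from 10.0.0.50 port 50122 ssh2
Dec 26 20:37:08 server1 sshd[2346]: Received signal 15; terminating.
"""

HEADER = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: (?P<msg>.*)$")
IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
# (event name, pattern) pairs; the first matching rule classifies the line.
RULES = [
    ("login_ok", re.compile(rf"^Accepted (?P<method>\S+) for (?P<user>\S+) from {IP} port \d+")),
    ("invalid_user", re.compile(rf"^Invalid user (?P<user>\S*) from {IP} port \d+")),
    ("preauth_close", re.compile(rf"^Connection closed by (?:(?:invalid|authenticating) user (?P<user>\S+) )?{IP} port \d+ \[preauth\]")),
    ("scanner_banner", re.compile(rf"^Protocol major versions differ for {IP} port \d+: .* vs\. (?P<banner>\S+)")),
]

def parse(text):
    """Return one dict per recognised sshd line; unrecognised lines are skipped."""
    events = []
    for line in text.splitlines():
        h = HEADER.match(line)
        if not h:
            continue
        for name, rx in RULES:
            m = rx.match(h["msg"])
            if m:
                events.append({"ts": h["ts"], "event": name, **m.groupdict()})
                break
    return events

def summarize(events):
    """Count event types per source address."""
    out = defaultdict(lambda: defaultdict(int))
    for e in events:
        out[e["ip"]][e["event"]] += 1
    return {ip: dict(counts) for ip, counts in out.items()}

if __name__ == "__main__":
    print(summarize(parse(SAMPLE)))
```
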


----------



## ralphbsz (Dec 27, 2020)

DolphinPC said:


> Understood about the web interface, but ultimately when logging in, the root user on FreeBSD is being accessed? So, this should be logged somewhere correct?



"When logging in" ... if someone uses the web interface, they don't log in. Logging in is done via the login program (/usr/bin/login), and it creates records such as userlog and auth.log. Accessing a web page (even if the web page asks for username and password) is not a login. Whether it is logged by the web server is an interesting question, and depends on how the web interface is configured.

It is perfectly possible to configure a web server such that it can perform functions that are usually reserved for root, such as heavyweight system configuration and administration. For example, one can just run the whole web server as root (but that would be insanely unsafe, unless one has a really good web server). One can have the web server run scripts (CGI is the simplest solution), which then use mechanisms such as sudo or doas to execute administration commands as root. I'm sure there are a zillion other ways to do it. None of those are automatically logged, unless the person who implemented these mechanisms added logging.

So I repeat SirDice's answer: This is not a FreeBSD question, but a question for the people who are knowledgeable about the web interface.

But let me dig a little deeper: Why are you even asking this question? This really seems to be an XY question, where you are asking "how do I do this", when in reality you are trying to solve a bigger problem, and if you told us what the bigger problem is, we might be able to give more helpful answers.


----------



## DolphinPC (Dec 27, 2020)

Hi,

Thanks for your reply. I see your point about the difference between _logging in_ and accessing the web interface. With that said, it appears that the events I am hoping to capture on FreeNAS are much different than the events that FreeBSD captures with "Log-ins".

I will await FreeNAS experts.
Thanks for your time


----------

