User Logoff
Linux Ubuntu
Enabled by default
Service: syslog
Log type: auth.log
A user's logoff can indicate the end of an attack or a potential system restart that may have occurred. It can conclude a timeline or give a bit more insight into a user's activity.
grep "session closed" /var/log/auth.log
Unfortunately, due to current limitations, we do not yet have this command, stay tuned for updates!
Compliance
HIPAA
Level: Recommended
NSA Event Forwarding
Level: Recommended
https://github.com/nsacyber/Event-Forwarding-Guidance/tree/master/Events
Linux logs record a user logoff as a "session closed" event. There may be logs from a “user” called GDM; this is just the graphical login screen, and it will show up if a user switched accounts graphically. To view this event from the Logs application, select the Security tab and search for closed. Due to the restrictions of the GNOME Logs app, there will likely be several logs that contain “closed”; look for the ones that say session closed for user.
To view this log through the command line, launch the terminal and enter the command:
grep "session closed" /var/log/auth.log
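The grep above returns whole lines, including the GDM entries mentioned earlier. As an added example (not part of the original page), the functions below reduce "session closed for user" lines to timestamp, PAM service and user, skip the gdm account, and report each user's last logoff for a timeline. The function names and the sample lines are assumptions made for illustration, and the parser assumes the traditional "Mon DD HH:MM:SS" syslog timestamp prefix.

```shell
#!/bin/sh
# Constructed sample lines (hosts, PIDs, users and the address are made up).
sample_auth_log() {
cat <<'EOF'
Mar  4 09:12:01 web01 sshd[1234]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Mar  4 09:38:50 web01 sshd[1300]: Connection closed by 192.0.2.10 port 51234 [preauth]
Mar  4 09:40:17 web01 sshd[1234]: pam_unix(sshd:session): session closed for user alice
Mar  4 09:41:00 web01 gdm-launch-environment]: pam_unix(gdm-launch-environment:session): session closed for user gdm
Mar  4 10:00:01 web01 CRON[2222]: pam_unix(cron:session): session closed for user root
Mar  4 10:31:45 web01 gdm-password]: pam_unix(gdm-password:session): session closed for user bob
EOF
}

# logoff_events [FILE...]  (hypothetical helper; reads stdin when no file is given)
# Prints "timestamp|pam_service|user" for each logoff, skipping the gdm account.
logoff_events() {
    awk '
    /session closed for user/ {
        # The PAM service name sits inside pam_unix(<service>:session).
        svc = "unknown"
        if (match($0, /pam_unix\([^:]+:session\)/))
            svc = substr($0, RSTART + 9, RLENGTH - 18)
        # The user name is the word that follows the fixed phrase.
        user = $0
        sub(/.*session closed for user /, "", user)
        sub(/[^A-Za-z0-9._-].*$/, "", user)
        if (user == "gdm") next          # graphical login screen, not a person
        print $1 " " $2 " " $3 "|" svc "|" user
    }' "$@"
}

# last_logoff_per_user (hypothetical helper): reads logoff_events output on
# stdin and prints "user|timestamp" of the final logoff seen for each user.
last_logoff_per_user() {
    awk -F'|' '{ last[$3] = $1 } END { for (u in last) print u "|" last[u] }' | sort
}

sample_auth_log | logoff_events
sample_auth_log | logoff_events | last_logoff_per_user
```

On a live host, run logoff_events /var/log/auth.log; reading that file usually requires sudo or membership of the adm group.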