Trolling the Logs

Greetings.

Feel free to scroll down to my (somewhat generic) question that comes after a bunch of specific preamble.

We (still) have an issue where students are unable to authenticate, which does not seem to be tied to which machine they are using or which user they are, and is alleviated when we reboot our open directory master. I learned at a meeting the other day that the problem is much more widespread than I'd imagined. [Incidentally, the promising instructions at http://discussions.apple.com/thread.jspa?messageID=8221483 did not repair our ODM, and we mean to replace it ASAP.]

I just found out about the "last" command, which shows how long users log in. On a computer where issues occurred, the output shows:

CJHS-eMacLab-15 (192.168.20.75)
Leav695 console Wed Feb 25 14:33 - 15:18 (00:44)
Leav848 console Wed Feb 25 08:46 - 09:30 (00:44)
Sugd358 console Tue Feb 24 09:05 - 09:23 (00:17)
reboot ~ Mon Feb 23 13:28
Nels177 console Mon Feb 23 12:56 - crash (00:32)
reboot ~ Mon Feb 23 12:54
Nels177 console Mon Feb 23 12:53 - crash (00:01)
Zaug139 console Fri Feb 13 10:57 - 12:52 (10+01:54)
Smit292 console Fri Feb 13 10:03 - 10:57 (00:53)
Russ532 console Fri Feb 13 09:37 - 09:58 (00:21)
Gibb964 console Fri Feb 13 08:51 - 09:07 (00:16)
Wynd235 console Thu Feb 12 14:35 - 14:54 (00:18)
Schm734 console Thu Feb 12 13:42 - 14:29 (00:47)

It is obvious that Nels177 could not log in; he is listed as logged in for 1 and 32 seconds, and he rebooted the computer twice.

It is worth noting that the computer usage logs in casper show:

Computer Usage Logs

logout Leav695 Wednesday, February 25 2009 at 3:18 PM
login Leav695 Wednesday, February 25 2009 at 2:33 PM
logout Leav848 Wednesday, February 25 2009 at 9:31 AM
login Leav848 Wednesday, February 25 2009 at 8:46 AM
logout Sugd358 Tuesday, February 24 2009 at 9:23 AM
login Sugd358 Tuesday, February 24 2009 at 9:05 AM
startup Monday, February 23 2009 at 1:29 PM
login Nels177 Monday, February 23 2009 at 12:56 PM
startup Monday, February 23 2009 at 12:55 PM
login Nels177 Monday, February 23 2009 at 12:53 PM
logout Zaug139 Monday, February 23 2009 at 12:52 PM

Interesting. They show that he did log in and that the next action was that the computer restarted. Here I thought Casper missed the event entirely.

The Question:

I have created a policy to run the "last" command on all of our computers, and it will create a number of logs for each computer (each day). Does anyone have any advice on how to troll through the data?

I might be able to go to the policy log page and download every link from it (page after page), either manually (shudder) or with a script (maybe using twill).

Alternatively, I have granted myself access to the MySQL database that Casper is using. I have been able to get at snippets of the data in that way.

So, does anyone troll their logs for data in ways like this, and if so, do you have any advice to offer (before I spend a fair chunk of time seeing if I can get data into files and grep it or figure out how to do some non-beginner SQL searches on it)? Or is there another method altogether that I should look into?

Thank you,
Clinton Blackmore
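
One way to sift `last` output gathered from many machines, as an added example that is not part of the original post: it parses the line format quoted above and lists, per host, the sessions that ended in `crash`. The host `lab-host-02`, the user `still999` and the function names are made up for illustration, and it assumes each host's output is already available as text.

```python
import re
from collections import defaultdict

# Constructed sample in the format quoted in the post (second host is hypothetical).
SAMPLE = {
    "CJHS-eMacLab-15": """\
Leav848 console Wed Feb 25 08:46 - 09:30 (00:44)
reboot ~ Mon Feb 23 13:28
Nels177 console Mon Feb 23 12:56 - crash (00:32)
reboot ~ Mon Feb 23 12:54
Nels177 console Mon Feb 23 12:53 - crash (00:01)
Zaug139 console Fri Feb 13 10:57 - 12:52 (10+01:54)
""",
    "lab-host-02": """\
Smit292 console Fri Feb 13 10:03 - 10:57 (00:53)
still999 console Fri Feb 13 11:00   still logged in
""",
}

# user, tty, start, "-", end (a time, "crash" or "shutdown"), then ([days+]HH:MM)
SESSION = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<start>\w{3} \w{3}\s+\d+ \d\d:\d\d)"
    r"\s+-\s+(?P<end>\d\d:\d\d|crash|shutdown)"
    r"\s+\((?:(?P<d>\d+)\+)?(?P<h>\d+):(?P<m>\d\d)\)"
)

def parse_sessions(text):
    """Yield one dict per closed session; reboot markers and open sessions are skipped."""
    for line in text.splitlines():
        m = SESSION.match(line.strip())
        if not m:
            continue  # "reboot ~ ..." and "still logged in" lines have no "- end (dur)"
        minutes = (int(m["d"] or 0) * 24 + int(m["h"])) * 60 + int(m["m"])
        yield {"user": m["user"], "start": m["start"],
               "end": m["end"], "minutes": minutes}

def crash_report(logs):
    """Map host -> [(user, start, minutes)] for sessions that ended in 'crash'."""
    report = defaultdict(list)
    for host, text in logs.items():
        for s in parse_sessions(text):
            if s["end"] == "crash":
                report[host].append((s["user"], s["start"], s["minutes"]))
    return dict(report)

if __name__ == "__main__":
    for host, hits in crash_report(SAMPLE).items():
        for user, start, minutes in hits:
            print(f"{host}\t{user}\t{start}\t{minutes} min")
```
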

milesleacy

2009/2/27 Clinton Blackmore <clinton.blackmore at westwind.ab.ca>

I have created a policy to run the "last" command on all of our computers, and it will create a number of logs for each computer (each day). Does anyone have any advice on how to troll through the data?

My question to you is "What's your goal?" We can do a lot of stuff with
just about any data. In order to do something useful, we need to define
what it is that we want.