So I just completed my third week at the new job. I’ve got access to a few servers and such. 

But here’s the thing. I was poking through /var/log/auth.log – it’s where every login/logout gets recorded. I first brought it up in vi and paged through and noted a lot of root activity. Some of it sudo, some of it direct root. Then I got out of vi and piped the file through grep looking for just my user id. A few of those. Ok. 

Then I did grep -v ‘username’ /var/log/auth.log|awk ‘{print $11}’

I’ll walk you through what the hell that is all doing. 

The first part that says grep -v ‘username’ – that sets up the exclusion. 

The /var/log/auth.log is the path to the file. 

Then there’s the | or pipe character. One of the cooler things about Unix/Linux is you can pipe output from one utility directly into another. So in this case I shot it to awk and used the print function to extract the 11th field of text after whitespace. That’s the user ID. 

And I noted it all came back root. So then I piped it to wc -l which wc stands for word count. Yep – all root logins, several hundred of them in fact. 

So other than root I’m the only person logging into these servers. Interesting.