Get last SAS logins of users and clients
In this message, I'd like to introduce a way to get last SAS logins of users and clients from the log file of SAS Metadata Server, the output looks like UNIX command "last" or "lastb". Generally, there are many ways and tools to get the login history, for example some third party's tools which can provide extended and customized information. But some of these tools are not free. So, today we'll talk about a "home-made" solution to get the SAS logins of the users and clients.
Before that, let's talk about some background knowledge. If you've already known it, you can jump to the next paragraph. For SAS metadata server, each of the login attempts will be recorded to SAS Metadata Server log file, which is located at <SAS CONFIG DIR>/Lev1/SASMeta/MetadataServer/Logs. The login attempts can be initiated from SAS Clients(for example SAS Enterprise Guide) or SAS batch jobs, which try to connect to SAS Metadata Sever. In each attempt, by default, the following information will be displayed:
| Description | Log entry |
| Successful login | 2016-04-15T10:09:46,586 INFO [00183402] :testuser1 - New client connection (13015) accepted from server port 8591 for user sasuser1. Encryption level is Credentials using encryption algorithm SASProprietary. Peer IP address and port are [::ffff:192.168.6.26]:49254 for APPNAME=SAS Enterprise Guide. |
| Unsuccessful login | 2016-05-20T12:05:52,248 WARN [00009359] :sas - New client connection (179) rejected from server port 8561 for user testuser2. Peer IP address and port are [::ffff:192.168.46.70]:52769 for APPNAME=SAS Enterprise Guide. |
And, the log file naming policy is defined as "SASMeta_MetadataServer_%d_%S{hostname}_%S{pid}.log", for example:
Within the log file, the log entries are defined in configuration file <SAS CONFIG DIR>/Lev1/SASMeta/MetadataServer/logconfig.xml as follow:
<param name="ConversionPattern" value="%d %-5p [%t] %X{Client.ID}:%u - %m"/>
And the description of relevant parameters are listed as follows:
| Parameters | Description |
| %d | Reports the date of the log event. For the ConversionPattern parameter, the ISO8601 format, which is represented as yyyy-MM-dd HH:mm:ss,SSS For the FileNamePattern parameter, yyyy-MM-dd. |
| %-5p | Reports the level of the log event. Here are the supported levels: • TRACE • DEBUG • INFO • WARN • ERROR • FATAL |
| %t | Reports the identifier of the thread that generated the log event. |
| %X{Client.ID} | Reports the connection ID that is associated with the connecting client. |
| %u | Reports the client identity that is associated with the current thread or task. |
| %m |
Writes the messages that are associated with the log event. |
After you understand the background knowledge, the extraction is mainly regarding character processing. You can easily get the information from the log file as you need. According to the log files, we can start extracting the last logins. Because our environment is UNIX, we use Shell script to deal with the log file, the following piece of code is used to read and parse the log file:
function read_and_parse
{
IFS=';';
PrevDateTime=""; PrevSesID=""; PrevFlag=""; PrevIPaddress=""; PrevUser="";
sort -t";" -k5n,5 -k2,2 -k1,1 <&6 | while read -r Flag DateTime User TransID SesID IPaddress
do
case $Flag in
A)
# NO Closure identified for previous line
if [[ "$PrevFlag" != "" ]]; then
Duration=`$PERLFILE "$PrevDateTime" ""`;
LINE=$PrevUser";"$PrevIPaddress";"$Duration";";
printf "$LINE\n" >> $SUCCFILE;
fi;
PrevDateTime=$DateTime; PrevSesID=$SesID; PrevFlag=$Flag; PrevIPaddress=$IPaddress; PrevUser=$User;
;;
R)
# NO Closure identified for previous line
if [[ "$PrevFlag" != "" ]]; then
Duration=`$PERLFILE "$PrevDateTime" ""`;
LINE=$PrevUser";"$PrevIPaddress";"$Duration";";
printf "$LINE\n" >> $UNSUCCFILE;
fi;
PrevDateTime=$DateTime; PrevSesID=$SesID; PrevFlag=$Flag; PrevIPaddress=$IPaddress; PrevUser=$User;
;;
S)
# Closure for Accepted line
if [[ "$PrevSesID" = "$SesID" && "$PrevFlag" = "A" ]]; then
LINE=$PrevUser";"$PrevIPaddress;
Duration=`$PERLFILE "$PrevDateTime" "$DateTime"`;
LINE=$LINE";"$Duration";";
printf "$LINE\n" >> $SUCCFILE;
fi;
# Closure for Rejected Line
if [[ "$PrevSesID" = "$SesID" && "$PrevFlag" = "R" ]]; then
LINE=$PrevUser";"$PrevIPaddress;
Duration=`$PERLFILE "$PrevDateTime" ""`;
LINE=$LINE";"$Duration";";
printf "$LINE\n" >> $UNSUCCFILE;
fi;
# Closure without Accepted/Rejected line (previous line was reported)
if [[ "$PrevSesID" != "$SesID" && "$PrevFlag" = "" ]]; then
Duration=`$PERLFILE "$DateTime" ""`;
LINE=$User";-;"$Duration";";
printf "$LINE\n" >> $WARNFILE;
fi;
# Closure without Accepted/Rejected line (previous line was not reported)
if [[ "$PrevSesID" != "$SesID" && "$PrevFlag" != "" ]]; then
Duration=`$PERLFILE "$PrevDateTime" ""`;
LINE=$PrevUser";"$PrevIPaddress";"$Duration";";
if [[ "$PrevFlag" = "A" ]]; then
printf "$LINE\n" >> $SUCCFILE;
fi;
if [[ "$PrevFlag" = "R" ]]; then
printf "$LINE\n" >> $UNSUCCFILE;
fi;
Duration=`$PERLFILE "$DateTime" ""`;
LINE=$User";-;"$Duration";";
printf "$LINE\n" >> $WARNFILE;
fi;
PrevDateTime=""; PrevSesID=""; PrevFlag=""; PrevIPaddress=""; PrevUser="";
;;
*)
LINE=';Unexpected flag'$Flag' Something is wrong!;;;;;;;;';
printf "$LINE\n" >> $UNSUCCFILE;
;;
esac;
done;
}
Below are some tips:
• A "accepted" entry means successful login, and a "rejected" entry means unsuccessful one, not a surprise. 🙂
• The log entry also includes information of the SAS clients, for example, IP address, port number, and SAS client name.
• Be aware of the escape letters in log entries, for example, "/" which can cause some trouble if it follows "n" or "t".
Furthermore, you can also customize the configuration file (logconfig.xml) to define your own formats of the log file to get more information and make the extraction easier.
My team used the Awk, Perl and Shell scripting to handle the character processing.
If you'd like to know more about it, just feel free to let me know.
Reference: SAS® 9.4 Logging: Configuration and Programming Reference, Second Edition
Best regards
Edward Jin
