We’re smarter together. Learn from this collection of community knowledge and add your expertise.

Get last SAS logins of users and clients

by Occasional Contributor EdwardJin ‎04-24-2017 02:04 AM - edited ‎04-24-2017 10:54 PM (1,455 Views)

 In this message, I'd like to introduce a way to get last SAS logins of users and clients from the log file of SAS Metadata Server, the output looks like UNIX command "last" or "lastb". Generally, there are many ways and tools to get the login history, for example some third party's tools which can provide extended and customized information. But some of these tools are not free. So, today we'll talk about a "home-made" solution to get the SAS logins of the users and clients.

 

Before that, let's talk about some background knowledge. If you've already known it, you can jump to the next paragraph. For SAS metadata server, each of the login attempts will be recorded to SAS Metadata Server log file, which is located at <SAS CONFIG DIR>/Lev1/SASMeta/MetadataServer/Logs. The login attempts can be initiated from SAS Clients(for example SAS Enterprise Guide) or SAS batch jobs, which try to connect to SAS Metadata Sever. In each attempt, by default, the following information will be displayed:

Description   Log entry
Successful login 2016-04-15T10:09:46,586 INFO [00183402] :testuser1 - New client connection (13015) accepted from server port 8591 for user sasuser1. Encryption level is Credentials using encryption algorithm SASProprietary. Peer IP address and port are [::ffff:192.168.6.26]:49254 for APPNAME=SAS Enterprise Guide.
Unsuccessful login 2016-05-20T12:05:52,248 WARN  [00009359] :sas - New client connection (179) rejected from server port 8561 for user testuser2. Peer IP address and port are [::ffff:192.168.46.70]:52769 for APPNAME=SAS Enterprise Guide. 

 

And, the log file naming policy is defined as "SASMeta_MetadataServer_%d_%S{hostname}_%S{pid}.log", for example:

sas_eg_hist.jpg

 

Within the log file, the log entries are defined in configuration file <SAS CONFIG DIR>/Lev1/SASMeta/MetadataServer/logconfig.xml as follow:
<param name="ConversionPattern" value="%d %-5p [%t] %X{Client.ID}:%u - %m"/>

 

And the description of relevant parameters are listed as follows:

Parameters Description
%d Reports the date of the log event.
For the ConversionPattern parameter, the ISO8601 format, which is represented as yyyy-MM-dd HH:mm:ss,SSS
For the FileNamePattern parameter, yyyy-MM-dd.
%-5p Reports the level of the log event.
Here are the supported levels:
• TRACE
• DEBUG
• INFO
• WARN
• ERROR
• FATAL
%t Reports the identifier of the thread that generated the log event.
%X{Client.ID} Reports the connection ID that is associated with the connecting client.
%u Reports the client identity that is associated with the current thread or task.
%m

Writes the messages that are associated with the log event.

 

After you understand the background knowledge, the extraction is mainly regarding character processing. You can easily get the information from the log file as you need. According to the log files, we can start extracting the last logins. Because our environment is UNIX, we use Shell script to deal with the log file, the following piece of code is used to read and parse the log file:

function read_and_parse
{
  IFS=';';
  PrevDateTime=""; PrevSesID=""; PrevFlag=""; PrevIPaddress=""; PrevUser="";
  sort -t";" -k5n,5 -k2,2 -k1,1 <&6 | while read -r Flag DateTime User TransID SesID IPaddress
  do
      case $Flag in
      A)
#       NO Closure identified for previous line
         if [[ "$PrevFlag" != "" ]]; then
            Duration=`$PERLFILE "$PrevDateTime" ""`;
            LINE=$PrevUser";"$PrevIPaddress";"$Duration";";
            printf "$LINE\n" >> $SUCCFILE;
         fi;
         PrevDateTime=$DateTime; PrevSesID=$SesID; PrevFlag=$Flag; PrevIPaddress=$IPaddress; PrevUser=$User;
         ;;
      R)
#       NO Closure identified for previous line
         if [[ "$PrevFlag" != "" ]]; then
            Duration=`$PERLFILE "$PrevDateTime" ""`;
            LINE=$PrevUser";"$PrevIPaddress";"$Duration";";
            printf "$LINE\n" >> $UNSUCCFILE;
         fi;
         PrevDateTime=$DateTime; PrevSesID=$SesID; PrevFlag=$Flag; PrevIPaddress=$IPaddress; PrevUser=$User;
         ;;
      S)
#       Closure for Accepted line
         if [[ "$PrevSesID" = "$SesID" && "$PrevFlag" = "A" ]]; then
            LINE=$PrevUser";"$PrevIPaddress;
            Duration=`$PERLFILE "$PrevDateTime" "$DateTime"`;
            LINE=$LINE";"$Duration";";
            printf "$LINE\n" >> $SUCCFILE;
         fi;
#       Closure for Rejected Line
         if [[ "$PrevSesID" = "$SesID" && "$PrevFlag" = "R" ]]; then
            LINE=$PrevUser";"$PrevIPaddress;
            Duration=`$PERLFILE "$PrevDateTime" ""`;
            LINE=$LINE";"$Duration";";
            printf "$LINE\n" >> $UNSUCCFILE;
         fi;
#       Closure without Accepted/Rejected line (previous line was reported)
         if [[ "$PrevSesID" != "$SesID" && "$PrevFlag" = "" ]]; then
            Duration=`$PERLFILE "$DateTime" ""`;
            LINE=$User";-;"$Duration";";
            printf "$LINE\n" >> $WARNFILE;
         fi;
#       Closure without Accepted/Rejected line (previous line was not reported)
         if [[ "$PrevSesID" != "$SesID" && "$PrevFlag" != "" ]]; then
            Duration=`$PERLFILE "$PrevDateTime" ""`;
            LINE=$PrevUser";"$PrevIPaddress";"$Duration";";
            if [[ "$PrevFlag" = "A" ]]; then
               printf "$LINE\n" >> $SUCCFILE;
            fi;
            if [[ "$PrevFlag" = "R" ]]; then
               printf "$LINE\n" >> $UNSUCCFILE;
            fi;
            Duration=`$PERLFILE "$DateTime" ""`;
            LINE=$User";-;"$Duration";";
            printf "$LINE\n" >> $WARNFILE;
         fi;
         PrevDateTime=""; PrevSesID=""; PrevFlag=""; PrevIPaddress=""; PrevUser="";
         ;;
      *)
         LINE=';Unexpected flag'$Flag' Something is wrong!;;;;;;;;';
         printf "$LINE\n" >> $UNSUCCFILE;
         ;;
      esac;
  done;
}

 

 

Below are some tips:
• A "accepted" entry means successful login, and a "rejected" entry means unsuccessful one, not a surprise. :)
• The log entry also includes information of the SAS clients, for example, IP address, port number, and SAS client name.
• Be aware of the escape letters in log entries, for example, "/" which can cause some trouble if it follows "n" or "t".

 

Furthermore, you can also customize the configuration file (logconfig.xml) to define your own formats of the log file to get more information and make the extraction easier.

 

My team used the Awk, Perl and Shell scripting to handle the character processing.
If you'd like to know more about it, just feel free to let me know.

 


Reference: SAS® 9.4 Logging: Configuration and Programming Reference, Second Edition

 


Best regards
Edward Jin

Comments
by Senior User srikamall
on ‎05-04-2017 10:00 PM

Hi Edward,

You posting/article was useful on generating SAS users with their "last login" info from the Metadata Log files.  I wish to understand that the UNIX script provied is 'complete' one.   Can you share the full script and the steps to run this script.

Regards

 

Contributors
Your turn
Sign In!

Want to write an article? Sign in with your profile.