Get last SAS logins of users and clients

1 Like

In this message, I'd like to introduce a way to get last SAS logins of users and clients from the log file of SAS Metadata Server, the output looks like UNIX command "last" or "lastb". Generally, there are many ways and tools to get the login history, for example some third party's tools which can provide extended and customized information. But some of these tools are not free. So, today we'll talk about a "home-made" solution to get the SAS logins of the users and clients.

Before that, let's talk about some background knowledge. If you've already known it, you can jump to the next paragraph. For SAS metadata server, each of the login attempts will be recorded to SAS Metadata Server log file, which is located at <SAS CONFIG DIR>/Lev1/SASMeta/MetadataServer/Logs. The login attempts can be initiated from SAS Clients(for example SAS Enterprise Guide) or SAS batch jobs, which try to connect to SAS Metadata Sever. In each attempt, by default, the following information will be displayed:

Description	Log entry
Successful login	2016-04-15T10:09:46,586 INFO [00183402] :testuser1 - New client connection (13015) accepted from server port 8591 for user sasuser1. Encryption level is Credentials using encryption algorithm SASProprietary. Peer IP address and port are [::ffff:192.168.6.26]:49254 for APPNAME=SAS Enterprise Guide.
Unsuccessful login	2016-05-20T12:05:52,248 WARN [00009359] :sas - New client connection (179) rejected from server port 8561 for user testuser2. Peer IP address and port are [::ffff:192.168.46.70]:52769 for APPNAME=SAS Enterprise Guide.

And, the log file naming policy is defined as "SASMeta_MetadataServer_%d_%S{hostname}_%S{pid}.log", for example:

Within the log file, the log entries are defined in configuration file <SAS CONFIG DIR>/Lev1/SASMeta/MetadataServer/logconfig.xml as follow:
<param name="ConversionPattern" value="%d %-5p [%t] %X{Client.ID}:%u - %m"/>

And the description of relevant parameters are listed as follows:

Parameters	Description
%d	Reports the date of the log event. For the ConversionPattern parameter, the ISO8601 format, which is represented as yyyy-MM-dd HH:mm:ss,SSS For the FileNamePattern parameter, yyyy-MM-dd.
%-5p	Reports the level of the log event. Here are the supported levels: • TRACE • DEBUG • INFO • WARN • ERROR • FATAL
%t	Reports the identifier of the thread that generated the log event.
%X{Client.ID}	Reports the connection ID that is associated with the connecting client.
%u	Reports the client identity that is associated with the current thread or task.
%m	Writes the messages that are associated with the log event.

After you understand the background knowledge, the extraction is mainly regarding character processing. You can easily get the information from the log file as you need. According to the log files, we can start extracting the last logins. Because our environment is UNIX, we use Shell script to deal with the log file, the following piece of code is used to read and parse the log file:

function read_and_parse
{
  IFS=';';
  PrevDateTime=""; PrevSesID=""; PrevFlag=""; PrevIPaddress=""; PrevUser="";
  sort -t";" -k5n,5 -k2,2 -k1,1 <&6 | while read -r Flag DateTime User TransID SesID IPaddress
  do
      case $Flag in
      A)
#       NO Closure identified for previous line
         if [[ "$PrevFlag" != "" ]]; then
            Duration=`$PERLFILE "$PrevDateTime" ""`;
            LINE=$PrevUser";"$PrevIPaddress";"$Duration";";
            printf "$LINE\n" >> $SUCCFILE;
         fi;
         PrevDateTime=$DateTime; PrevSesID=$SesID; PrevFlag=$Flag; PrevIPaddress=$IPaddress; PrevUser=$User;
         ;;
      R)
#       NO Closure identified for previous line
         if [[ "$PrevFlag" != "" ]]; then
            Duration=`$PERLFILE "$PrevDateTime" ""`;
            LINE=$PrevUser";"$PrevIPaddress";"$Duration";";
            printf "$LINE\n" >> $UNSUCCFILE;
         fi;
         PrevDateTime=$DateTime; PrevSesID=$SesID; PrevFlag=$Flag; PrevIPaddress=$IPaddress; PrevUser=$User;
         ;;
      S)
#       Closure for Accepted line
         if [[ "$PrevSesID" = "$SesID" && "$PrevFlag" = "A" ]]; then
            LINE=$PrevUser";"$PrevIPaddress;
            Duration=`$PERLFILE "$PrevDateTime" "$DateTime"`;
            LINE=$LINE";"$Duration";";
            printf "$LINE\n" >> $SUCCFILE;
         fi;
#       Closure for Rejected Line
         if [[ "$PrevSesID" = "$SesID" && "$PrevFlag" = "R" ]]; then
            LINE=$PrevUser";"$PrevIPaddress;
            Duration=`$PERLFILE "$PrevDateTime" ""`;
            LINE=$LINE";"$Duration";";
            printf "$LINE\n" >> $UNSUCCFILE;
         fi;
#       Closure without Accepted/Rejected line (previous line was reported)
         if [[ "$PrevSesID" != "$SesID" && "$PrevFlag" = "" ]]; then
            Duration=`$PERLFILE "$DateTime" ""`;
            LINE=$User";-;"$Duration";";
            printf "$LINE\n" >> $WARNFILE;
         fi;
#       Closure without Accepted/Rejected line (previous line was not reported)
         if [[ "$PrevSesID" != "$SesID" && "$PrevFlag" != "" ]]; then
            Duration=`$PERLFILE "$PrevDateTime" ""`;
            LINE=$PrevUser";"$PrevIPaddress";"$Duration";";
            if [[ "$PrevFlag" = "A" ]]; then
               printf "$LINE\n" >> $SUCCFILE;
            fi;
            if [[ "$PrevFlag" = "R" ]]; then
               printf "$LINE\n" >> $UNSUCCFILE;
            fi;
            Duration=`$PERLFILE "$DateTime" ""`;
            LINE=$User";-;"$Duration";";
            printf "$LINE\n" >> $WARNFILE;
         fi;
         PrevDateTime=""; PrevSesID=""; PrevFlag=""; PrevIPaddress=""; PrevUser="";
         ;;
      *)
         LINE=';Unexpected flag'$Flag' Something is wrong!;;;;;;;;';
         printf "$LINE\n" >> $UNSUCCFILE;
         ;;
      esac;
  done;
}

Below are some tips:
• A "accepted" entry means successful login, and a "rejected" entry means unsuccessful one, not a surprise. 🙂
• The log entry also includes information of the SAS clients, for example, IP address, port number, and SAS client name.
• Be aware of the escape letters in log entries, for example, "/" which can cause some trouble if it follows "n" or "t".

Furthermore, you can also customize the configuration file (logconfig.xml) to define your own formats of the log file to get more information and make the extraction easier.

My team used the Awk, Perl and Shell scripting to handle the character processing.
If you'd like to know more about it, just feel free to let me know.

Reference: SAS® 9.4 Logging: Configuration and Programming Reference, Second Edition

Best regards
Edward Jin

srikamall · ‎05-04-2017

Hi Edward,

You posting/article was useful on generating SAS users with their "last login" info from the Metadata Log files. I wish to understand that the UNIX script provied is 'complete' one. Can you share the full script and the steps to run this script.

Regards

Gordhan · ‎09-29-2017

Hi,

can we have user login details in sas dataset format. We are planing to create report only for successfully login and logout users.

With the help of below code we are trying to create dataset for user login details but we are unable to do it.

Below is the Code & Error:

Code:

libname myxml2 xml '/sasdata/sasconf/config/Lev1/SASMeta/MetadataServer/Logs/SASMeta_MetadataServer_2017-09-12_sas-namenode_32758.log' ;

proc datasets library=myxml2;

quit;

data wrsaudit31012013;

set myxml2.Event;

run;

ERROR: "myxml2 library is not assigned".

Hasina · ‎12-12-2017

Hi Gordhan,

I believe the mistake in the above code is, Library reference is always done at the folder level.

eg:

libname myxml2 xml '/sasdata/sasconf/config/Lev1/SASMeta/MetadataServer/Logs';

Check this out and let me know. Thanks!

Sandhya55 · ‎10-29-2021

Will the logs be created every day for the SASApp..bcz inour system i see logs are not created everyday ..can u pls help how to create logs every day

Get last SAS logins of users and clients

Free course: Data Literacy Essentials

Get Started