Annie Tennis wrote:
> I had a security incident on my network on Friday afternoon (01/03). I am
> trying to track down a user via their IP address. When I log in to the CAM,
> I am able to associate a user to the IP address but the login time occurred
> (01/04) after the incident occurred. However, I need to be certain that
> this user is indeed the user using the IP at the time of the incident. Is
> there a way I can look at the DHCP records?
>
> Thanks in advance.
> Annie Tennis
> Security Analyst
> Franklin College
> 317.738.8148
>

SSH into the CAS for the network segment in question, and have a look in /var/log for the files dhcplog.*

An incident so recent would likely still be in dhcplog, but dhcplog.1, dhcplog.2, etc. will take you back five weeks at the most.

--
Regards,
-- Cal Frye, Network Administrator, Oberlin College
www.calfrye.com, www.pitalabs.com

"Laugh alone and the world thinks you're an idiot."
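One way to answer the original question from the dhcplog files, as an added example that is not part of either message: find which MAC address was last acknowledged on the IP before the incident, and when the address next changed hands. It assumes the files hold ISC dhcpd style syslog lines; the function names, host name, addresses and the year are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Assumed ISC dhcpd syslog line format; check it against your own dhcplog files.
ACK = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ dhcpd(?:\[\d+\])?: "
    r"DHCPACK on (?P<ip>\S+) to (?P<mac>[0-9a-fA-F:]{17})"
)

def parse_acks(lines, ip, incident):
    """Return time-sorted (timestamp, mac) pairs for DHCPACKs on `ip`."""
    acks = []
    for line in lines:
        m = ACK.match(line)
        if not m or m["ip"] != ip:
            continue
        # Syslog timestamps carry no year: borrow the incident's year, and
        # step back one year for entries that would land far in the future.
        ts = datetime.strptime(f"{incident.year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if ts - incident > timedelta(days=180):
            ts = ts.replace(year=ts.year - 1)
        acks.append((ts, m["mac"].lower()))
    return sorted(acks)

def holder_at(lines, ip, incident):
    """Last ACK on `ip` at or before `incident`, and the next change of holder."""
    before = after = None
    for ts, mac in parse_acks(lines, ip, incident):
        if ts <= incident:
            before = (ts, mac)
        elif before is None or mac != before[1]:
            after = (ts, mac)
            break
    return before, after

# Constructed sample lines (not real log data); dhcplog.1 content comes first.
SAMPLE = [
    "Dec 30 09:15:02 cas1 dhcpd: DHCPACK on 10.1.20.57 to 00:16:cb:aa:bb:01 via eth1",
    "Jan  3 13:41:10 cas1 dhcpd: DHCPACK on 10.1.20.57 to 00:16:CB:AA:BB:02 (dorm-pc) via eth1",
    "Jan  3 13:50:00 cas1 dhcpd: DHCPACK on 10.1.20.99 to 00:16:cb:aa:bb:09 via eth1",
    "Jan  4 08:05:33 cas1 dhcpd: DHCPACK on 10.1.20.57 to 00:16:cb:aa:bb:03 (laptop) via eth1",
]

if __name__ == "__main__":
    print(holder_at(SAMPLE, "10.1.20.57", datetime(2014, 1, 3, 15, 30)))
```

An ACK before the incident only shows who last obtained the address; compare its timestamp with the lease length configured on the server before treating that MAC as the holder at the incident time.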
