[Casper] Trolling the Logs

Clinton Blackmore clinton.blackmore at westwind.ab.ca
Fri Feb 27 08:55:36 PST 2009


Greetings.

Feel free to scroll down to my (somewhat generic) question that comes  
after a bunch of specific pre-amble.


We (still) have an issue where students are unable to authenticate,  
which does not seem to be tied to which machine they are using or  
which user they are, and is alleviated when we reboot our open  
directory master.  I learned at a meeting the other day that the  
problem is much more widespread than I'd imagined.  [Incidentally, the  
promising instructions at http://discussions.apple.com/thread.jspa?messageID=8221483 
  did not repair our ODM, and we mean to replace it ASAP.]

I just found out about the "last" command, which shows how long users  
log in.  On a computer where issues occurred, the output shows:

CJHS-eMacLab-15 (192.168.20.75)
Leav695   console                   Wed Feb 25 14:33 - 15:18  (00:44)
Leav848   console                   Wed Feb 25 08:46 - 09:30  (00:44)
Sugd358   console                   Tue Feb 24 09:05 - 09:23  (00:17)
reboot    ~                         Mon Feb 23 13:28
Nels177   console                   Mon Feb 23 12:56 - crash  (00:32)
reboot    ~                         Mon Feb 23 12:54
Nels177   console                   Mon Feb 23 12:53 - crash  (00:01)
Zaug139   console                   Fri Feb 13 10:57 - 12:52 (10+01:54)
Smit292   console                   Fri Feb 13 10:03 - 10:57  (00:53)
Russ532   console                   Fri Feb 13 09:37 - 09:58  (00:21)
Gibb964   console                   Fri Feb 13 08:51 - 09:07  (00:16)
Wynd235   console                   Thu Feb 12 14:35 - 14:54  (00:18)
Schm734   console                   Thu Feb 12 13:42 - 14:29  (00:47)

It is obvious that Nels177 could not log in; he is listed as logged in  
for 1 and 32 seconds, and he rebooted the computer twice.

It is worth noting that the computer usage logs in Casper show:

Computer Usage Logs

   logout  	 Leav695  	 Wednesday, February 25 2009 at 3:18 PM
   login  	 Leav695  	 Wednesday, February 25 2009 at 2:33 PM
   logout  	 Leav848  	 Wednesday, February 25 2009 at 9:31 AM
   login  	 Leav848  	 Wednesday, February 25 2009 at 8:46 AM
   logout  	 Sugd358  	 Tuesday, February 24 2009 at 9:23 AM
   login  	 Sugd358  	 Tuesday, February 24 2009 at 9:05 AM
   startup  	   	 Monday, February 23 2009 at 1:29 PM
   login  	 Nels177  	 Monday, February 23 2009 at 12:56 PM
   startup  	   	 Monday, February 23 2009 at 12:55 PM
   login  	 Nels177  	 Monday, February 23 2009 at 12:53 PM
   logout  	 Zaug139  	 Monday, February 23 2009 at 12:52 PM

Interesting.  They show that he did log in and that the next action  
was that the computer restarted.  Here I thought Casper missed the  
event entirely.


The Question:

I have created a policy to run the "last" command on all of our  
computers, and it will create a number of logs for each computer (each  
day).  Does anyone have any advice on how to troll through the data?

I might be able to go to the policy log page and download every link  
from it (page after page), either manually (shudder) or with a script  
(maybe using twill).

Alternatively, I have granted myself access to the MySQL database that  
Casper is using.  I have been able to get at snippets of the data in  
that way.

So, does anyone troll their logs for data in ways like this, and if  
so, do you have any advice to offer (before I spend a fair chunk of  
time seeing if I can get data into files and grep it or figure out how  
to do some non-beginner SQL searches on it)?  Or is there another  
method altogether that I should look into?

Thank you,
Clinton Blackmore
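
Added example, not part of the original message and not Casper's own code: one way to scan collected "last" output for the pattern shown above, where a console session ends in "crash" rather than a logout, and to rank machines by how often it happens. The function names and the "other-host" entry in the test are assumptions; the sample lines are copied from the output quoted in the post.

```python
import re
from collections import namedtuple

Session = namedtuple("Session", "user tty start end minutes")

# user, tty, optional host column, start time, then "- end (duration)" if closed.
LAST_LINE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+.*?"
    r"(?P<start>[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d \d\d:\d\d)"
    r"(?:\s+-\s+(?P<end>\S+)\s+\((?:(?P<d>\d+)\+)?(?P<h>\d+):(?P<m>\d\d)\))?"
)

def parse_last(text):
    """Turn `last` output into Session tuples; unparseable lines are skipped."""
    sessions = []
    for line in text.splitlines():
        m = LAST_LINE.match(line.strip())
        if not m or m["user"] == "wtmp":  # skip the "wtmp begins ..." trailer
            continue
        minutes = None  # stays None for reboot markers and open sessions
        if m["end"]:
            # Duration is printed as (HH:MM) or (days+HH:MM).
            minutes = (int(m["d"] or 0) * 24 + int(m["h"])) * 60 + int(m["m"])
        sessions.append(Session(m["user"], m["tty"], m["start"], m["end"], minutes))
    return sessions

def crashed_sessions(text):
    """Login sessions that ended with a crash/reboot instead of a logout."""
    return [s for s in parse_last(text) if s.end == "crash"]

def crash_counts(reports):
    """reports: {hostname: last output}. Hosts with crashed sessions, worst first."""
    counts = {host: len(crashed_sessions(t)) for host, t in reports.items()}
    return sorted(((h, n) for h, n in counts.items() if n), key=lambda x: -x[1])

# Sample lines taken from the CJHS-eMacLab-15 output quoted in the message.
SAMPLE = """\
Sugd358   console                   Tue Feb 24 09:05 - 09:23  (00:17)
reboot    ~                         Mon Feb 23 13:28
Nels177   console                   Mon Feb 23 12:56 - crash  (00:32)
reboot    ~                         Mon Feb 23 12:54
Nels177   console                   Mon Feb 23 12:53 - crash  (00:01)
Zaug139   console                   Fri Feb 13 10:57 - 12:52 (10+01:54)
"""

if __name__ == "__main__":
    for s in crashed_sessions(SAMPLE):
        print(s.user, s.start, s.minutes)
```

Feeding crash_counts a dictionary of hostname to "last" output, however it was exported from the policy logs, gives a per-machine tally that can be compared against the times the directory master was rebooted.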



