https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-xql-quot-xdr-event-log-quot-quot-var-log-secure-quot/m-p/582385#M6455 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/263514">@frank.f.lu</a>&nbsp;</P> <P>&nbsp;</P> <P>Thanks for reaching out on LiveCommunity!</P> <P><SPAN>"var/log/wtmp" contains the historical data regarding user login and logout events. For more details please refer linux documentation.</SPAN></P> Tue, 02 Apr 2024 15:59:56 GMT nsinghvirk 2024-04-02T15:59:56Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-xql-quot-xdr-event-log-quot-quot-var-log-secure-quot/m-p/581793#M6414 <P><LI-PRODUCT title="Cortex XDR" id="Cortex_XDR"></LI-PRODUCT>&nbsp;</P> <P>Dear all,</P> <P>&nbsp;</P> <P>Does anyone know the log source for&nbsp;action_evtlog_provider_name = "var/log/wtmp"? As I know, wtmp is last log as follow:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="frankflu_0-1711511236457.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/58674iB99556370CC8D267/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="frankflu_0-1711511236457.png" alt="frankflu_0-1711511236457.png" /></span></P> <P>However, I find that the result is not only wtmp log but also secure successful log in cortex XDR:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="frankflu_1-1711511470023.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/58675i81C9C1AAA05AB773/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="frankflu_1-1711511470023.png" alt="frankflu_1-1711511470023.png" /></span></P> <P>&nbsp;</P> <P>So does anyone know the real log source for "var/log/wtmp" or the&nbsp;mechanism? Thanks a lot!</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 27 Mar 2024 03:54:28 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-xql-quot-xdr-event-log-quot-quot-var-log-secure-quot/m-p/581793#M6414 frank.f.lu 2024-03-27T03:54:28Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-xql-quot-xdr-event-log-quot-quot-var-log-secure-quot/m-p/582385#M6455 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/263514">@frank.f.lu</a>&nbsp;</P> <P>&nbsp;</P> <P>Thanks for reaching out on LiveCommunity!</P> <P><SPAN>"var/log/wtmp" contains the historical data regarding user login and logout events. For more details please refer linux documentation.</SPAN></P> Tue, 02 Apr 2024 15:59:56 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-xql-quot-xdr-event-log-quot-quot-var-log-secure-quot/m-p/582385#M6455 nsinghvirk 2024-04-02T15:59:56Z