By Brian Leonard on Jul 15, 2010
Continuing on the thread of who logged in last, Richard Hamilton has provided a nice little C program to dump the contents of /var/adm/lastlog. Here's what he has to say about lastlog:
/var/adm/lastlog: this file is an array of fixed-sized binary records, containing a single timestamp (time of last login), the tty name, and for remote logins, the host name or IP (in text form, but only 16 characters long). The UID of the user is the record number. That means the file may appear gigantic, but it's actually sparse on disk, not nearly as large as it appears. But most copy/backup/archive utilities do not preserve sparseness, so they would produce a copy that was as large as it appeared.
I've attached the source for a program that will dump out this file in readable form. Remember, there's only one entry per UID, so it will show only the single most recent login time (even if they're logged in more than once at a time), and it does not show logouts. But with a fixed set of users, it doesn't grow, so people tend to leave it alone and not blow it away. In other words, it may not be all the information you want, but it's more likely to be there.
To build the program, you'll need a C compiler. If you don't already have one installed, there are several to choose from, but for this small C program I'm going with the GNU C compiler.
bleonard@os200906:~$ pfexec pkg install SUNWgcc
DOWNLOAD                                  PKGS       FILES    XFER (MB)
Completed                                  4/4   2100/2100  30.26/30.26

PHASE                                        ACTIONS
Install Phase                              2537/2537
Once SUNWgcc is installed, download lastlog.c and compile it as follows:
bleonard@os200906:~/Downloads$ gcc lastlog.c -o lastlog
Then run it to see the contents of /var/adm/lastlog:
bleonard@os200906:~/Downloads$ ./lastlog
root      console  Fri Dec  5 18:47:28 2008
bleonard  console  Wed Jul 14 11:26:48 2010
karl      pts/5    Thu Jul 15 11:12:57 2010  10.0.1.9
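The record layout described above, read back by UID in C. This is an added example, not the lastlog.c from the post. The 4-byte timestamp and 8-byte tty field are assumptions modelled on Solaris's <lastlog.h>; ll_rec, ll_entry, ll_lookup and ll_store are hypothetical names, and the sample records are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed 28-byte record, modelled on Solaris <lastlog.h>; record number = UID.
 * A completely filled ll_line or ll_host carries no NUL terminator. */
struct ll_rec {
    int32_t ll_time;     /* last login, seconds since the epoch; 0 = never */
    char    ll_line[8];  /* tty name */
    char    ll_host[16]; /* remote host or IP as text */
};
struct ll_entry { long time; char line[9]; char host[17]; };

/* 1 = login recorded, 0 = empty slot (hole or past EOF), -1 = I/O error. */
int ll_lookup(FILE *fp, unsigned long uid, struct ll_entry *out)
{
    struct ll_rec r;
    memset(out, 0, sizeof *out);   /* keeps line/host NUL-terminated */
    if (fseek(fp, (long)(uid * sizeof r), SEEK_SET) != 0) return -1;
    if (fread(&r, sizeof r, 1, fp) != 1) return ferror(fp) ? -1 : 0;
    if (r.ll_time == 0) return 0;  /* a sparse hole reads back as zeros */
    out->time = r.ll_time;
    memcpy(out->line, r.ll_line, sizeof r.ll_line);
    memcpy(out->host, r.ll_host, sizeof r.ll_host);
    return 1;
}

/* Hypothetical helper: writes one constructed record for the demo. */
int ll_store(FILE *fp, unsigned long uid, long t, const char *line, const char *host)
{
    struct ll_rec r = { (int32_t)t, {0}, {0} };
    size_t nl = strlen(line), nh = strlen(host);
    memcpy(r.ll_line, line, nl < sizeof r.ll_line ? nl : sizeof r.ll_line);
    memcpy(r.ll_host, host, nh < sizeof r.ll_host ? nh : sizeof r.ll_host);
    if (fseek(fp, (long)(uid * sizeof r), SEEK_SET) != 0) return -1;
    return fwrite(&r, sizeof r, 1, fp) == 1 ? 0 : -1;
}

int main(void)
{
    struct ll_entry e;
    FILE *fp = tmpfile();          /* constructed sample, not real data */
    if (!fp || ll_store(fp, 0, 1228502848L, "console", "") ||
        ll_store(fp, 101, 1279192377L, "pts/5", "10.0.1.9"))
        return 1;
    for (unsigned long uid = 0; uid <= 101; uid++)
        if (ll_lookup(fp, uid, &e) == 1)
            printf("%lu %s %ld %s\n", uid, e.line, e.time, e.host);
    return 0;
}
```

Writing UID 101 right after UID 0 leaves a hole between them, so UIDs 1 through 100 read back as zeroed records and are reported as never having logged in.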