lastlog

Continuing on the thread of who logged in last, Richard Hamilton has provided a nice little C program to dump the contents of /var/adm/lastlog. Here's what he has to say about lastlog:

/var/adm/lastlog: this file is an array of fixed-sized binary records, containing a single timestamp (time of last login), the tty name, and for remote logins, the host name or IP (in text form, but only 16 characters long). The UID of the user is the record number. That means the file may appear gigantic, but it's actually sparse on disk, not nearly as large as it appears. But most copy/backup/archive utilities do not preserve sparseness, so they would produce a copy that was as large as it appeared.

I've attached the source for a program that will dump out this file in readable form. Remember, there's only one entry per UID, so it will show only the single most recent login time (even if they're logged in more than once at a time), and it does not show logouts. But with a fixed set of users, it doesn't grow, so people tend to leave it alone and not blow it away. In other words, it may not be all the information you want, but it's more likely to be there.

To build the program, you'll need a C compiler. If you don't already have one installed, there are several to choose from, but for this small C program I'm going with the GNU C compiler.

bleonard@os200906:~$ pfexec pkg install SUNWgcc
DOWNLOAD                                    PKGS       FILES     XFER (MB)
Completed                                    4/4   2100/2100   30.26/30.26

PHASE                                        ACTIONS
Install Phase                              2537/2537

Once SUNWgcc is installed, download lastlog.c and compile it as follows:

bleonard@os200906:~/Downloads$ gcc lastlog.c -o lastlog

Then run it to see the contents of /var/adm/lastlog:

bleonard@os200906:~/Downloads$ ./lastlog
root       console  Fri Dec  5 18:47:28 2008
bleonard   console  Wed Jul 14 11:26:48 2010
karl       pts/5    Thu Jul 15 11:12:57 2010 10.0.1.9
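Richard's lastlog.c is attached to the original post rather than reproduced here, so what follows is an added example, not his program: a small decoder for the record layout he describes. It assumes the timestamp is a 4-byte little-endian value (the width is not stated above), followed by the 8-byte tty field and the 16-byte host field, and it builds its own sample records instead of opening /var/adm/lastlog; ll_dump is the function you would hand the real file's bytes to. All names here (ll_rec, ll_parse, ll_dump, ll_put, ll_demo) are mine.

```c
#include <stdint.h>
#include <string.h>
/* Record layout as described in the post (an assumption, not copied from Solaris' lastlog.h):
 * 4-byte little-endian timestamp, 8-byte tty name, 16-byte host, so 28 bytes per record,
 * and the record index is the UID. Text fields are NOT guaranteed to be NUL-terminated. */
#define LL_LINE 8
#define LL_HOST 16
#define LL_RECSZ (4 + LL_LINE + LL_HOST)
struct ll_rec { uint32_t uid, when; char line[LL_LINE + 1], host[LL_HOST + 1]; };

/* Decode the record in slot `uid`; returns 0 for an all-zero slot (user never logged in). */
static int ll_parse(const unsigned char *raw, uint32_t uid, struct ll_rec *out)
{
    uint32_t t = raw[0] | raw[1] << 8 | raw[2] << 16 | (uint32_t)raw[3] << 24;
    if (t == 0 && raw[4] == '\0') return 0;
    out->uid = uid; out->when = t;
    /* bounded copy plus an explicit NUL: never trust the on-disk field to be terminated */
    memcpy(out->line, raw + 4, LL_LINE);           out->line[LL_LINE] = '\0';
    memcpy(out->host, raw + 4 + LL_LINE, LL_HOST); out->host[LL_HOST] = '\0';
    return 1;
}
/* Walk a buffer holding the whole file, skipping sparse slots and any partial trailing
 * record; returns the number of entries stored in out. */
size_t ll_dump(const unsigned char *buf, size_t len, struct ll_rec *out, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; (i + 1) * LL_RECSZ <= len && n < max; i++)
        n += ll_parse(buf + i * LL_RECSZ, (uint32_t)i, &out[n]);
    return n;
}
/* Encode one record, so the constructed sample below is built in code rather than typed as hex. */
static void ll_put(unsigned char *dst, uint32_t t, const char *line, const char *host)
{
    memset(dst, 0, LL_RECSZ);
    for (int i = 0; i < 4; i++) dst[i] = (unsigned char)(t >> (8 * i));
    strncpy((char *)dst + 4, line, LL_LINE);           /* may fill all 8 bytes: no NUL */
    strncpy((char *)dst + 4 + LL_LINE, host, LL_HOST); /* likewise, all 16 bytes */
}
/* Constructed sample: UID 0 on the console, UID 1 never logged in (sparse), UID 2 remote.
 * 1228520848 is 0x4939BD90; its high bytes '9','I' are what the fwtmp dump further down
 * this page shows for the first (root) record, which is what motivated the assumed layout. */
size_t ll_demo(struct ll_rec *out, size_t max)
{
    static unsigned char buf[3 * LL_RECSZ];
    ll_put(buf, 1228520848u, "console", "");                       /* Dec 2008 */
    ll_put(buf + 2 * LL_RECSZ, 1279206777u, "pts/5", "10.0.1.9");  /* Jul 2010 */
    return ll_dump(buf, sizeof buf, out, max);
}
```

To print the entries the way the listing above does, widen `when` to a `time_t` before handing it to ctime(3C) and map `uid` to a name with getpwuid(3C); a slot's absence from the output means that UID has no recorded login, not that the user does not exist.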

Comments:

Why not just use fwtmp(1m)? "fwtmp reads from the standard input and writes to the standard output, converting binary records of the type found in /var/adm/wtmpx to formatted ASCII records."

http://docs.sun.com/app/docs/doc/816-5166/fwtmp-1m?l=en&a=view

Posted by Steve on July 15, 2010 at 12:54 PM GMT #

The output for me of fwtmp isn't at all usable.

bleonard@opensolaris:~$ /usr/lib/acct/fwtmp < /var/adm/lastlog
��9Iconsole 0 0 0000 0000 0 0 0 0 Wed Dec 31 19:00:00 1969
0 0 0000 0000 0 0 0 0 Wed Dec 31 19:00:00 1969
0

Am I using the command incorrectly? Are you sure lastlog is written in the same binary format as wtmpx?

Posted by Brian Leonard on July 15, 2010 at 02:27 PM GMT #

BTW, /var/adm/lastlog is NOT a public interface. It could go away eventually.

Think of ephemeral UIDs. Yes, we could make them work by updating a better database as well as lastlog, and then truncating lastlog at boot time. But still, you can see the danger of using lastlog directly.

Posted by Nico on July 16, 2010 at 01:43 PM GMT #

Brian: ahh yes, the /var/adm/lastlog is not in the same format as /var/adm/wtmpx.

But surely decoding wtmpx via fwtmp is the way to go? It has all the details of who logged in from where, and when.

Posted by Steve on July 17, 2010 at 03:28 AM GMT #
