
News, tips, partners, and perspectives for the Oracle Solaris operating system

lastlog

Guest Author

Continuing on the thread of who logged in last, Richard Hamilton has provided a nice little C program to dump the contents of /var/adm/lastlog. Here's what he has to say about lastlog:

/var/adm/lastlog:
this file is an array of fixed-sized binary records, containing a single timestamp (time of last login), the tty name, and, for remote logins, the host name or IP (in text form, but only 16 characters long). The UID of the user is the record number. That means the file may appear gigantic, but it's actually sparse on disk, not nearly as large as it appears. But most copy/backup/archive utilities do not preserve sparseness, so they would produce a copy that was as large as it appeared.

I've attached the source for a program that will dump out this file in readable form. Remember, there's only one entry per UID, so it will show only the single most recent login time (even if they're logged in more than once at a time), and it does not show logouts. But with a fixed set of users, it doesn't grow, so people tend to leave it alone and not blow it away. In other words, it may not be all the information you want, but it's more likely to be there.

To build the program, you'll need a C compiler. If you don't already have one installed, there are several to choose from, but for this small C program I'm going with the GNU C compiler.

bleonard@os200906:~$ pfexec pkg install SUNWgcc
DOWNLOAD                                  PKGS       FILES     XFER (MB)
Completed                                  4/4   2100/2100   30.26/30.26

PHASE                                        ACTIONS
Install Phase                              2537/2537

Once SUNWgcc is installed, download lastlog.c and compile it as follows:

bleonard@os200906:~/Downloads$ gcc lastlog.c -o lastlog

Then run it to see the contents of /var/adm/lastlog:

bleonard@os200906:~/Downloads$ ./lastlog
root console Fri Dec 5 18:47:28 2008
bleonard console Wed Jul 14 11:26:48 2010
karl pts/5 Thu Jul 15 11:12:57 2010 10.0.1.9
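Richard's lastlog.c itself is not reproduced on this page. What follows is an added example written for this post, not his program and not Solaris code: it decodes the same record layout from an in-memory image of the file and produces a listing in the same shape as the output above. It assumes the Solaris <lastlog.h> layout (a 32-bit login time, an 8-byte tty name and a 16-byte host, 28 bytes per record, record N belonging to UID N); the sample image with its UIDs, timestamps and host names is constructed for the example. Two things Richard's description implies but a naive dump gets wrong are handled: a slot that is a hole in the sparse file reads back as all zeros and must be skipped rather than printed as a login in 1969, and a full 8- or 16-byte field carries no terminating NUL, so it has to be copied by length rather than with strcpy or a bare %s. Because the host field is text supplied by the remote end of the login, non-printable bytes are replaced before printing so a crafted hostname cannot inject terminal escape sequences into the listing.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <ctype.h>
#include <time.h>

/* On-disk record layout assumed here, matching Solaris <lastlog.h>: a 32-bit
 * login time, an 8-byte tty name and a 16-byte host, none of them guaranteed
 * to be NUL-terminated. Record N is the entry for UID N. */
#define LL_LINESIZE 8
#define LL_HOSTSIZE 16

struct ll_rec {
    int32_t ll_time;
    char    ll_line[LL_LINESIZE];
    char    ll_host[LL_HOSTSIZE];
};
#define LL_RECSIZE sizeof(struct ll_rec)
_Static_assert(sizeof(struct ll_rec) == 28, "lastlog record must be 28 bytes");

/* Decoded record: fields copied out, NUL-terminated and made printable. */
struct ll_entry {
    long    uid;
    int32_t when;
    char    line[LL_LINESIZE + 1];
    char    host[LL_HOSTSIZE + 1];
};

/* Copy a fixed-width field: stop at the first NUL, never read past n bytes,
 * and replace control/non-ASCII bytes with '?' so remote-supplied text
 * cannot carry terminal escapes into the output. */
static void field_copy(char *dst, const char *src, size_t n)
{
    size_t i;
    for (i = 0; i < n && src[i] != '\0'; i++)
        dst[i] = isprint((unsigned char)src[i]) ? src[i] : '?';
    dst[i] = '\0';
}

/* Decode the record for `uid` from an image of the file.  Returns 1 if a
 * record is present, 0 if the slot is empty (all zero, which is what a hole
 * in the sparse file reads back as), -1 if uid lies past the end of the
 * image or the image is not a whole number of records. */
int ll_lookup(const unsigned char *img, size_t len, long uid, struct ll_entry *out)
{
    struct ll_rec rec;
    size_t off;
    if (len % LL_RECSIZE != 0 || uid < 0)
        return -1;
    off = (size_t)uid * LL_RECSIZE;
    if (off + LL_RECSIZE > len)
        return -1;
    memcpy(&rec, img + off, LL_RECSIZE);
    if (rec.ll_time == 0 && rec.ll_line[0] == '\0' && rec.ll_host[0] == '\0')
        return 0;
    out->uid = uid;
    out->when = rec.ll_time;
    field_copy(out->line, rec.ll_line, LL_LINESIZE);
    field_copy(out->host, rec.ll_host, LL_HOSTSIZE);
    return 1;
}

/* Number of UIDs that have ever logged in, i.e. non-empty records. */
long ll_count(const unsigned char *img, size_t len)
{
    long n = 0, uid;
    struct ll_entry e;
    for (uid = 0; (size_t)uid * LL_RECSIZE < len; uid++)
        if (ll_lookup(img, len, uid, &e) == 1)
            n++;
    return n;
}

/* Write one record into a constructed image.  strncpy pads short values with
 * NULs but, like login itself, leaves no terminator when the field is full. */
static void put_rec(unsigned char *img, long uid, int32_t t, const char *line, const char *host)
{
    struct ll_rec rec;
    memset(&rec, 0, sizeof rec);
    rec.ll_time = t;
    strncpy(rec.ll_line, line, LL_LINESIZE);
    strncpy(rec.ll_host, host, LL_HOSTSIZE);
    memcpy(img + (size_t)uid * LL_RECSIZE, &rec, LL_RECSIZE);
}

#define SAMPLE_UIDS 120
/* Constructed sample image (not real data): four logins, every other slot a
 * zero-filled hole.  UID 102's host fills all 16 bytes with no NUL; UID 103's
 * host starts with an escape sequence. */
size_t build_sample(unsigned char *img)
{
    memset(img, 0, SAMPLE_UIDS * LL_RECSIZE);
    put_rec(img,   0, 1228520848, "console", "");
    put_rec(img, 101, 1279206777, "pts/5",   "10.0.1.9");
    put_rec(img, 102, 1279300000, "pts/7",   "host-0123456789a");
    put_rec(img, 103, 1279300100, "pts/9",   "\x1b[2Jevil");
    return SAMPLE_UIDS * LL_RECSIZE;
}

int main(void)
{
    unsigned char img[SAMPLE_UIDS * LL_RECSIZE];
    size_t len = build_sample(img);
    struct ll_entry e;
    long uid;
    for (uid = 0; (size_t)uid * LL_RECSIZE < len; uid++) {
        if (ll_lookup(img, len, uid, &e) != 1)
            continue;                      /* skip sparse holes */
        time_t t = e.when;
        char ts[32];
        strftime(ts, sizeof ts, "%a %b %e %H:%M:%S %Y", gmtime(&t));
        printf("%-6ld %-8s %s %s\n", e.uid, e.line, ts, e.host);
    }
    return 0;
}
```

To run the same functions over the real file, read /var/adm/lastlog into a buffer with fread and hand that buffer to ll_lookup; it rejects an image whose size is not a whole number of records, which is the first thing to check on a copy taken from another host. Mapping the UID column to a name is a getpwuid(3C) call per non-empty record, and, as Richard notes above, copying the file elsewhere for analysis will materialize the holes unless the copy tool preserves sparseness.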


Comments ( 3 )
  • Brian Leonard Thursday, July 15, 2010

    The output for me of fwtmp isn't at all usable.

    bleonard@opensolaris:~$ /usr/lib/acct/fwtmp < /var/adm/lastlog

    ��9Iconsole 0 0 0000 0000 0 0 0 0 Wed Dec 31 19:00:00 1969

    0 0 0000 0000 0 0 0 0 Wed Dec 31 19:00:00 1969

    0

    Am I using the command incorrectly? Are you sure lastlog is written in the same binary format as wtmpx?


  • Nico Friday, July 16, 2010

    BTW, /var/adm/lastlog is NOT a public interface. It could go away eventually.

    Think of ephemeral UIDs. Yes, we could make them work by updating a better database as well as lastlog, and then truncating lastlog at boot time. But still, you can see the danger of using lastlog directly.


  • Steve Saturday, July 17, 2010

    Brian: ahh yes, the /var/adm/lastlog is not in the same format as /var/adm/wtmpx.

    But surely decoding wtmpx via fwtmp is the way to go ? It has all the details who logged in from where, and when.

