On a UNIX system there are several files that contain details of logins, logouts and other significant events. Most have some binary data that makes it difficult to see the real data. Here are a few very simple PERL programs that can be used to format and print these files.

wtmp

See wtmp for information on formatting and printing /var/log/wtmp.

lastlog

The lastlog file is usually found in /var/log/lastlog and contains the following information:

• Date and time of last login
• Terminal line name
• Host user came from

The following one line PERL program will format and print /var/log/lastlog but it may need modification to work on your site.

perl -we '$recs = ""; while (<>) {$recs .= $_};$uid = 0;foreach (split(/(.{292})/s,$recs)) {next if length($_) == 0;my ($binTime,$line,$host) = $_ =~/(.{4})(.{32})(.{256})/;if (defined $line && $line =~ /\w/) {$line =~ s/\x00+//g;$host =~ s/\x00+//g;printf("%5d %s %8s %s\n",$uid,scalar(gmtime(unpack("I4",$binTime))),$line,$host)}$uid++}print"\n"' < /var/log/lastlog

The items that may need modification in order to format and print your lastlog file are:

• 292 - this should be changed to the length of each record on /var/log/lastlog. To find the record length, look in /usr/include/bits/utmp.h and add the values of UT_LINESIZE (probably 32), UT_HOSTSIZE (probably 256) and 4
• 32 - this should be changed to the value of UT_LINESIZE (probably 32) in /usr/include/bits/utmp.h
• 256 - this should be changed to the value of UT_HOSTSIZE (probably 256) in /usr/include/bits/utmp.h
• /var/log/lastlog - this should be the name of the lastlog file on your system - probably /var/log/lastlog

A typical output would be (note that the user's UID is displayed and not the user name)

				
    0 Tue Aug 29 09:42:03 2006    pts/1 cygnus2.hcidata.com
   89 Tue Aug 23 22:32:19 2005    ttyp2 host217-137-20-14.no-dns-yet.ntli.net
  500 Tue Sep 12 13:45:00 2006      ftp linux.hcidata.com
  502 Fri May  5 13:04:23 2006      ftp orion.hcidata.com
  515 Thu Apr 20 21:33:59 2006    pts/0 cygnus2.hcidata.com
  519 Wed Sep 21 14:26:36 2005    pts/1 orion.hcidata.com
  537 Wed Aug 30 19:35:59 2006    pts/1 cygnus2.hcidata.com
  538 Wed Sep 13 09:29:31 2006    pts/1 orion.hcidata.com
  539 Wed Sep 13 08:58:31 2006    pts/0 cygnus2.hcidata.com
  543 Sat Mar 18 12:23:38 2006    pts/1 orion.hcidata.com
  546 Wed Aug  9 15:22:18 2006    pts/2 cygnus2.hcidata.com
  550 Mon Sep  5 14:49:42 2005    pts/1 orion.hcidata.com
 1000 Wed Mar 23 17:31:07 2005    pts/1 host81-129-187-207.range81-129.btcentralplus.com
 1001 Wed Aug 24 15:06:39 2005    ttyp1 host86-129-108-103.range86-129.btcentralplus.com
 1002 Wed Aug 24 00:26:02 2005    ttyp2 host217-137-20-6.no-dns-yet.ntli.net
 1004 Thu Aug 14 12:45:04 2003    pts/1 m136-mp1.cvx2-c.lng.dial.ntli.net
 1008 Sun Aug  3 11:42:26 2003    pts/2 m104-mp3.cvx2-a.lng.dial.ntli.net
 1009 Fri Aug  1 19:09:50 2003    pts/0 m175-mp3.cvx2-a.lng.dial.ntli.net
 1010 Thu Jun  9 13:21:14 2005    ttyp3 mailgate.dpts.co.uk
 1011 Fri Jun 24 21:34:33 2005    ttyp1 spr1-pool2-3-0-cust105.cosh.broadband.ntl.com
 1012 Tue Jul 29 11:29:33 2003    pts/1 213.253.25.11
 1015 Sat Feb 28 15:06:46 2004    pts/0 host217-137-14-107.no-dns-yet.ntli.net
 1016 Mon Jul 28 17:07:56 2003    pts/3 213.253.25.11
 1018 Thu Jul 21 14:49:26 2005    ttyp1 host86-129-119-250.range86-129.btcentralplus.com
 1019 Wed Aug 24 00:14:05 2005    ttyp1 host217-137-20-14.no-dns-yet.ntli.net
 1020 Thu Feb 26 22:50:04 2004    pts/2 host217-137-24-39.no-dns-yet.ntli.net
 1021 Thu Mar 25 08:29:06 2004    pts/0 host217-137-14-81.no-dns-yet.ntli.net
 1022 Tue Aug  9 12:53:17 2005    ttyp1 host86-129-110-205.range86-129.btcentralplus.com
 1024 Mon Jul 18 15:47:08 2005    ttyp1 host217-137-20-2.no-dns-yet.ntli.net
 1025 Thu Jul 21 23:30:44 2005    ttyp2 host217-137-20-22.no-dns-yet.ntli.net