HCI Data Ltd
Formatting and Printing Wtmp
Home Internet Tools

On a UNIX system there are several files that contain details of logins, logouts and other significant events. Most have some binary data that makes it difficult to see the real data. Here are a few very simple PERL programs that can be used to format and print these files.

lastlog

See lastlog for information on formatting and printing /var/log/lastlog.

wtmp

The wtmp log file is usually found in /var/log/wtmp and contains the following information:

  • Activity code (e.g. login, logout, boot)
  • PID
  • Date and time of last login
  • Terminal line name
  • Host user came from

The following one line PERL program will format and print /var/log/wtmp but it may need modification to work on your site.

perl -we '@type=("Empty","Run Lvl","Boot","New Time","Old Time","Init","Login","Normal","Term","Account");$recs = ""; while (<>) {$recs .= $_};foreach (split(/(.{384})/s,$recs)) {next if length($_) == 0;my ($type,$pid,$line,$inittab,$user,$host,$t1,$t2,$t3,$t4,$t5) = $_ =~/(.{4})(.{4})(.{32})(.{4})(.{32})(.{256})(.{4})(.{4})(.{4})(.{4})(.{4})/s;if (defined $line && $line =~ /\w/) {$line =~ s/\x00+//g;$host =~ s/\x00+//g;$user =~ s/\x00+//g;printf("%s %-8s %-12s %10s %-45s \n",scalar(gmtime(unpack("I4",$t3))),$type[unpack("I4",$type)],$user,$line,$host)}}print"\n"' < /var/log/wtmp

The items that may need modification in order to format and print your lastlog file are:

  • 384 - this should be changed to the length of each record on /var/log/wtmp.
  • 32 - this should be changed to the value of UT_LINESIZE (probably 32) in /usr/include/bits/utmp.h
  • 32 - this should be changed to the value of UT_NAMESIZE](probably 32) in /usr/include/bits/utmp.h
  • 256 - this should be changed to the value of UT_HOSTSIZE (probably 256) in /usr/include/bits/utmp.h
  • /var/log/wtmp - this should be the name of the lastlog file on your system - probably /var/log/wtmp

A typical output would be:

       
Tue Sep 12 10:50:23 2006 Normal   x23456u        ftpd9915 217.154.59.173
Tue Sep 12 10:55:04 2006 Term                       ttyp0
Tue Sep 12 10:55:14 2006 Normal   w23456u           ttyp0 host86-129-123-5.range86-129.btcentralplus.com
Tue Sep 12 10:55:35 2006 Term                    ftpd9915 217.154.59.173
Tue Sep 12 11:45:00 2006 Term                       ttyp0
Tue Sep 12 12:15:25 2006 Normal   v23456u          ttyp0 host86-129-123-5.range86-129.btcentralplus.com
Tue Sep 12 12:45:56 2006 Term                       ttyp0
Tue Sep 12 12:46:18 2006 Normal   h23456u           ttyp0 host86-129-123-5.range86-129.btcentralplus.com
Tue Sep 12 15:34:36 2006 Login    LOGIN              tty1
Tue Sep 12 15:34:36 2006 Login    LOGIN              tty2
Tue Sep 12 15:34:36 2006 Login    LOGIN              tty3
Tue Sep 12 15:34:36 2006 Login    LOGIN              tty4
Tue Sep 12 15:34:36 2006 Login    LOGIN              tty5
Tue Sep 12 15:34:36 2006 Login    LOGIN              tty6
Tue Sep 12 15:34:43 2006 Normal   h23456u           ttyp0 host86-129-123-5.range86-129.btcentralplus.com
Tue Sep 12 15:45:07 2006 Normal   h23456u        ftpd1174 host86-129-123-5.range86-129.btcentralplus.com
Tue Sep 12 15:45:11 2006 Term                    ftpd1174 host86-129-123-5.range86-129.btcentralplus.com
Tue Sep 12 16:13:01 2006 Normal   h23456u           ttyp1 proton.positive-internet.com
Tue Sep 12 16:13:16 2006 Term                       ttyp1
Tue Sep 12 16:13:23 2006 Normal   h23456u           ttyp1 proton.positive-internet.com
Tue Sep 12 17:03:07 2006 Term                       ttyp0


HCI Data Ltd is a member of the Federation of Small Businesses
Last Updated : Wednesday, 12-Sep-2007
HCI Data Ltd.

Valid XHTML 1.0! Valid CSS!