[opensuse] /var/log/wtmp (rotated files & "last")
We had some problems with our mail server, and a lot of our e-mails were lost, so I am resending this post -

*** Disclaimer *** The information contained in this e-mail is confidential and legally privileged and is intended solely for the addressee and to others who have the authority to receive it. Access to this e-mail by anyone else is unauthorized and as such, any disclosure, copying, distribution or any action taken or omitted in reliance on it is unlawful. If you have received this e-mail in error, please notify the sender immediately. The views expressed in this e-mail are the views of the individual sender and should in no way be construed as the views of the Company. The Company is not liable to ensure that outgoing e-mails are virus-free. The Company is not liable, should information or data, for whatever reason, be corrupted or fail to reach its intended addressee. The Company is not liable for any loss or damage of whatsoever nature and howsoever arising resulting from the opening or the use of the information in this e-mail, including its attachments and links. The sender of this e-mail is subject to and bound by the terms and conditions of Company's Electronic Communications Usage Policy.

From: Per Jessen [mailto:per@computer.org]
Sent: 23 April 2008 07:56 AM
To: Dirk Moolman
Cc: opensuse@opensuse.org
Subject: Re: [opensuse] /var/log/wtmp ("last" info not complete)
Dirk Moolman wrote:
It will rotate whenever the file is bigger than 400K. The logrotate process is usually done once per day - check your /etc/cron.daily directory.

Where will I find the old files?
They are typically left in the same directory as the logfile being rotated, although I think there is an option for having them moved elsewhere. If you're rotating /var/log/wtmp, I would expect to find a few /var/log/wtmp-2008mmdd.gz (depending on how often you rotate).
/Per
I have found the old (rotated) wtmp files (a sample is listed below)

Question: The "last" command only reads from /var/log/wtmp. How can I get last to also read from the old log files ..... my problem is that I need login history on a specific login for the last 6 months.

Sample files:
-rw-rw-r-- 1 root tty 44173 Apr 4 04:15 /var/log/wtmp-20080404.gz
-rw-rw-r-- 1 root tty 45198 Apr 8 04:15 /var/log/wtmp-20080408.gz
-rw-rw-r-- 1 root tty 46395 Apr 10 04:15 /var/log/wtmp-20080410.gz
-rw-rw-r-- 1 root tty 45049 Apr 12 04:15 /var/log/wtmp-20080412.gz
-rw-rw-r-- 1 root tty 46188 Apr 16 04:15 /var/log/wtmp-20080416.gz
-rw-rw-r-- 1 root tty 27670 Apr 17 04:15 /var/log/wtmp-20080417.gz
-rw-rw-r-- 1 root tty 32583 Apr 18 04:15 /var/log/wtmp-20080418.gz
-rw-rw-r-- 1 root tty 52222 Apr 22 04:15 /var/log/wtmp-20080422.gz
-rw-rw-r-- 1 root tty 25232 Apr 23 04:15 /var/log/wtmp-20080423.gz
-rw-rw-r-- 1 root tty 499968 Apr 24 11:08 /var/log/wtmp

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
Dirk Moolman wrote:
I have found the old (rotated) wtmp files (a sample is listed below)
Question: The "last" command only reads from /var/log/wtmp. How can I get last to also read from the old log files ..... my problem is that I need login history on a specific login for the last 6 months.
You can use the '-f' option on last or you can just zgrep through the rotated logfiles.
/Per Jessen, Zürich
Thank you Per. I took the -f option, and wrote a script to do this for me - not very pretty, but it does the job.

Basic steps I followed:
1. copied all the compressed (.gz) files into a temporary folder
2. unzipped all of them
3. for i in `ls -la wtmp* | awk '{print $9}'`
   do
     last -f $i my_login
   done

-----Original Message-----
From: Per Jessen [mailto:per@computer.org]
Sent: 24 April 2008 12:33 PM
To: opensuse@opensuse.org
Subject: Re: [opensuse] /var/log/wtmp (rotated files & "last")

Dirk Moolman wrote:
I have found the old (rotated) wtmp files (a sample is listed below)
Question: The "last" command only reads from /var/log/wtmp. How can I get last to also read from the old log files ..... my problem is that I need login history on a specific login for the last 6 months.
You can use the '-f' option on last or you can just zgrep through the rotated logfiles.
/Per Jessen, Zürich
On Thursday 2008-04-24 12:58, Dirk Moolman wrote:
Thank you Per. I took the -f option, and wrote a script to do this for me - not very pretty, but it does the job.
Basic steps I followed:
1. copied all the compressed (.gz) files into a temporary folder
2. unzipped all of them
3. for i in `ls -la wtmp* | awk '{print $9}'`
This is so fugly. ls output is nowhere the same, please use `find wtmp*` instead.
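
The approach the thread arrives at (run last -f over each rotated wtmp file), written as an added example that is not code from any of the posters: it decompresses each archive to a temporary file instead of unpacking copies, and does not parse ls output. It assumes the wtmp-YYYYMMDD.gz naming shown in the listing above; login_history and LAST_BIN are hypothetical names introduced here.

```shell
#!/bin/sh
# Added example: login history for one account from every rotated,
# gzip-compressed wtmp file plus the live file, oldest first.
# LAST_BIN (hypothetical) only substitutes the `last` binary.

login_history() {
    user=$1
    logdir=${2:-/var/log}
    tmp=$(mktemp) || return 1
    # The YYYYMMDD suffix sorts lexically, so the glob yields oldest first.
    for f in "$logdir"/wtmp-*.gz; do
        [ -e "$f" ] || continue        # glob matched nothing
        # A truncated or damaged archive is reported and skipped rather
        # than handed to last as partial records.
        if ! gzip -t "$f" 2>/dev/null; then
            echo "skipping corrupt archive: $f" >&2
            continue
        fi
        gzip -dc "$f" > "$tmp"
        echo "== $f"
        "${LAST_BIN:-last}" -f "$tmp" "$user"
    done
    # The live file is not compressed and is read in place.
    if [ -r "$logdir/wtmp" ]; then
        echo "== $logdir/wtmp"
        "${LAST_BIN:-last}" -f "$logdir/wtmp" "$user"
    fi
    rm -f "$tmp"
}

# Run only when given arguments, e.g.: sh login_history.sh my_login /var/log
if [ $# -gt 0 ]; then login_history "$@"; fi
```

How far back the history goes depends on how many rotated files logrotate keeps; a skipped archive is a gap in the record, not an absence of logins.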
participants (3)
- Dirk Moolman
- Jan Engelhardt
- Per Jessen