3

I have the lastlog from 100 machines that I need to parse. Since I have them all centrally located, is there a way to parse these? Or do I need to go back to each machine and type the "lastlog" command and then get the output?

Thank you.

linuxnoob
  • 33
  • 4
  • I can't tell from your question if you already have collected that information on a central log server, but in different files, or that all your servers are located in one DC. – HBruijn Dec 02 '14 at 15:00
  • You may prefer to collect `/var/log/wtmp` in the future, as `last` supports the `-f` option and the net result is similar data. – Aaron Copley Dec 02 '14 at 15:06
  • Possibly easier to use pam and syslog-ng.. – Grizly Dec 02 '14 at 20:33
  • http://www.kazamiya.net/bulk_extractor-rec/utmp – Ace Jul 15 '22 at 05:29

3 Answers

0

A super-hacky solution is simply to back up your machine's /var/log/lastlog, and replace it with the file from a different machine. Run lastlog to view its contents, then replace the one from your machine:

mv /var/log/lastlog /var/log/lastlog.real
cp /your/custom/lastlog /var/log/lastlog
lastlog
mv /var/log/lastlog.real /var/log/lastlog
Brandon
  • 131
  • 3
0
tail -n25 $(find /var/log/lastlog -maxdepth 1 -type f -mtime -1 | grep -v "wtmp" | grep -v "lastlog" ) |  more

Might be helpful

Ace
  • 419
  • 6
0

The standard lastlog command doesn't have an option to read an alternate lastlog data file but you could just grab the source for this and tweak it. Or use your favourite language to parse it - just standard utmp records.

Be aware that copying lastlog files around can result in large destination files if your users have high uids. By default lastlog files are sparse (so ls -l shows them as large but du -s reflects real size).

Paul Haldane
  • 4,457
  • 1
  • 20
  • 31
  • So I already have them copied over. I am not strong enough to grab the source and tweak it. And I don't know how to parse utmp records.. – linuxnoob Dec 02 '14 at 15:01
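Parsing the copied files directly, as this answer suggests, shown here as an added example that is not from the answer's author: each record in /var/log/lastlog is glibc's struct lastlog (ll_time, ll_line, ll_host), indexed by uid, and the file stores no user names, so the resolution to names needs the source machine's own /etc/passwd. The example assumes the x86 layout (292-byte records, 32-bit ll_time); other architectures use a different record size, so use the layout of the host that wrote the file.

```python
import io
import struct
from datetime import datetime, timezone

# glibc/x86 layout (i386 and x86-64): int32 ll_time, char ll_line[32], char ll_host[256] = 292 bytes.
# Assumption: the files come from x86 hosts. Other architectures (e.g. aarch64) store a 64-bit
# ll_time and a different record size, so always use the layout of the host that wrote the file.
LASTLOG_FMT = "<i32s256s"
LASTLOG_SIZE = struct.calcsize(LASTLOG_FMT)  # 292

def _cstr(raw: bytes) -> str:
    return raw.split(b"\x00", 1)[0].decode("utf-8", errors="replace")

def load_passwd(text: str) -> dict:
    """Map uid -> name from the *source machine's* /etc/passwd; lastlog stores only uids."""
    names = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            names[int(fields[2])] = fields[0]
    return names

def parse_lastlog(fobj, names=None):
    """Yield one dict per user who has logged in; the record index is the uid.
    Reads record by record so a sparse file with high uids is not slurped into memory."""
    uid = 0
    while True:
        rec = fobj.read(LASTLOG_SIZE)
        if len(rec) < LASTLOG_SIZE:
            return
        ll_time, ll_line, ll_host = struct.unpack(LASTLOG_FMT, rec)
        if ll_time != 0:  # an all-zero record is what lastlog prints as "**Never logged in**"
            yield {"uid": uid, "user": (names or {}).get(uid, str(uid)),
                   "time": datetime.fromtimestamp(ll_time, tz=timezone.utc),
                   "line": _cstr(ll_line), "host": _cstr(ll_host)}
        uid += 1

def make_record(ll_time: int, line: str, host: str) -> bytes:
    """Pack one record (only used to build the constructed sample below)."""
    return struct.pack(LASTLOG_FMT, ll_time, line.encode(), host.encode())

# Constructed sample: 1001 records, root on tty1 and uid 1000 from 192.0.2.10 over ssh.
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\nalice:x:1000:1000::/home/alice:/bin/bash\n"
SAMPLE = bytearray(LASTLOG_SIZE * 1001)
SAMPLE[0:LASTLOG_SIZE] = make_record(1417532400, "tty1", "")
SAMPLE[1000 * LASTLOG_SIZE:] = make_record(1417536000, "pts/0", "192.0.2.10")

def sample_entries():
    return list(parse_lastlog(io.BytesIO(bytes(SAMPLE)), load_passwd(SAMPLE_PASSWD)))

if __name__ == "__main__":
    for e in sample_entries():  # for a real copy: parse_lastlog(open("hostA/lastlog", "rb"), ...)
        print(f"{e['user']:<12} {e['line']:<8} {e['host']:<16} {e['time']:%Y-%m-%d %H:%M:%S}")
```

Run it once per collected file with that host's passwd copy; the file's mtime from the copy is not needed, since the login time is in each record.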