System Administration
Showing results for 
Search instead for 
Did you mean: 

converting 'last' and 'lastb' date string

Go to solution

converting 'last' and 'lastb' date string

Can anyone think of a quick and easy way to convert the date and time stamp in the wtmp/btmp entries so that:


"Mon Jun  6 20:46 "


looks like


"2011/06/06 20:46:00"


We're using Net-Syslog-0.04 to send last/lastb output to ArcSight, perhaps someone is already doing this so that we don't have to reinvent the wheel?  :)  

Hein van den Heuvel
Honored Contributor

Re: converting 'last' and 'lastb' date string

If you want to roll your own, then you'll need something along the (perl example) lines of:


use strict;

my $y=1900+(localtime)[5];     # Pick up the current year
while (<>) {                   # for this example read terst data from stdin
  m /\s*\w+\s+(\w+)\s+(\d+)\s+(\S+)/;  # Match it!
  my $m=index( q(   JanFebMarAprMayJunJulAugSepOctNovDec),$1)/3; # Calculate month
  printf qq(%4d/%02d/%02d %s:00\n), $y, $m, $2, $3;

 Just as easily done in Awk or shell.

You may have to teachit to become timezone, and language aware.

Google for strftime and such functions for more help.




Re: converting 'last' and 'lastb' date string

I'm not sure if fwtmp(1M) output has a better date format?

James R. Ferguson
Acclaimed Contributor

Re: converting 'last' and 'lastb' date string



I agree with Dennis.  Using 'fwtmp' will also show the timestamp's in Epoch seconds which then becomes easily reformatted using 'strftime()' to any format you desire.  This also has the advantage of computing the correct year when 6-months of records cross a year's boundry.


# perl -MPOSIX -le 'print strftime "%m/%d/%Y %T",localtime(1309971149)'
07/06/2011 12:52:29





Re: converting 'last' and 'lastb' date string

Thanks to everyone who replied, these are great ideas and I will work off of these.  Appreciate the help!