HPE Community
Operating System - HP-UX
1847175 Members
5473 Online
110263 Solutions
New Discussion

Re: Last command

 
SOLVED
Go to solution
carl airiel
Advisor

‎01-10-2006 01:39 AM

‎01-10-2006 01:39 AM

Last command

I'm doing a security check using last command. I have successfully created the script. But I wanted to appear in my email notification the last 3 days of both unsuccessful and successful logins. The only command that I used is this "last -R | head -50" and "lastb -R | head -50" which displays 50 lines of the file. What Can I do to display at least 3 days of logins. Thanks
0 Kudos
Reply
5 REPLIES 5
Steven E. Protter
Exalted Contributor

‎01-10-2006 01:44 AM

‎01-10-2006 01:44 AM

Solution

Re: Last command

Shalom carl,

last command includes a date display.

run your last output and grep for the last three days.

last | grep "Mar 17" for example.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Reply
Rick Garland
Honored Contributor

‎01-10-2006 01:47 AM

‎01-10-2006 01:47 AM

Re: Last command

In the majority of entries, the dates will be provided in fields $4 and $5. Beaware that some entries, like 'reboot' will throw in an extra field making the dates in $5 and $6.

Will want to parse out doing some date calculations.

Get a hold of Clay's date calculator, This will do the math for you then you can select those entries that match the results.

Reply
James R. Ferguson
Acclaimed Contributor

‎01-10-2006 01:54 AM

‎01-10-2006 01:54 AM

Re: Last command

Hi Carl:

If all you want is the last 3-days of login information, then you are going to have to parse that out.

You could use a simple 'grep' with multiple ('-e') patterns for instance.

If you want the last 3-days of *every* login no matter when the 3-days occured, I'd convert the binary file to ASCII with '/usr/sbin/acct/fwtmp' and use the epoch seconds to isolate the day ranges of interest on a per-user basis.

Examine the manpages for 'wtmps(4)' and 'fwtmp(1M)' for more information.

Regards!

...JRF...
Reply
Marco Santerre
Honored Contributor

‎01-10-2006 01:55 AM

‎01-10-2006 01:55 AM

Re: Last command

or if you are willing to put in a bit more work at set-up time, what we do over here is that every day we move a copy of the wtmp and btmp files, appending the date in the filename, over on a central server to protect the info, and we clear the local file at midnight. So then what you have is a file for each day. You can then use the last command using the -f option and specifying the file with the correct dates.
Cooperation is doing with a smile what you have to do anyhow.
Reply
Steve Steel
Honored Contributor

‎01-10-2006 02:11 AM

‎01-10-2006 02:11 AM

Re: Last command

Hi

Every night at 5 to midnight run script
on a directory where you have 3 files
rm oldest
mv older oldest
mv file older
last -R |grep "$(date| cut -f1-3 -d" ")" >
file

cat oldest
cat older
cat file

Same for bads

Steve Steel
If you want truly to understand something, try to change it. (Kurt Lewin)
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.