
search inactive users

 
Emir Faisal
Frequent Advisor

search inactive users

Hi,
How can I search for "who has logged in for the last 3 months"? I've tried 'last', but it doesn't have any 'year' information.
Everything is possible, if you don't know what you're talking about.
13 REPLIES 13
Manish Srivastava
Trusted Contributor

Re: search inactive users

Hi,

You can use the who(1) command to find the time the user logged into the system. It gives the date and time the user logged into the system.

man who will help.

manish.
Jose Mosquera
Honored Contributor

Re: search inactive users

Hi,

The "last" command output depends on the info logged in the /var/adm/wtmp file. Maybe this file is too big or corrupted. To fix:
# cp /dev/null /var/adm/wtmp

Another way to check the last login date would be checking the timestamp of .sh_history in the $HOME directory of each user. Of course, for this, users must have history logging active.

Rgds.
Emir Faisal
Frequent Advisor

Re: search inactive users

I've read the man page, but I can't make it display any year information. It only prints 31 May without the year.
Maybe I missed something from the man page? I use "who -a".
Everything is possible, if you don't know what you're talking about.
Emir Faisal
Frequent Advisor

Re: search inactive users

Will "cp /dev/null /var/adm/wtmp" zero my login record? This is not what I want.

Command line history is mostly turned off on our system.
Everything is possible, if you don't know what you're talking about.
Jose Mosquera
Honored Contributor

Re: search inactive users

Hi again,

If the year is not indicated, assume that it is the current year.

Previously you had not been specific about your issue; for that reason I thought that the problem was corruption of the file and I suggested you copy /dev/null. So please do not copy null in your case.

Try to be fully explicit in your issue description.

Rgds.
Emir Faisal
Frequent Advisor

Re: search inactive users

Hi,
I'm sorry for not being clear enough in describing my problem. I want to know who has (and hasn't) logged in to the machine for the last 3 months. This machine has been alive since 2001, with /var/adm/wtmp around 34906800 bytes.

My temporary solution is:

$ cat /var/adm/wtmp | /usr/sbin/acct/fwtmp

and parse the result with some perl script.

I'm looking for nicer solutions :D.

rgrds,
EF
Everything is possible, if you don't know what you're talking about.
Jose Mosquera
Honored Contributor

Re: search inactive users

Hi,

OK, don't worry about it. I suggest that you keep your /var/adm/wtmp file at a sane size. Your size is out of the recommended range and at any moment it could become corrupted.
The SAM/System Log Files/ menu provides you options to keep a sane size for some important log files of your system.

A trick to keep a trail of last user access is to put the following statement in your /etc/profile file:
touch $HOME/.last_login

With this, the .last_login file placed in each user's $HOME directory will be updated with the last login timestamp.

Rgds
Geoff Wild
Honored Contributor

Re: search inactive users

Try this:

for i in `cat /etc/passwd |awk -F: '{print $1}'`
do
finger $i
done

Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
Bill Hassell
Honored Contributor

Re: search inactive users

VERY IMPORTANT: wtmp has *NO* year information logged. You must truncate the file every few months. If not, last will report ghost logins and logins without logouts. This is a limitation of the wtmp file format and cannot be changed.


Bill Hassell, sysadmin
Emir Faisal
Frequent Advisor

Re: search inactive users

Mr. Bill Hassell:
wtmp did have year information in it. You can try by invoking:

cat /var/adm/wtmp | /usr/sbin/acct/fwtmp

But I don't know how to display it.

---
Mr. Jose Maria Mosquera:
I can't trim my wtmp, because there is no recommended size for the wtmp entry.

/var/adm/wtmp NA 34958520 NA

Should I manually trim it to a sane size?

rgds,
EF
Everything is possible, if you don't know what you're talking about.
Bill Hassell
Honored Contributor

Re: search inactive users

You are correct. The wtmp format is described in the wtmp man page. The date is stored in wtmp in binary. It is last (and lastb) that do not display the year.

The wtmp (and utmp and btmp) file is binary so it cannot be trimmed, at least in a simple manner. Your example:

cat /var/adm/wtmp | /usr/sbin/acct/fwtmp

is the method to convert from the binary format into ASCII. The resultant ASCII file can then be manually edited. NOTE: There may be logins that span the date you choose so a simple truncation of the ASCII file may create ghost sessions in last. There isn't an easily scriptable method to truncate wtmp or btmp. The best choice is to copy wtmp into an archive directory, then zero the current wtmp file (at reboot).

To accomplish the task of seeing who has not logged in during the last 3 months, use fwtmp to format wtmp and search the ASCII formatted output. wtmp and btmp grow without bounds so they can be very large, a good reason to zero this file every 3-6 months.


Bill Hassell, sysadmin
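
The fwtmp-based search described above, as an added example that is not part of the original thread: it keeps each user's newest login timestamp from the fwtmp text and lists the /etc/passwd accounts with no login since a cutoff. The function names, the sample records and the assumed fwtmp column order (user, id, line, pid, type, term, exit, epoch seconds, date text) are assumptions; compare the layout with your own fwtmp output before relying on it.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed fwtmp text layout:
#   user id line pid type term exit epoch date-text...
# Type 7 is USER_PROCESS (a login); other record types are ignored.

# inactive_users CUTOFF_EPOCH FWTMP_TEXT PASSWD_FILE
# Prints "user<TAB>last-login-epoch" or "user<TAB>never" for every
# passwd account that has no login record at or after CUTOFF_EPOCH.
inactive_users() {
    awk -v cutoff="$1" '
        # Pass 1: remember the newest login time per user.
        pass == 1 && NF >= 8 && $5 == 7 && $8 ~ /^[0-9]+$/ {
            if ($8 + 0 > last[$1] + 0) last[$1] = $8
            next
        }
        # Pass 2: walk the passwd file (FS is ":" for this file).
        pass == 2 && $1 != "" {
            if (!($1 in last)) print $1 "\tnever"
            else if (last[$1] + 0 < cutoff + 0) print $1 "\t" last[$1]
        }
    ' pass=1 "$2" pass=2 FS=: "$3"
}

# demo: runs inactive_users on constructed sample data (not real logs).
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/wtmp.txt" <<'EOF'
alice    ts/0 pts/0         2468  7 0000 0000 1117500000 May 31 00:40:00 2005
alice    ts/0 pts/0         2468  8 0000 0000 1117503600 May 31 01:40:00 2005
bob      ts/1 pts/1         3120  7 0000 0000 1086000000 May 31 10:40:00 2004
EOF
    cat > "$d/passwd" <<'EOF'
alice:*:101:20::/home/alice:/usr/bin/sh
bob:*:102:20::/home/bob:/usr/bin/sh
carol:*:103:20::/home/carol:/usr/bin/sh
EOF
    inactive_users 1114000000 "$d/wtmp.txt" "$d/passwd"
    rm -rf "$d"
}

# Real use (cutoff = now minus 90 days, computed with perl):
#   /usr/sbin/acct/fwtmp < /var/adm/wtmp > /tmp/wtmp.txt
#   inactive_users "$(perl -e 'print time - 90*86400')" /tmp/wtmp.txt /etc/passwd
```

Run it against archived wtmp copies as well if the live file has been zeroed within the window, otherwise every account that last logged in before the zeroing shows up as "never".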
Joseph Loo
Honored Contributor

Re: search inactive users

hi,

use this:

# /usr/bin/last -R > /tmp/whologin
to create a file "whologin" of users who successfully logged in
# /usr/bin/lastb -R > /tmp/badlogin
to create a file "badlogin" of users who failed to log in

the files created are in descending order (earliest date first)

as you have realised, there is no year in it, but you could
# /usr/bin/last -R -1000 > /tmp/last1000line_whologin
to create a file "last1000line_whologin" of the last 1000 successful logins

hope the above helps.

regards.

what you do not see does not mean you should not believe
Mohanasundaram_1
Honored Contributor

Re: search inactive users

Hi Emir,

Try this script. I checked this script and it gives me the year if it is not the current year.

#!/usr/bin/ksh
# Script to find out dormant users

while read LINE;do

# extract usernames and home directories from /etc/passwd

USER=$(echo $LINE|awk -F: '{print $1}')
HOMEDIR=$(echo $LINE|awk -F: '{print $6}')

# extract login info from finger using grep

LAST_LOGIN=$(finger ${USER}|grep -E 'Last login|Never logged')

echo "$USER\t$HOMEDIR\t$LAST_LOGIN"
done < /etc/passwd
exit

Cheers,
Mohan.
Attitude, Not aptitude, determines your altitude