I'm writing a Solaris 10 ksh script to retrieve details of logins and logouts using specific user names. The details I want are quite basic - the username, the computer logged in from, and the date and time the user logged in and logged off.
I initially thought that the 'last' command would be perfect, however its output doesn't include a year in its date information, which I need.
After further searching on this site and others I came across the fwtmp command, which I can use as follows to read the information I need:
This works fine and returns a plain text file that includes full year information in the date, but the problem is that I don't understand all of the fields contained in the output.
As far as I can tell, if field 5 contains a 7, the entry shows a login, and if field 5 contains an 8, the entry shows a logout. Assuming this is correct, I've written the following nawk commands to extract the information I need:
I appear to need different commands for the logins and logouts, as the record structure seems to be a bit different for each.
I'm then sorting the file using the following command:
This seems to sort each login record chronologically, with its corresponding logout on the following line.
What I want to know is, are my assumptions about the output format of fwtmp correct? Also, will my sort command group all the results as I've outlined?
I've tried to find a reference that explains in plain English what the format of the fwtmp output is, but have not been successful. The best I've found is someone advising to run the command 'man 4 utmpx', which does seem related, but this refers to a C header file (utmpx.h), and my C is a bit rusty at this stage.
If someone could respond to my concerns, and point me in the direction of an explanation of the ASCII output of the fwtmp command, I'd be grateful.
Apologies if this has been answered before, but I don't think it has. Thanks in advance for any assistance anyone can provide.
Thanks for the response. Here are a couple of lines from the file. These are unedited, aside from me replacing the actual log in name they contain:
I've also spaced them out a bit, numbered the fields and labeled what I think the fields mean here:
Space delimited field $5 in both lines identifies what I think is the action recorded by the line. I think '7' corresponds to a log in, and '8' corresponds to a log out.
$12 in the log in line contains what seems to be the IP address of the computer used to log in to Solaris from. This field is missing on the log out line, so it pushes out the rest of the fields - field $13 in the log in line corresponds to field $12 in the log out line, and so on for the remainder of the fields. This is why I need separate nawk commands for the two types of records.
Am I correct in what I've stated above? Also can you advise me what the fields I've labeled as '?' refer to?
Ah. Unfortunately patching it isn't an option for me as I'm not an admin on that server. I don't mind having to use two separate awk commands to retrieve the fields from the file in its current format though. Aside from the fields not lining up correctly, is there any fault with the actual data this version of fwtmp outputs?
Can you please advise me if I'm correct in my interpretation of the field contents?
Last edited by confusedAdmin; 03-01-2012 at 11:50 AM..
Sorry, I don't have access to the utmpx.h file on your system. I certainly agree with your interpretation of the essential fields (including the record type field).
Anybody got the same Solaris 10 release handy who can answer the question in full?
I cannot comment properly on your circumvention because the bug depends on whether the computer identity is available or not. Therefore it may not be consistent in every record.
I'd be tempted to detect whether $12 contains an invalid day and move an "invalid" field to the end of the record (which would then conform to the "normal" layout of a fwtmp login/logout record where the client IP address or name is the last field and has variable length).
Were it not for this awful bug I would normally split the multi-year wtmpx file into manageable chunks (years or even year-months) and use "fwtmp" in reverse to create individual archive wtmpx files with names which include the year, each of which can then be processed in "last".
Once you have done this once, you can automate the archive switchover to suit your local login/logout rate and stop the multi-year wtmpx situation ever occurring again.
Last edited by methyl; 03-01-2012 at 07:46 PM..
Reason: try to remove ambiguity
Thanks for the reply methyl, you've been very helpful so far. Regarding this comment:
Quote:
Originally Posted by methyl
I cannot comment properly on your circumvention because the bug depends on whether the computer identity is available or not. Therefore it may not be consistent in every record.
I'd be tempted to detect whether $12 contains an invalid day and move an "invalid" field to the end of the record (which would then conform to the "normal" layout of a fwtmp login/logout record where the client IP address or name is the last field and has variable length).
My reading of it is that if Solaris can't determine the IP address of the computer a user is logging in from, it doesn't include a hostname field in the login record at all, which in turn means that the login record's field numbers after the hostname are all decremented by one, which would cause my nawk command for login records to fail. Am I correct in my interpretation?
I did think I saw some inconsistent results in my output, which was one of the reasons why I started this thread in the first place. I'll have to review my results so far.
Edit: I was thinking that an easier way for me to detect log in lines that don't contain a hostname would be to simply count the number of space delimited fields nawk detects. Would that work?
Edit 2: After analysing output of various nawk commands on temp_ascii_login_file.txt I've determined that there are inconsistent formats for both Log Out and Log In lines. Please see the following:
I'll have to review some more and will post again.
---------- Post updated at 03:30 PM ---------- Previous update was at 11:14 AM ----------
Further update:
I've confirmed that both the Log In and Log Out records have the same format. The difference is that most Log In lines contain the host field, but most Log Out lines omit it.
Examples:
Here they are nicely lined up:
For each pair of log in and log out records, the format does indeed appear to be the same.
I've found a way around the variable field length in my nawk command though. Regardless of the number of fields in each line, all of the date fields are at the end, so I can count the field numbers from the end backwards. This will give a consistent result for both record formats, and can also be used for both the login and logout records.
Last edited by confusedAdmin; 03-02-2012 at 10:22 AM..
Reason: Discovered inconsistencies in both Log Out and Log In records.
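The "count from the end" approach described in the post above, written out as an added example (this is not code from the thread or from Solaris; the poster's own nawk and sort commands did not survive on the page). The field layout it assumes is modelled only on what the thread says: field 5 is the record type (7 = login, 8 = logout), the client host or IP sits before the timestamp on records that carry it, and the last five fields are a ctime-style date (weekday, month, day, HH:MM:SS, year). The sample records are constructed, and the filler values in fields 6 to 11 are placeholders, not real wtmpx data. On Solaris 10 the `awk` call would be `nawk`.

```shell
#!/bin/sh
# Added example, not code from the thread: pull login/logout sessions out of
# fwtmp ASCII records by counting fields from the END of each line, so the
# extraction works whether or not the host field is present.
#
# ASSUMED layout (modelled on the thread's description, not verified against
# a Solaris 10 utmpx.h):
#   $5      record type: 7 = login (user process), 8 = logout (dead process)
#   $12     client host/IP, present on most login records, absent on most logouts
#   last 5  ctime-style timestamp: weekday month day HH:MM:SS year
# The records in SAMPLE_RECORDS are CONSTRUCTED for this example; the numeric
# filler in fields 6-11 is not real wtmpx data. On Solaris 10 use nawk for awk.

SAMPLE_RECORDS='jsmith pts/3 pts/3 12345 7 0000 0000 0 0 0 0 10.0.0.5 Wed Feb 29 10:15:45 2012
jsmith pts/3 pts/3 12345 8 0000 0000 0 0 0 0 Wed Feb 29 11:02:10 2012
adoe pts/1 pts/1 12401 7 0000 0000 0 0 0 0 host17 Wed Feb 29 09:58:01 2012
adoe pts/1 pts/1 12401 8 0000 0000 0 0 0 0 Wed Feb 29 12:30:00 2012
jsmith pts/2 pts/2 9876 7 0000 0000 0 0 0 0 192.0.2.7 Sat Dec 31 23:59:00 2011
jsmith pts/2 pts/2 9876 8 0000 0000 0 0 0 0 Sun Jan 1 00:05:00 2012
jsmith console console 500 7 0000 0000 0 0 0 0 Mon Jan 2 08:00:00 2012
jsmith console console 500 8 0000 0000 0 0 0 0 Mon Jan 2 08:30:00 2012
reboot ~ ~ 0 2 0000 0000 0 0 0 0 Sat Dec 31 06:00:00 2011'

# Reads fwtmp-style records on stdin; writes one line per login/logout:
#   user|YYYY-MM-DD HH:MM:SS|login or logout|host ("-" when the record has none)
# sorted by user, then chronologically, so each login is followed by its logout.
extract_sessions() {
    awk '
    BEGIN {
        fixed = 11                              # fields before the optional host (assumption)
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i = 1; i <= 12; i++) mon[m[i]] = i
    }
    $5 != 7 && $5 != 8 { next }                 # boot/init/other record types are not sessions
    {
        year = $NF; hms = $(NF - 1); day = $(NF - 2); mname = $(NF - 3)
        if (!(mname in mon)) next                # tail is not a ctime date: malformed record, skip
        # Anything between the fixed fields and the 5-field timestamp is the host.
        host = (NF - 5 > fixed) ? $(NF - 5) : "-"
        action = ($5 == 7) ? "login" : "logout"
        # Numeric year/month/day make the second field sort chronologically as text.
        printf "%s|%04d-%02d-%02d %s|%s|%s\n", $1, year, mon[mname], day, hms, action, host
    }' | sort -t '|' -k1,1 -k2,2
}

# Stand-alone run over the constructed sample:
printf '%s\n' "$SAMPLE_RECORDS" | extract_sessions
```

Because the timestamp is rewritten as `YYYY-MM-DD HH:MM:SS` before sorting, a plain text sort on that field is chronological across a year boundary, which a sort on the raw `Sat Dec 31 ... 2011` / `Sun Jan 1 ... 2012` words would not be. Records of other types (the constructed `reboot` line with type 2) are dropped before the timestamp is read.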