wtmp/last weird behavior
David Rysdam
david at rysdam.org
Fri Aug 15 13:20:31 EDT 2014
First, a disclaimer: Everything I know about wtmp/last I've learned in
the last 10 minutes.
That said, it doesn't seem to be working as advertised. What am I not
understanding?
I have a computer that the children use. They each have their own login
which they use faithfully (passwords are secret) and, in the summer,
many times per day. So if I look at the output of 'last', I would expect
to see them all there.
If I point 'last' at /var/log/wtmp (the default), one child is
missing. If I point 'last' at /var/log/wtmp.1 (rotated on the first of
the month), I see them all. Fact learned: No user is misconfigured to
not be logged somehow (needless to say I'm the only admin and I did
nothing.)
Theory: Maybe 'last' is just broken but the files are still OK.
If I do a 'strings /var/log/wtmp' and grep for each child individually,
*two* are missing. A third child has entries, but far fewer than I know
he has used the computer. (Seriously, we have a timer system to make
sure everyone gets reasonable turns and it is a HUGE DEAL around our
house--there's absolutely no way he only logged in 5 or 6 times this
month.)
It could be that /var/log/wtmp stores UIDs instead of names sometimes,
which would explain the 'strings ...| grep' discrepancy. But that
half-assed theory doesn't explain a lot of the facts and doesn't really
make much sense anyway.
What's going on here?
More information about the gnhlug-discuss
mailing list