wtmp/last weird behavior

mark prgrmr at gmail.com
Fri Aug 15 21:06:09 EDT 2014 

What version of Linux is this?   Have you looked through /var/log/messages
for the corresponding login entries? Try aureport to see what auditd picked
up for login behavior.

mark


On Fri, Aug 15, 2014 at 1:20 PM, David Rysdam <david at rysdam.org> wrote:

> First, a disclaimer: Everything I know about wtmp/last I've learned in
> the last 10 minutes.
>
> That said, it doesn't seem to be working as advertised. What am I not
> understanding?
>
> I have a computer that the children use. They each have their own login
> which they use faithfully (passwords are secret) and, in the summer,
> many times per day. So if I look at the output of 'last', I would expect
> to see them all there.
>
> If I point 'last' at /var/log/wtmp (the default), one child is
> missing. If I point 'last' at /var/log/wtmp.1 (rotated on the first of
> the month), I see them all. Fact learned: No user is misconfigured to
> not be logged somehow (needless to say I'm the only admin and I did
> nothing.)
>
> Theory: Maybe 'last' is just broken but the files are still OK.
>
> If I do a 'strings /var/log/wtmp' and grep for each child individually,
> *two* are missing. A third child has entries, but far fewer than I know
> he has used the computer. (Seriously, we have a timer system to make
> sure everyone gets reasonable turns and it is a HUGE DEAL around our
> house--there's absolutely no way he only logged in 5 or 6 times this
> month.)
>
> It could be that /var/log/wtmp stores UIDs instead of names sometimes,
> which would explain the 'strings ...| grep' discrepancy. But that
> half-assed theory doesn't explain a lot of the facts and doesn't really
> make much sense anyway.
>
> What's going on here?
> _______________________________________________
> gnhlug-discuss mailing list
> gnhlug-discuss at mail.gnhlug.org
> http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.gnhlug.org/mailman/private/gnhlug-discuss/attachments/20140815/884d9c07/attachment.html

More information about the gnhlug-discuss mailing list