reboot and shutdown are pseudo-users for system reboot and shutdown, respectively. That's the mechanism for logging that information, with kernel versions to same place, without creating any special formats for the wtmp binary file.
Quote from man wtmp:
The wtmp file records all logins and logouts. Its format is exactly like utmp except that a null username indicates a logout on the associated terminal. Furthermore, the terminal name ~ with username shutdown or reboot indicates a system shutdown or reboot and the pair of terminal names | / } logs the old/new system time when date(1) changes it.
wtmp binary file do not save other than timestamp for events. For example, last calculates additional things, such as login times.
reboot system boot 2.6.32-28-generi Mon Feb 21 17:02 - 18:09 (01:07)
...
user pts/0 :0.0 Sat Feb 12 18:52 - 18:52 (00:00)
user tty7 :0 Sat Feb 12 18:52 - 20:53 (02:01)
reboot system boot 2.6.32-28-generi Sat Feb 12 08:31 - 18:09 (9+09:37)
The last column (in parentheses) is the length of event. For the user reboot, it's uptime.
After the latest reboot, time is current uptime. For earlier reboots, time is uptime after that reboot (so in the last line of my example it's uptime until the first line; there were no reboots in between). Number(s) before + means number of days. In the last line, it's 9 days, 9 hours and 37 minutes, and in the first line current uptime is 1 hour and 7 minutes.
Note, however, that this time is not always accurate — for example, after a system crash and unusual restart sequence. last calculates it as the time between it and next reboot/shutdown.
According to man last, my Arch Linux system stores login info in /var/log/wtmp. It looks to be in a binary format - that is, the usual text tools will only show you parts of it.
This command: xxd /var/log/wtmp | more shows me both text-format dotted-quad IP addresses, and fully-qualified DNS names.
I wrote the following little program to show me what was in /var/log/utmp. It appears that not every entry has a hostname/IP address, and that the binary format only has a small, fixed amount of room for the hostname.
#include <stdio.h>
#include <utmp.h>
int
main(int ac, char **av)
{
struct utmp *utmpp;
utmpname("/var/log/wtmp");
while (NULL != (utmpp = getutent())) {
printf("%s\n", utmpp->ut_host);
}
endutent();
return 0;
}
Best Answer
lastreads from a log file, usually/var/log/wtmpand prints the entries of successful login attempts made by the users in the past. The output is such that the last logged in users entry appears on top. In your case perhaps it went out of notice because of this.In order to check when was the file
/var/log/wtmpwas written last, you can usestatcommand:In order to print the output in reverse, you can pipe output of last to
GNU tac(opposite of cat) as follows: