Change the output format of the “last” command to display the year

localesolaris

I'm trying to find a way to report on the most recent login for all users on my Solaris 10 server. I'm starting with the output of the last command. Using that command, I get output like this:

bd9439    pts/1        vpn-xxx-xx-xxx-x Fri Oct 25 10:46   still logged in
vf7854    pts/1        vpn-xxx-xx-xxx-x Fri Oct 25 10:23 - 10:38  (00:15)

According to the man page, the date and time formats are controlled by locale. I've very rarely used locale settings. Is there something I can use that will change the display to include the "year" portion of the date? I'm hoping to get an output line similar to this:

bd9439    pts/1        vpn-xxx-xx-xxx-x Fri Oct 25 2013 10:46   still logged in
vf7854    pts/1        vpn-xxx-xx-xxx-x Fri Oct 25 2013 10:23 - 10:38  (00:15)

It's not clear to me if the man page was referring to the output of the last command itself or how the data is actually stored in /var/adm/wtmpx.

If there is another way to get this "last login" attribute, I'd be happy to learn it.

Best Answer

In which I half-provide context, half rant

You're running into an example of the main reason I don't like managing Solaris systems: Nothing is ever just easy.

I don't know if the locale's really going to do anything except change the order of certain portions of the timestamp around. I'm interested if anyone knows of a way to coax Solaris's last into giving the year, but I'm not going to hold my breath. Sun's software development mantra seems to have been "It Technically Works."

Sun seems to have pretty much developed something right up to the point absolutely required of them, and then pretty much stopped there. So you end up with generally accepted solutions being like these and you just keep a listed collection of workarounds for common problems.

The only way I've ever found of doing this is to use /usr/lib/acct/fwtmp to dump the entire contents of /var/adm/wtmpx to a pipe to some other program that I use for manipulating the text output (grep, tac, sed, etc).

Bonus: Since seeking the end of the file and just moving back by the fixed wtmpx record length would be asking too much, fwtmp can only print out the contents of wtmpx as they appear in the file. So you have to use some other means (probably tac) of reversing the lines, unless you're actually interested in the oldest information (which is the least likely use case, but I digress).

Depending how long your system has been in operation wtmpx might be kind of large, so you may want to go get a cup of coffee, maybe go check to see if your tires are underinflated, and maybe go read a book or two while you're at it.

The Actual Answer to your question:

This is a command that emulates last in way that is usable to most people interested in looking at login records:

# cat /var/adm/wtmpx | /usr/lib/acct/fwtmp | tac | head

You'll notice I have to pipe wtmpx in since they don't give you a means of just giving the file to fwtmp. That's because feeding it in via stdin Technically Works™ in the majority of use cases and they wouldn't have had to write a few extra lines of code. So they'd rather just make Admins do that.

This is example output of the above on on of the systems I look after:

[root@atum root]# cat /var/adm/wtmpx | /usr/lib/acct/fwtmp | tac | head
jadavis6                         ts/1 pts/1                                19410  7 0000 0000 1382723864 157168 0 19 ditirlns01.xxx.edu Fri Oct 25 13:57:44 2013
jadavis6                              sshd                                 19404  7 0000 0000 1382723864 133973 0 19 ditirlns01.xxx.edu Fri Oct 25 13:57:44 2013
oracle                                sshd                                  6640  8 0000 0000 1382713401 157107 0 0  Fri Oct 25 11:03:21 2013
oracle                           ts/1 pts/1                                 6647  8 0000 0000 1382713401 150489 0 0  Fri Oct 25 11:03:21 2013
oracle                           ts/1 pts/1                                 6647  7 0000 0000 1382712445 24488 0 23 a0003040148735.xxx.edu Fri Oct 25 10:47:25 2013
oracle                                sshd                                  6640  7 0000 0000 1382712442 304729 0 23 a0003040148735.xxx.edu Fri Oct 25 10:47:22 2013
jadavis6                              sshd                                 23537  8 0000 0000 1382560970 410725 0 0  Wed Oct 23 16:42:50 2013
jadavis6                         ts/1 pts/1                                23544  8 0000 0000 1382560970 404795 0 0  Wed Oct 23 16:42:50 2013
jadavis6                         ts/1 pts/1                                23544  7 0000 0000 1382552999 619524 0 19 ditirlns01.xxx.edu Wed Oct 23 14:29:59 2013
jadavis6                              sshd                                 23537  7 0000 0000 1382552999 602215 0 19 ditirlns01.xxx.edu Wed Oct 23 14:29:59 2013
[root@atum root]#

EDIT:

I know I'm whining about something small up there, but after a while I just get tired of every little thing (such as simply asking "what's the year?") turning into an hour long googlefest or something that's more or less just tribal knowledge (such as the existence of fwtmp).

Best Answer

Related Solutions

Solaris + display file time stamp [year][month][day]

Computing CPU I/O wait time on Solaris

Related Question