Where does ‘last’ store user hostnames

last

I was looking into the 'last -d' command.

-d: For non-local logins, Linux stores not only the host name of the remote host but its IP number as well. This option translates the IP number back into a hostname.

At first, I was looking at similar questions, this one in particular:
'last -d' is REALLY slow

Before I updated my hosts file and added: 0.0.0.0 localhost I received fewer hostnames and more IP addresses. So that means Linux stores the hostnames somewhere in the OS. If that's the case, is there any way of reaching the hostnames without the command last -d?

Best Answer

According to man last, my Arch Linux system stores login info in /var/log/wtmp. It looks to be in a binary format - that is, the usual text tools will only show you parts of it.

This command: xxd /var/log/wtmp | more shows me both text-format dotted-quad IP addresses, and fully-qualified DNS names.

I wrote the following little program to show me what was in /var/log/utmp. It appears that not every entry has a hostname/IP address, and that the binary format only has a small, fixed amount of room for the hostname.

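#include <stdio.h>
#include <utmp.h>

int
main(void)
{
        struct utmp *utmpp;

        /* Read the login history file instead of the default utmp file. */
        utmpname("/var/log/wtmp");
        setutent();
        while (NULL != (utmpp = getutent())) {
                /* ut_host is a fixed-size field that may not be
                 * NUL-terminated, so bound the print to its size. */
                printf("%.*s\n", (int)sizeof(utmpp->ut_host), utmpp->ut_host);
        }
        endutent();
        return 0;
}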
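
Each wtmp record stores the remote end in two fields: text in ut_host and a binary IP address in ut_addr_v6, the latter being the "IP number" that the quoted -d description says is translated back into a hostname. The following C program is an added example, not code from the original answer, that prints both fields for each record. It assumes glibc's struct utmp; the helper names and the sample record (gateway.example.net, 192.0.2.10) are constructed for illustration.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <utmp.h>

/* ut_host is char[UT_HOSTSIZE] and may lack a NUL: bound the copy. */
void record_host(const struct utmp *u, char *buf, size_t len)
{
    snprintf(buf, len, "%.*s", (int)sizeof u->ut_host, u->ut_host);
}

/* Render the binary address. Returns 4 or 6 for the family, 0 when the
 * record carries no address, -1 on a formatting error. Assumption: last
 * three words zero means IPv4, which uses only ut_addr_v6[0]. */
int record_addr(const struct utmp *u, char *buf, size_t len)
{
    const int32_t *a = u->ut_addr_v6;
    buf[0] = '\0';
    if (!a[0] && !a[1] && !a[2] && !a[3])
        return 0;
    if (!a[1] && !a[2] && !a[3])
        return inet_ntop(AF_INET, a, buf, len) ? 4 : -1;
    return inet_ntop(AF_INET6, a, buf, len) ? 6 : -1;
}

/* Constructed sample record (not real login data). */
struct utmp sample_record(void)
{
    struct utmp u;
    memset(&u, 0, sizeof u);
    strncpy(u.ut_host, "gateway.example.net", sizeof u.ut_host);
    inet_pton(AF_INET, "192.0.2.10", &u.ut_addr_v6[0]);
    return u;
}

int main(int argc, char **argv)
{
    char host[UT_HOSTSIZE + 1], addr[INET6_ADDRSTRLEN];
    struct utmp s = sample_record(), *u = &s;
    utmpname(argc > 1 ? argv[1] : "/var/log/wtmp");
    setutent();
    do {    /* the sample first, then every record in the file */
        record_host(u, host, sizeof host);
        int fam = record_addr(u, addr, sizeof addr);
        printf("host=%s addr=%s\n", host, fam > 0 ? addr : "-");
    } while ((u = getutent()) != NULL);
    endutent();
    return 0;
}
```

Pass another file as the first argument to read a copy of wtmp instead of the live one.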