Very Computer

I know that the "who" command uses the utmpx file, and the "last"
command uses the wtmpx file, but shouldn't the wtmpx file contain the
same information as the utmpx file, only a lot more of it?  Can anyone
think of an explanation to why the "last" output isn't showing the
entire session a user is logged in for?  Also, if there is data
missing, is there another way I can get the login and logout history
of all the users?

I would greatly appreciate any help you can give. :)

Thanks,
Julie

Quote:> Hello,
> I am trying to use the information from the "last" command to examine
> how long users are logged into a certain machine for a research
> project.  I wrote a perl script to parse the information into a comma
> delimited file, opened it in a spreadsheet, and sorted the entries by
> how long the users were logged in.  To my surprise, out of about 3200
> entries, only 17 of them showed up as being logged in for more than an
> hour!  I know this information is inaccurate, because these users work
> on projects for hours at a time.  Another mystery is that when I run
> "who", it shows about 50 users being logged in, whereas the "last"
> command only shows about 10.  Running last using utmpx as the file
> instead of the default wtmpx, it shows users being logged in for a lot
> longer. (???)

> I know that the "who" command uses the utmpx file, and the "last"
> command uses the wtmpx file, but shouldn't the wtmpx file contain the
> same information as the utmpx file, only a lot more of it?  Can anyone
> think of an explanation to why the "last" output isn't showing the
> entire session a user is logged in for?  Also, if there is data
> missing, is there another way I can get the login and logout history
> of all the users?

> I would greatly appreciate any help you can give. :)

If the data's missing, it's missing*.  It might be sort of duplicated in
auditing records if you had auditing enabled, but in most configurations
auditing generates far more data than just logins/logouts, so it would be
even more difficult to retain a large amount of it.

Sounds like you need to talk to the administrator(s) for the system, or
if you're them, track down all the stuff you inherited that you didn't
know about.

* Some folks copy off /var/adm/wtmpx and archive it before truncating it;
that's a matter of local procedure and of talking to the local folks to
find out if they're doing that and where they're keeping it if they are.

--

'last' gets confused when it tries to report "dtremote" logins (from
X servers running elsewhere) and "dtlocal" logins (from X servers running
on this machine).  It thinks only one person at a time can have a
dtremote or dtlocal login, so when it sees successive dt* entries in
wtmpx it assumes that the earlier login ended when the newer one
started.  This bug was fixed for the dtremote case under bug ID 4125016
and for the dtlocal case under bug ID 4685817.  If you're running
Solaris 9 you should already have the fix for the dtremote case.  The
fix for the dtlocal case hasn't made it into a public release yet.

Quote:> Also, if there is data
> missing, is there another way I can get the login and logout history
> of all the users?

You could also escalate the problem through your Sun support people
and ask for a patch that delivers the fixed 'last' executable, but that
takes time.

OttoM.
--

Disclaimer:  These are my opinions.  I do not speak for my employer.