the 'last' command

the 'last' command

Post by Ron Jobman » Fri, 04 Oct 1996 04:00:00



What I'm trying to do is find out who hasn't been using their accounts
for a given period of time.  I've disabled what appeared to be accounts
that weren't used [according to 'last'] within the last 6 months.  Then
I got a bunch of these pop mail users coming to me "I can't access my
mail!".  According to 'last', they hadn't been on the system.  Is there
some other command I can use or some other way to tell who has really
been using the server?

Thanks.

 
 
 

the 'last' command

Post by Michael Coog » Sat, 05 Oct 1996 04:00:00


When people use a POP server, they have to modify their mail spool...  <duh>

Since email is one of the most common uses of an Internet server, even
users who primarily use shell accounts will have modified thier mail spool.

Thus, something like:

        find /usr/spool/mail/ -mtime 360 -print > ~/lostusers.txt

should solve your problem.  The path might change depending upon your
setup (it is often /var/spool/mail), and you may want to check in to
using -ctime or -atime rather than -mtime ( I am not sure which would
work best for this application...).  Try "man find".  

Note, if this is a company or university that commonly uses huge mailing
lists, this may not work out right, but you probably won't nuke
legitimate users, just fail to nuke some (trust me, false negative is far
more preferable than false positive in this situation...).

Anyway, you get the idea  ;).

Hope this helps,

Mike



Quote:>What I'm trying to do is find out who hasn't been using their accounts
>for a given period of time.  I've disabled what appeared to be accounts
>that weren't used [according to 'last'] within the last 6 months.  Then
>I got a bunch of these pop mail users coming to me "I can't access my
>mail!".  According to 'last', they hadn't been on the system.  Is there
>some other command I can use or some other way to tell who has really
>been using the server?

>Thanks.


 
 
 

1. 'last' command doesn't show complete login times

Hello,
I am trying to use the information from the "last" command to examine
how long users are logged into a certain machine for a research
project.  I wrote a perl script to parse the information into a comma
delimited file, opened it in a spreadsheet, and sorted the entries by
how long the users were logged in.  To my surprise, out of about 3200
entries, only 17 of them showed up as being logged in for more than an
hour!  I know this information is inaccurate, because these users work
on projects for hours at a time.  Another mystery is that when I run
"who", it shows about 50 users being logged in, whereas the "last"
command only shows about 10.  Running last using utmpx as the file
instead of the default wtmpx, it shows users being logged in for a lot
longer. (???)

I know that the "who" command uses the utmpx file, and the "last"
command uses the wtmpx file, but shouldn't the wtmpx file contain the
same information as the utmpx file, only a lot more of it?  Can anyone
think of an explanation to why the "last" output isn't showing the
entire session a user is logged in for?  Also, if there is data
missing, is there another way I can get the login and logout history
of all the users?

I would greatly appreciate any help you can give. :)

Thanks,
Julie

2. can anyone recommend an ethernet card?

3. Sun's 'last' command

4. How to kill processes under UNIX SVR4 ?

5. The 'last' command doesn't record users logout

6. Smail Bug?

7. 'last' command 8 character username limit

8. Networking with win2k

9. Why has my 'last' command suddenly stopped working?

10. 'last' command anomaly

11. ftp logging with 'last' command

12. 'last' command off by one

13. Guarding against the 'last' command