Parse different lastlog[s]

Question

I have the lastlog from 100 machines that I need to parse. Since I have them all centrally located, is there a way to parse these? Or do I need to go back to each machine and type the "lastlog" command and then get the output?

Thank you.

score 1 · Answer 1 · answered Apr 06 '20 at 16:44

A super-hacky solution is simply to backup your machine's /var/log/lastlog, and replace it with the file from a different machine. Run lastlog to view its contents, the replace the one from your machine

mv /var/log/lastlog /var/log/lastlog.real
cp /your/custom/lastlog /var/log/lastlog
lastlog
mv /var/log/lastlog.real /var/log/lastlog

score 1 · Answer 2 · answered Dec 02 '14 at 14:58

The standard lastlog command doesn't have an option to read an alternate lastlog data file but you could just grab the source for this and tweak it. Or use your favourite language to parse it - just standard utmp records.

Be aware that copying lastlog files around can result in large destination files if your users have high uids. By default lastlog files are sparse (so ls -l shows them as large but du -s reflects real size).

score 0 · Answer 3 · answered Jul 15 '22 at 05:18

0

tail -n25 $(find /var/log/lastlog -maxdepth 1 -type f -mtime -1 | grep -v "wtmp" | grep -v "lastlog" ) |  more

Might be helpful

answered Jul 15 '22 at 05:18

Ace

812

Parse different lastlog[s]

3 Answers3