How to find the year in last login details

Hi Friends

I have a query. we had a requirement to see the last login details of our users so I ran the command last <username> and the output i get is:

wtmp begins Apr 17 21:48

Now I need to know couple of things:

  1. How can I see the year this log is being read from wtmp file
  2. Is there any way to find the data for the above command before April 17 or how the old log was deleted on April 17.

I know that our AIX system went into Production on June 2006.

Kindly advice.

Regards,
Leo.

If you are sure there should be entries in the wtmp file and if you or anyone else has logged into that server then there should of course be entries in that file. I would guess that you have a corrupted wtmp file. What is the time stamp on the wtmp file?

ls -al /var/adm/wtmp

I don't think by default the wtmp file gets cycled but after it grows to a certain size so see if there are other wtmp files in the same dir.

ls -altr /var/adm/wtmp*

If there are others with some .extension then you can read those with

wtmp -f filename

If it were my server I would do the follow.

If you want to keep the current file copy it first.

cp -p /var/adm/wtmp /var/adm/wtmp.June082011
0> /var/adm/wtmp

The previous command will clean the file of any entries.

Then try logging in again and run the last command, hopefully you will see a new entry logged.

1 Like

The "fwtmp" utility displays the fields from "wtmp" complete with the year.

1 Like

Thanks Methyl & Juredd1...

Methyl thanks for suggesting fwtmp utility it really helped me in my query.

thanks again guys.

regards

leo

If your are interested in only the last login time of users, you could also do:

# lsuser -f -a time_last_login time_last_unsuccessful_login ptr
ptr:
        time_last_login=1307690480
        time_last_unsuccessful_login=1307626391

# perl -e 'print scalar localtime 1307690480'
Fri Jun 10 09:21:20 2011

# perl -e 'print scalar localtime 1307626391'
Thu Jun  9 15:33:11 2011