On Thu, 30 May 2024 13:18:17 +0200, Vincent Lefevre wrote:
> I agree, this may be useful. Unfortunately, the current status is
> that one cannot have both: installing wtmpdb forces the upgrade of
> util-linux to 2.40.1-3 (at least), where "last" is no longer installed.
Thanks for the change about version 2.40.1-3 of the util-linux package.
This is indeed mentioned in the NEWS.Debian from the 2.40.1-3 util-linux
package, and the NEWS.Debian also suggests installing wtmpdb. But
the last(1) from wtmpdb can not read /var/log/wtmp:
$ last -f /var/log/wtmp
wtmpdb_read_all: SQL error: file is not a database
And if I understood correctly, wtmpdb require program use PAM to update
wtmpdb, thus program not use PAM will still write /var/log/wtmp. For
example, tmux write /var/log/wtmp via libutempter0 and I do not see tmux
depends on pam. But now one can not read /var/log/wtmp neither from
util-linux or wtmpdb. Fortunately, last(1) only links to linux-vdso.so.1,
libc.so.6 and ld-linux-x86-64.so.2. One can extract the /usr/bin/last
binary from old util-linux .deb which can be downloaded from
snapshot.debian.org.
> However, I think that it is better to archive human-readable text files
> (generated by "last" in the past) rather than the wtmp files.
>
> I've used the attached script to get both the IP addresses and the
> host names with "last" (I don't know whether there's a better way to
> get full information).
I agree that human-readable text files are better than the wtmp binary
format files, if the text files provide all information or at least
information one wanted to keep. I find that last(1) may not print all
information, and you need some option to let it print something fully;
so I personally still prefer to keep those wtmp files. For example,
I have noted that the IPv6 address in the output of `last' is truncated
long time ago, and find just a couple of months ago that the -a option
will put the full address in the last column(I see you use that option
in your script). And the output from rotated files(e.g wtmp.1) may have
something like "gone - no logout". Provided the wtmp files are just
many "records" of raw data of C struct of "utmp"(defined in utmp.h, or
see `man 5 utmp'), one record for login, one record for logout,
one record for boot, etc, one can do something like:
$ cat /var/log/wtmp.1 /var/log/wtmp >> wtmp-combined
$ last -f wtmp-combined
The output will show when a user logout for those previously
"gone - no logout" lines. I just realize this about a month ago.
I know there is a utmpdump(1) in the util-linux package, that is still
available in 2.40.1-3 version. The command will dump more information
than last(1); but it is for every single records, one may need to
manually match login with logout, boot with shutdown, etc. Still it
seems to me some information, e.g. exit_status, are still missing.
For archive season, one may write a program that read the wtmp files
and dump all variables of the struct utmp.
And something "off topic". I find there is a char __glibc_reserved[20]
variable in the struct utmp, which is commented as "Reserved for
future use". Just a brainstorm, if this variable is not currently used,
maybe it can be used to solve the Y2038 problem for wtmp?
Regards,
Jun MO
