On Thu, 30 May 2024 13:18:17 +0200, Vincent Lefevre wrote:
> I agree, this may be useful. Unfortunately, the current status is
> that one cannot have both: installing wtmpdb forces the upgrade of
> util-linux to 2.40.1-3 (at least), where "last" is no longer installed.

Thanks for the change about version 2.40.1-3 of the util-linux package.
This is indeed mentioned in the NEWS.Debian from the 2.40.1-3 util-linux
package, and the NEWS.Debian also suggests installing wtmpdb.

But the last(1) from wtmpdb cannot read /var/log/wtmp:

    $ last -f /var/log/wtmp
    wtmpdb_read_all: SQL error: file is not a database

And if I understood correctly, wtmpdb requires programs to use PAM to
update wtmpdb, thus programs that do not use PAM will still write
/var/log/wtmp. For example, tmux writes /var/log/wtmp via libutempter0
and I do not see that tmux depends on pam. But now one cannot read
/var/log/wtmp from either util-linux or wtmpdb.

Fortunately, last(1) only links to linux-vdso.so.1, libc.so.6 and
ld-linux-x86-64.so.2. One can extract the /usr/bin/last binary from an
old util-linux .deb, which can be downloaded from snapshot.debian.org.

> However, I think that it is better to archive human-readable text files
> (generated by "last" in the past) rather than the wtmp files.
>
> I've used the attached script to get both the IP addresses and the
> host names with "last" (I don't know whether there's a better way to
> get full information).

I agree that human-readable text files are better than the wtmp binary
format files, if the text files provide all information or at least the
information one wanted to keep. I find that last(1) may not print all
information, and you need some options to let it print something fully;
so I personally still prefer to keep those wtmp files.

For example, I noted a long time ago that the IPv6 address in the output
of `last' is truncated, and found just a couple of months ago that the -a
option will put the full address in the last column (I see you use that
option in your script). And the output from rotated files (e.g. wtmp.1)
may have something like "gone - no logout".

Provided the wtmp files are just many "records" of raw data of the C
struct "utmp" (defined in utmp.h, or see `man 5 utmp'), one record for
login, one record for logout, one record for boot, etc., one can do
something like:

    $ cat /var/log/wtmp.1 /var/log/wtmp >> wtmp-combined
    $ last -f wtmp-combined

The output will show when a user logged out for those previously
"gone - no logout" lines. I just realized this about a month ago.

I know there is a utmpdump(1) in the util-linux package, which is still
available in the 2.40.1-3 version. The command will dump more information
than last(1); but it is for every single record, so one may need to
manually match login with logout, boot with shutdown, etc. Still, it
seems to me some information, e.g. exit_status, is still missing.

For archival reasons, one may write a program that reads the wtmp files
and dumps all variables of the struct utmp.

And something "off topic". I find there is a char __glibc_reserved[20]
variable in the struct utmp, which is commented as "Reserved for future
use". Just a brainstorm: if this variable is not currently used, maybe it
can be used to solve the Y2038 problem for wtmp?

Regards,
Jun MO
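
A reader of wtmp files that keeps every field of struct utmp, as suggested in the message above. This is an added example, not part of the original message and not code from util-linux or wtmpdb. It assumes the 384-byte little-endian record layout that glibc uses on x86-64; the dict keys, the function names and the sample records are constructed for illustration.

```python
import socket
import struct
from datetime import datetime, timezone

# Assumption: struct utmp as laid out by glibc on x86-64 (384 bytes, little-endian).
REC = struct.Struct("<hxxi32s4s32s256shhiii16s20s")
TYPES = {0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 3: "NEW_TIME", 4: "OLD_TIME",
         5: "INIT_PROCESS", 6: "LOGIN_PROCESS", 7: "USER_PROCESS",
         8: "DEAD_PROCESS", 9: "ACCOUNTING"}

def _text(raw):
    # Fixed-width char arrays are NUL-padded and not always NUL-terminated.
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def _addr(raw):
    # ut_addr_v6 carries an IPv4 address in its first word when the rest is zero.
    if raw[4:] == bytes(12):
        return socket.inet_ntop(socket.AF_INET, raw[:4])
    return socket.inet_ntop(socket.AF_INET6, raw)

def parse_wtmp(data):
    """Yield one dict per record, keeping every field of struct utmp."""
    if len(data) % REC.size:
        raise ValueError("length is not a multiple of %d bytes" % REC.size)
    for (typ, pid, line, id_, user, host, term, exit_, session,
         sec, usec, addr, reserved) in REC.iter_unpack(data):
        yield {
            "ut_type": TYPES.get(typ, str(typ)), "ut_pid": pid,
            "ut_line": _text(line), "ut_id": _text(id_),
            "ut_user": _text(user), "ut_host": _text(host),
            "e_termination": term, "e_exit": exit_, "ut_session": session,
            "time": datetime.fromtimestamp(sec, timezone.utc).isoformat(),
            "tv_usec": usec, "ut_addr_v6": _addr(addr),
            "reserved": reserved.hex(),
        }

def sample():
    # Constructed sample: a login with an IPv6 peer and its logout on pts/0.
    ip6 = socket.inet_pton(socket.AF_INET6, "2001:db8::1234:5678:9abc:def0")
    login = REC.pack(7, 4242, b"pts/0", b"ts/0", b"alice", b"host.example",
                     0, 0, 0, 1717000000, 250000, ip6, bytes(20))
    logout = REC.pack(8, 4242, b"pts/0", b"ts/0", b"", b"",
                      0, 3, 0, 1717003600, 0, bytes(16), bytes(20))
    return login + logout

if __name__ == "__main__":
    for rec in parse_wtmp(sample()):
        print(rec)
```

To archive a real file, pass its bytes to parse_wtmp(), e.g. open("wtmp-combined", "rb").read(); a length that is not a multiple of 384 indicates a different struct layout or a truncated file.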