Re: last patch, idea
On 2011/04/10 00:02, Peter J. Philipp wrote:
> Hi,
>
> while going through my wtmp with last(1) I noticed there could be a better
> way than always gunzip'ing wtmp files and then using last -f. I've made
> a patch for your consideration that does the following:
>
> a) it checks if the file is a gzipped file by looking at the wtmp's file magic
> b) it writes the gzipped file to a /tmp location uncompressed so that the
>normal way of operation can be done on the tmp file.
Having tried to do things like gzcat /var/log/wtmp.0.gz | last -f /dev/stdin
before, I'd certainly find it useful and this is less intrusive than modifying
last(8) so it could work with standard input.
> I didn't want to start the discussion empty handed whether this is a good
> patch or not, so I made the patch but it needs cleanup and probably a manpage
> change. Let me know if this could go in, before I do any more work.
Here are a couple of minor comments,
> + if (isgzipped()) {
> + tmpdir = create_tmp(file);
> + gzcopy();
> + file = tmpdir;
> + }
> +
> +
extra whitespace
> +/*
> + * create a temporary directory where a temporary file can be put in
> + */
maybe:
* create a temporary directory to hold decompressed files
> + snprintf(d0, sizeof(d0), "/tmp/last.");
more X's wanted here ("At least 6 Xs should be used, though 10
is much better.")
Yes it does want a manpage change.
Re: last patch, idea
> > while going through my wtmp with last(1) I noticed there could be a better > > way than always gunzip'ing wtmp files and then using last -f. I've made > > a patch for your consideration that does the following: > > b) it writes the gzipped file to a /tmp location uncompressed so that the > >normal way of operation can be done on the tmp file. > > Having tried to do things like gzcat /var/log/wtmp.0.gz | last -f /dev/stdin > before, I'd certainly find it useful and this is less intrusive than modifying > last(8) so it could work with standard input. Unless you run an extermely large shop like Beck does, or have extremely tiny disks, why not just remove all the Z flags from newsyslog.conf? This has the side effect of not having to gunzip /var/log/daemon* & friends. I guess we inherited this log gzipping from 4BSD, but in those days a 300MB disk cost a month's salary. Plus another week's salary or so for the trucking charges.
Re: last patch, idea
On 2011/04/10 10:08, Ian Darwin wrote: > > > while going through my wtmp with last(1) I noticed there could be a better > > > way than always gunzip'ing wtmp files and then using last -f. I've made > > > a patch for your consideration that does the following: > > > b) it writes the gzipped file to a /tmp location uncompressed so that the > > >normal way of operation can be done on the tmp file. > > > > Having tried to do things like gzcat /var/log/wtmp.0.gz | last -f /dev/stdin > > before, I'd certainly find it useful and this is less intrusive than > > modifying > > last(8) so it could work with standard input. > > Unless you run an extermely large shop like Beck does, or have extremely > tiny disks, why not just remove all the Z flags from newsyslog.conf? Ah yes, this probably makes a lot of sense for wtmp... > This has the side effect of not having to gunzip /var/log/daemon* & friends. > > I guess we inherited this log gzipping from 4BSD, but in those days > a 300MB disk cost a month's salary. Plus another week's salary or so > for the trucking charges. Not sure about those; they can be very helpful when syslog's "last message repeated NN times" fails (e.g. two separate log entries which are repeated very often). zgrep and zless make it pretty easy to work with compressed normal logfiles. And though I haven't tested, I suspect that with CPU speeds these days, the reduction in disk i/o may even save time when you're searching through old logs.
Re: last patch, idea
On Sun, Apr 10, 2011 at 10:08:24AM -0400, Ian Darwin wrote: > > Having tried to do things like gzcat /var/log/wtmp.0.gz | last -f /dev/stdin > > before, I'd certainly find it useful and this is less intrusive than > > modifying > > last(8) so it could work with standard input. > > Unless you run an extermely large shop like Beck does, or have extremely > tiny disks, why not just remove all the Z flags from newsyslog.conf? > This has the side effect of not having to gunzip /var/log/daemon* & friends. This is a good idea. I guess I don't need my patch then. I won't clean it up then either. > I guess we inherited this log gzipping from 4BSD, but in those days > a 300MB disk cost a month's salary. Plus another week's salary or so > for the trucking charges. funny. :-) -peter
