On 2011/04/10 10:08, Ian Darwin wrote: > > > while going through my wtmp with last(1) I noticed there could be a better > > > way than always gunzip'ing wtmp files and then using last -f. I've made > > > a patch for your consideration that does the following: > > > b) it writes the gzipped file to a /tmp location uncompressed so that the > > > normal way of operation can be done on the tmp file. > > > > Having tried to do things like gzcat /var/log/wtmp.0.gz | last -f /dev/stdin > > before, I'd certainly find it useful and this is less intrusive than > > modifying > > last(8) so it could work with standard input. > > Unless you run an extermely large shop like Beck does, or have extremely > tiny disks, why not just remove all the Z flags from newsyslog.conf?
Ah yes, this probably makes a lot of sense for wtmp... > This has the side effect of not having to gunzip /var/log/daemon* & friends. > > I guess we inherited this log gzipping from 4BSD, but in those days > a 300MB disk cost a month's salary. Plus another week's salary or so > for the trucking charges. Not sure about those; they can be very helpful when syslog's "last message repeated NN times" fails (e.g. two separate log entries which are repeated very often). zgrep and zless make it pretty easy to work with compressed normal logfiles. And though I haven't tested, I suspect that with CPU speeds these days, the reduction in disk i/o may even save time when you're searching through old logs.
