I'm trying to determine who was recently logged into a specific machine in my office. So I used last, but wtmp begins yesterday (Monday) around 14:30. I was hoping to find info stretching back to Sunday, at least. Is there anyway to get that info without plodding through the authorization log file?
Asked
Active
Viewed 2.7k times
24
thepocketwade
- 1,545
- 5
- 17
- 27
2 Answers
34
Presumably your wtmp file has been rotated, so try last -f /var/log/wtmp.1 or last -f /var/log/wtmp.0 to read the previous files. If those don't work, ls /var/log/wtmp* and see if they're called something else. If they're compressed (.gz extension), decompress 'em.
If they're not there, find whoever setup the bollocks rotation scheme and give them a solid foot-punch to the pantaloons. There's no reason not to keep at least a few weeks' of wtmp logs.
womble
- 96,255
- 29
- 175
- 230
-
1I really should have seen those rotated files in /var/log, I don't know how I missed them. – thepocketwade Nov 03 '09 at 13:35
3
If the wtmp files are not available, you can also look directly at /var/log/secure or /var/log/messages to see any login message in there.
sucuri
- 2,867
- 1
- 23
- 22
-
I thought about that, but that's more work than I wanted to do, really. – thepocketwade Nov 06 '09 at 21:40