Jan 18, 2013 12:04 PM (in response to Terry Fundak)
When I use the last command on this server, which should have a long history, I get this:
macmini:~ admin$ last
admin ttys000 xyz.com Fri Jan 18 10:00 still logged in
wtmp begins Fri Jan 18 10:00
I'm concerned because it appears my login history - of all events - is gone except the current session.
I need to go to backups to determine what happened and when, but what file do I need, and is it a "bhah.asl" kind of file? If so, how do I read those...
Jan 19, 2013 12:04 AM (in response to Terry Fundak)
The database for this on OS X is (I believe) in /var/audit.
If I run the 'last' command on my system, the first entries I see are
user console Sun Aug 12 09:44 - 22:09 (12:25)
reboot ~ Sun Aug 12 09:42
If I execute
sudo ls /var/audit
the first file shown is
With the date portion of the file name obviously matching the first entry in the 'last' command. The database files are binary files.
As to why it is not logging on your machine, I don't know off the top of my head; you obviously will need to check all your system processes. It is likely a question you would need to ask Apple, as I believe their accounting daemons may not be 100% Unix standard.
Mac mini, OS X Server
Mar 20, 2013 10:06 AM (in response to FromOZ)
For those who are reading this, this is about a Mt. Lion system with current patches (10.8.3).
Thank you for the reply and the pointer to the audit directory.
I am continuing to ponder why last at the terminal is giving unexpected behavior. I am now noticing the history in last is only for the "last" - no pun intended - 24 hours or thereabouts on one of my systems. In the audit directory there are many more entries:
Wed Mar 20 09:47:14 terry@mymac:~ >>last
terry ttys001 Wed Mar 20 09:47 still logged in
terry ttys000 Wed Mar 20 09:47 still logged in
terry console Wed Mar 20 09:41 still logged in
reboot ~ Wed Mar 20 09:39
shutdown ~ Wed Mar 20 09:39
terry ttys001 Wed Mar 20 09:03 - 09:13 (00:09)
terry ttys000 Wed Mar 20 09:03 - 09:13 (00:09)
terry console Wed Mar 20 09:03 - 09:39 (00:35)
reboot ~ Wed Mar 20 09:00
wtmp begins Wed Mar 20 00:56
>>sudo ls -lsa /var/audit/
256 -r--r----- 1 root wheel 130862 Nov 24 14:52 20121124213110.20121124225215
56 -r--r----- 1 root wheel 26733 Nov 24 15:23 20121124225256.20121124232301
40 -r--r----- 1 root wheel 19634 Nov 24 15:43 20121124232348.20121124234351
and then DOZENS and DOZENS more.... and finally those for yesterday are missing, and then today:
2016 -r--r----- 1 root wheel 1031355 Mar 18 23:31 20130318150701.20130319063139
840 -r--r----- 1 root wheel 426232 Mar 20 00:56 20130319154442.20130320075621
56 -r--r----- 1 root wheel 26259 Mar 20 09:39 20130320160056.20130320163908
40 -r--r----- 1 root wheel 19050 Mar 20 09:55 20130320163956.not_terminated
Also, when I look through the list of audit files, the 15th and the 10th of Mar are missing..... hummmmm...
Any idea what could cause this?
I am suspicious of some sort of hacking but just don't see any direct evidence of it....
I have gone and gotten the source code for last at the BSD project, but I'm not a C programmer, and Apple's version is a branch, or so it seems to me, 'cause they've got to be different, and I'm not sure where to configure last or how to better understand what I'm seeing.
Anyone care to help me understand what could be going on?
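As an added example (not from any poster in this thread), a small Python script that parses the /var/audit file names and reports the time ranges no trail file covers, so the missing days noticed above can be listed instead of eyeballed in a long ls listing. It assumes the standard OpenBSM naming that OS X uses (<start>.<end> as 14-digit UTC timestamps, the open file ending in .not_terminated) and uses the names quoted in the thread as constructed sample input.

```python
"""Report time ranges that no /var/audit trail file covers (OpenBSM naming:
<start>.<end> as 14-digit UTC stamps; the open trail ends in .not_terminated).
The ls listing in the thread shows local mtimes, hence "Nov 24 14:52" next to
a name ending 20121124225215."""
import re
from datetime import datetime, timedelta, timezone

TRAIL_RE = re.compile(r"^(\d{14})\.(\d{14}|not_terminated)$")
STAMP = "%Y%m%d%H%M%S"

# Constructed sample: only the names quoted in the thread, so the Mar 10 /
# Mar 15 hole the poster noticed is present.
SAMPLE_NAMES = [
    "20121124213110.20121124225215",
    "20121124225256.20121124232301",
    "20121124232348.20121124234351",
    "20130318150701.20130319063139",
    "20130319154442.20130320075621",
    "20130320160056.20130320163908",
    "20130320163956.not_terminated",
]

def parse_trail_name(name, now):
    """Return (start, end) datetimes (UTC, naive) for a trail file name, else None."""
    m = TRAIL_RE.match(name)
    if not m:
        return None
    start = datetime.strptime(m.group(1), STAMP)
    end = now if m.group(2) == "not_terminated" else datetime.strptime(m.group(2), STAMP)
    return start, end

def coverage_gaps(names, now, min_gap=timedelta(hours=1)):
    """Return (gap_start, gap_end) pairs longer than min_gap, in UTC.
    Second-scale gaps are normal (auditd closes one trail and opens the next);
    a gap of whole days means no audit records exist for that period, whether
    auditd was stopped, the clock jumped, or trail files were removed."""
    spans = sorted(s for s in (parse_trail_name(n, now) for n in names) if s)
    gaps, covered_until = [], None
    for start, end in spans:  # running max handles overlapping/nested trails
        if covered_until is not None and start - covered_until > min_gap:
            gaps.append((covered_until, start))
        covered_until = end if covered_until is None else max(covered_until, end)
    return gaps

if __name__ == "__main__":
    import os, sys  # pass a directory (e.g. /var/audit, run with sudo) to scan it
    names = os.listdir(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_NAMES
    now = datetime.now(timezone.utc).replace(tzinfo=None)
    for a, b in coverage_gaps(names, now):
        print(f"no audit trail {a:%Y-%m-%d %H:%M} -> {b:%Y-%m-%d %H:%M} UTC ({b - a})")
```

Run against the sample names it reports the Nov 24 to Mar 18 hole plus two multi-hour gaps on Mar 19 and Mar 20; against a real /var/audit, compare any long gap with the shutdown/reboot lines from last before assuming tampering.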