Retaining "last" log (wtmp) capability

Leopard gurus,

As some people have noticed, Leopard no longer writes/retains
"wtmp" files, which means the "last" command has been crippled,
because it does not go back very far.

"last" is incredibly useful for security (to keep an eye on
suspicious logins at suspicious times from suspicious places).

Why has "last" been crippled in this way? Is there an alternative
way to retain and list that same valuable information i.e., username,
origin of the login session, time of login, and time of logout?

Yes, I have already tried:

syslog -k Facility com.apple.system.lastlog
syslog -k Facility com.apple.system.utmpx

and they do not list the information equivalent to
the "last" command. Further, the log file "asl.db"
does not seem to be retaining even the above
not-very-usefully-presented information for a long time,
as promised by "man syslogd".


Thanks for any help,


Raja.

Posted on Jun 27, 2008 10:29 PM

23 replies

Aug 23, 2008 9:49 PM in response to nsraja

I have been beating my head against something VERY similar to this issue (and one that illuminates 'where' your file went) for QUITE a bit and will give you all the information I have figured out.

Yes, utmp is gone. It is no longer created nor used. Someone (Apple, BSD?) removed it from use. They did document it in 'man utmpx'. So that explains that 'we' use /var/run/utmpx now for 'last' and other commands that used to access it from /var/log/wtmp.

Our collective issue is that SOMETHING is deleting that file for SOME REASON and resetting our login access information. It is getting VERY frustrating. I run a 'private' server and many many people access it via shell accounts (well, a few fairly consistently) but that file can get deleted and recreated up to every 4 hours! So I lose everything (and so do you). I am at the point of setting an ACL to keep EVERYONE that is not ME from accessing it... I will keep you apprised.

Peter

Message was edited by: Peter Scordamaglia - Clarified who, what, when...

Aug 26, 2008 6:51 AM in response to Peter Scordamaglia

Small update. Leopard is NOT using wtmp for, well, seemingly for anything. It stays at one block, the accessed file time (and created and modified times) seem to move around but I cannot discern what is changing about it. It contains just a few of 'my' logins, but that info is very stale...

I think I have this successfully narrowed to being `syslogd`'s fault. I am in the process of narrowing it down further (it looks to be the 'fault' specifically of the utmp_ttl timer) but I will need a few DAYS, possibly a few WEEKS to be sure. I will try to keep us all apprised.

Peter

Aug 26, 2008 1:50 PM in response to nsraja

On my machine, after reinstalling on a test volume, running last shows:

wtmp begins Fri Aug 15 01:31

and entries since then. So, I'm a bit confused about your *Leopard no longer writes/retains "wtmp" files* comment. BTW, you'll probably get a more cogent response posting to the Unix forum under OS X Technologies where the Unix and Terminal mavens hang out.

Aug 26, 2008 4:01 PM in response to baltwo

To be clear, what I meant is that while it DOES retain/display these values, it 'resets/updates' them many times, and in doing so, the data displayed is also truncated (yes, both at the same time, not so much one causes the other, obviously). It is the arbitrary time to the reset of this data that is what is getting me irked.

I tried to look around and see if it was a service or other daemon that was cleaning up the file too often, but I have found only newsyslog.conf that mentions /var/log/wtmp. However according to `man last` Apple did away with the use of wtmp, and now moved to /var/run/utmpx. But this file is WAAAY too small to contain the login info of HUNDREDS of users (checking with od -a utmpx looks like there are 2 or 3 records and they are 'stale').

So, long story short, the data now looks to be all in asl. Asl.db contains LOTS of information (it is the replacement for txt files for the 'old' syslog) but I cannot control when `last` resets the data displayed in what was wtmp.

The closest thing that I am trying next to see if something is 'in the way' is that POSSIBLY it is some 'hidden' feature of diskspacemonitor. I have one drive that rides the 90% full mark.

Filesystem Size Used Avail Capacity Mounted
/dev/disk6s3 1.36T 1.2T 158.58G 89% /Volumes/*HIDDEN

I have changed diskspacemonitor to alert at 90% and cleanup @ 95% but I might have to take that to something like 92 or 95 and 98 just to be sure and I am uncomfortable with that level of 'fullness' on this drive, and turning it off will probably never be possible (I think I would stop breathing if it was ever found to be off!)

Whew! O.K. so back on track...

So, I cannot tell who has remotely connected to my server unless I am almost constantly running and capturing this data for historical reference. As an example, I have done this (cataloging this data) every 1-4 minutes for the past 24 hours and the wtmp has reset that date now 3 times.

wtmp begins Sun Aug 24 11:29
wtmp begins Mon Aug 25 06:56
wtmp begins Mon Aug 25 21:12

As you can see, this means I only can see the last ~18 hours (or less) of login information. I have submitted this to radar and thought I'd keep the community up to speed (well, the one person that seems to have noticed it). To be honest, I did not notice this until early this week. I was only checking for things that happened earlier in the day on the server and I must have been under the impression that it reset once or twice in odd places and it never bothered me, as this never came onto my radar as annoying as it is now.

Peter

P.S. I will troll around in the Unix and Terminal spots shortly, Thanks.

Aug 27, 2008 6:30 PM in response to baltwo

If I may, a 'reset' in the middle of the month? That is *_NOT NORMAL_* or expected behavior for any *nix. `Last` should be reset (normally) once a month with your monthly maintenance. This is how Tiger (10.4) Client and Server worked, and Panther, Jaguar and Cheetah/Puma. They all were maintaining this all 'properly'/as expected.

Anywho, this is the crux of why this is so dang important. If someone (like me) runs a shell account server, all they have to go by as to what has been happening on their server is in logs.

That is not to say that other server 'types' do not also need this, merely to say that with HUNDREDS or THOUSANDS of remote logins per day, any security breach, account compromise or what have you, predicates on this log helping me see 'who, what, when and from where' quickly. Oh, I can pull SOME of this info from other places, but that adds to time that I might not have to solve the problem.

Peter

Aug 27, 2008 6:40 PM in response to Peter Scordamaglia

Maybe my anomaly is a result of reinstalling the COMBO update mid-month. Don't know and since mine's just a single-user machine, doesn't really matter.

If you want to report this to Apple, send a bug report or enhancement request to Apple via its Bug Reporter system. To do the latter, join the Apple Developer Connection (ADC)—it's free and available for all Mac users and gets you a look at some development software. Since you already have an Apple username/ID, use that. Once a member, go to Apple BugReporter and file your bug report/enhancement request. The nice thing with this procedure over submitting feedback is that you get a response and a follow-up number; thus, starting a dialog with engineering.

Aug 28, 2008 3:21 PM in response to tele_player

This is possible (and I am already doing something like it) but what happens if it resets twice an hour? (and this DID happen!) or resets just BEFORE I back it up?

I know, I am being obstinate, and you are trying to help and I do appreciate it, but this issue is OS related, degraded functionality or erratum. Whatever term(s) you would like to use, it is up to Apple to find and fix it.

Peter

P.S. So far there IS some kind of pattern emerging, although I still cannot discern from where it is coming. Here are the `last` reset dates/times:

Aug 24 11:29
Aug 25 06:56
Aug 25 21:12
Aug 25 22:39
Aug 25 23:38
Aug 26 01:38
Aug 26 04:39
Aug 26 05:39
Aug 26 07:39
Aug 26 14:38
Aug 27 00:38
Aug 27 04:39
Aug 27 05:39
Aug 27 10:38
Aug 27 15:38

So far it looks to be happening around ##:38... system uptime is 7+ days (that is when I rebuilt it)...

Aug 28, 2008 10:04 PM in response to Peter Scordamaglia

I'm not saying there isn't a problem, though I expect there are few users for whom it is an issue. What I'm suggesting is a way for you to view the log in a way which is useful to you. If a 60 minute interval leaves gaps in your accumulated log, try a shorter interval. Even at 1 minute intervals, I'm sure it would generate negligible load on the system.

Aug 29, 2008 7:13 AM in response to tele_player

🙂, I was agreeing with you and letting you know that I am getting it once a SECOND (well, average right now is once every 3.77 secs - database insert, unique records only) and yes, the load even on a G5 is sub 10% of both CPUs (average) but the problem is the system 'does' things in shorter intervals than even that. It is conceivable to me that a reset or some other issue could lose something between even this time, that's all I was on about.

I think we are all (getting) on the same page about this and this is good.

Peter
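The workaround tele_player and Peter settle on above is to poll `last` at a short interval and keep only the unique records, so that a "wtmp begins" reset on the host does not erase login history the administrator already captured. The following is an added example of that approach, not code from anyone in this thread: it parses BSD-style `last` output (user, tty, optional host, login stamp, then the logout time or "still logged in"), merges each snapshot into an archive keyed on user/tty/host/login time, fills in logout times that a later snapshot supplies, and counts how many times the "wtmp begins" marker moved. The two snapshots embedded in the block are constructed sample data; the `poll_last()` helper that shells out to `last` is an assumption about the command's output format, which on a given system should be checked against `man last`.

```python
import re
import subprocess
from dataclasses import dataclass, field

# One `last` record: user, tty, optional host, login stamp
# (weekday month day HH:MM; last(1) prints no year), then the remainder
# ("- HH:MM  (dur)", "still logged in", or nothing for reboot lines).
RECORD_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(?:(\S+)\s+)?"
    r"(\w{3}\s+\w{3}\s+\d{1,2}\s+\d{2}:\d{2})\s*(.*)$"
)
BEGINS_RE = re.compile(r"^wtmp begins (.+)$")

# Constructed sample snapshots (not real output from the thread's hosts).
SAMPLE_SNAPSHOT_1 = """\
raja      ttys001  192.0.2.10       Mon Aug 25 21:30 - 21:45  (00:15)
peter     ttys000  198.51.100.7     Mon Aug 25 21:20   still logged in
reboot    ~                         Sun Aug 24 11:29

wtmp begins Sun Aug 24 11:29
"""

# Second poll: the host has reset its log, peter has logged out, raja is back.
SAMPLE_SNAPSHOT_2 = """\
peter     ttys000  198.51.100.7     Mon Aug 25 21:20 - 22:50  (01:30)
raja      ttys002  203.0.113.5      Mon Aug 25 22:41   still logged in

wtmp begins Mon Aug 25 22:39
"""


@dataclass
class Archive:
    """Accumulated login history across many `last` polls."""
    records: dict = field(default_factory=dict)      # key -> status text
    begins_seen: list = field(default_factory=list)  # distinct "wtmp begins" markers
    resets: int = 0                                  # how often the marker moved


def parse_snapshot(text):
    """Split one `last` run into a list of (key, status) and the begins marker."""
    records = []
    begins = None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = BEGINS_RE.match(line)
        if m:
            begins = m.group(1)
            continue
        m = RECORD_RE.match(line)
        if not m:
            continue  # tolerate unexpected lines rather than abort the poll
        user, tty, host, login, rest = m.groups()
        records.append(((user, tty, host or "", login), rest.strip()))
    return records, begins


def merge_snapshot(archive, text):
    """Fold one snapshot into the archive; return the number of new records."""
    records, begins = parse_snapshot(text)
    if begins is not None and (not archive.begins_seen
                               or archive.begins_seen[-1] != begins):
        if archive.begins_seen:
            archive.resets += 1  # the host's own history was truncated
        archive.begins_seen.append(begins)
    new = 0
    for key, status in records:
        if key not in archive.records:
            archive.records[key] = status
            new += 1
        elif status and "still logged in" not in status:
            # a later poll supplies the logout time of a session seen open before
            archive.records[key] = status
    return new


def poll_last():
    """Run the real `last` command (assumed BSD-style output) and return its text."""
    return subprocess.run(["last"], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    archive = Archive()
    merge_snapshot(archive, poll_last())
    for (user, tty, host, login), status in sorted(archive.records.items()):
        print(f"{user:<10}{tty:<9}{host:<17}{login}  {status}")
```

Run this from cron (or a loop with `sleep`) at the interval Peter describes, persisting `archive.records` between runs, and the archive keeps growing even when the host's own "wtmp begins" marker jumps. Because `last` prints no year, the login stamp in the key is ambiguous across a year boundary; a production version would add the poll's own date to each record when it is first seen.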
