Retaining "last" log (wtmp) capability

Leopard gurus,

As some people have noticed, Leopard no longer writes/retains
"wtmp" files, which means the "last" command has been crippled,
because it does not go back very far.

"last" is incredibly useful for security (to keep an eye on
suspicious logins at suspicious times from suspicious places).

Why has "last" been crippled in this way? Is there an alternative
way to retain and list that same valuable information i.e., username,
origin of the login session, time of login, and time of logout?

Yes, I have already tried:

syslog -k Facility com.apple.system.lastlog
syslog -k Facility com.apple.system.utmpx

and they do not list the information equivalent to
the "last" command. Further, the log file "asl.db"
does not seem to be retaining even the above
not-very-usefully-presented information for a long time,
as promised by "man syslogd".


Thanks for any help,


Raja.

Posted on Jun 27, 2008 10:29 PM

23 replies

Oct 10, 2008 6:29 AM in response to fivenotrump

I just configured:

less /System/Library/LaunchDaemons/com.apple.syslogd.plist

...
<string>/usr/sbin/syslogd</string>
<string>-ttl</string>
<string>2592000</string>
<string>-db_max</string>
<string>134217728</string>
<string>-sweep</string>
<string>900</string>

It might be a combination of the global ttl for all entries and the maximum db size. ('sweep' was just added to reduce the frequency ...)

You have to unload/load the file with launchctl:

sudo launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist
sudo launchctl load /System/Library/LaunchDaemons/com.apple.syslogd.plist

NOTE: I had to reboot, I'm not even sure if it works (yet).

Oct 16, 2008 4:43 AM in response to Peter Scordamaglia

It works as expected!

I did not reach the size limit yet. Since archiving is disabled, I expect the last log to be shifting its start date whenever I reach the limit ...

Regards,
Patrick

PS: Just to point out the numbers ...

<string>-ttl</string>
<string>2592000</string> <!-- 30*24*60*60 = 30 days -->
<string>-db_max</string>
<string>134217728</string> <!-- 128*1024*1024 = 128 MiB -->
<string>-sweep</string>
<string>900</string> <!-- 15*60 = 15 minutes / check interval -->

Clarify how I came up with the numbers ...

Message was edited by: Patrick Mau
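The two posts above edit the ProgramArguments of com.apple.syslogd.plist by hand and then work out the -ttl, -db_max and -sweep values on a calculator. The script below is an added example (not from the thread, not Apple's tooling) that does the same edit programmatically with Python's standard plistlib: it takes the retention window in days, the database cap in MiB and the sweep interval in minutes, converts them the way Patrick's comments do (the thread reads -ttl as seconds, and the value written here follows that reading), and sets each flag exactly once, whether it is already present or not. It operates on a constructed plist in the shape quoted above rather than on the real file, and assumes, as the thread does, that each of the three flags takes a single value.

```python
"""Added example: set syslogd retention flags in a launchd plist.

Not code from the thread or from Apple. Assumes the plist has a
ProgramArguments array that starts with /usr/sbin/syslogd and that
-ttl, -db_max and -sweep each take one value, as in the excerpt
quoted in the thread.
"""
import plistlib

# Constructed sample in the shape quoted above; the real file lives at
# /System/Library/LaunchDaemons/com.apple.syslogd.plist on Leopard.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.apple.syslogd</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/sbin/syslogd</string>
        <string>-ttl</string>
        <string>7</string>
    </array>
</dict>
</plist>
"""


def set_flag(args, flag, value):
    """Return a copy of args with `flag value` present exactly once.

    An existing occurrence is updated in place (so the flag order of the
    file is preserved); a missing flag is appended at the end.
    """
    out = list(args)
    if flag in out:
        i = out.index(flag)
        if i + 1 < len(out) and not out[i + 1].startswith("-"):
            out[i + 1] = value          # flag already had a value: replace it
        else:
            out.insert(i + 1, value)    # flag was present without a value
    else:
        out += [flag, value]
    return out


def flag_values(plist_bytes):
    """Map each '-flag' in ProgramArguments to its value (None if bare).

    Useful as a before/after check that the edit did what was intended.
    """
    args = plistlib.loads(plist_bytes)["ProgramArguments"]
    values = {}
    i = 1                               # skip the program path itself
    while i < len(args):
        if args[i].startswith("-"):
            if i + 1 < len(args) and not args[i + 1].startswith("-"):
                values[args[i]] = args[i + 1]
                i += 2
                continue
            values[args[i]] = None
        i += 1
    return values


def configure_retention(plist_bytes, days, max_mib, sweep_minutes):
    """Return (new_plist_bytes, new_args) with the three retention flags set.

    Conversions follow the comments in the thread:
      -ttl    = days * 24 * 60 * 60   (thread reads this as seconds)
      -db_max = max_mib * 1024 * 1024 (bytes)
      -sweep  = sweep_minutes * 60    (seconds between expiry passes)
    """
    data = plistlib.loads(plist_bytes)
    args = data["ProgramArguments"]
    if not args or args[0] != "/usr/sbin/syslogd":
        raise ValueError("not a syslogd launchd plist: %r" % (args[:1],))
    ttl = days * 24 * 60 * 60
    db_max = max_mib * 1024 * 1024
    sweep = sweep_minutes * 60
    if sweep >= ttl:
        raise ValueError("sweep interval must be shorter than the ttl")
    for flag, value in (("-ttl", ttl), ("-db_max", db_max), ("-sweep", sweep)):
        args = set_flag(args, flag, str(value))
    data["ProgramArguments"] = args
    return plistlib.dumps(data), args


if __name__ == "__main__":
    # Same numbers as the thread: 30 days, 128 MiB, 15-minute sweep.
    new_plist, new_args = configure_retention(SAMPLE_PLIST, 30, 128, 15)
    print("before:", flag_values(SAMPLE_PLIST))
    print("after: ", flag_values(new_plist))
    print(" ".join(new_args))
```

The script only produces the new plist bytes; writing them over the system file and the `launchctl unload`/`load` cycle from the earlier post are still manual steps, and the `flag_values` check is the place to confirm the result before reloading the daemon.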

Oct 30, 2008 5:57 AM in response to Patrick Mau

OK I decided to implement this and as of the 24th this has been running on my system and so far, I have not lost a single record from last!!!

The minus to this is that system accounting seems to have gotten OVERWHELMED with all the data to parse and as such has now made the daily maintenance scripts fail. It took me about 8 hours to figure out what the problem was, and it looks like in 500.daily there is a cleanup of the sa database like this: `sa -s > /dev/null`. The base issue seems to be that the parsing of the EXISTING database is hard on it. I 'manually' ran `sa -is` (-i: do not read in the summary files) and now periodic ran and worked as expected. I will continue to monitor, but this looks to be an issue with TOO much retention...

Dec 2, 2008 5:26 AM in response to Peter Scordamaglia

It seemed to work... it was working SOOO well.... We crossed into November and it cleared the database properly, then SOMETHING happened and now I get NO login info _AT ALL_. Every time I check, the database says it was just created. Yes, I have sufficient space. 😟 I will keep looking.

BTW Apple responded to the bugtrack submission, I answered them and no update from them as of yet....
