Retaining "last" log (wtmp) capability

Leopard gurus,
As some people have noticed, Leopard no longer writes/retains
"wtmp" files, which means the "last" command has been crippled,
because it does not go back very far.
"last" is incredibly useful for security (to keep an eye on
suspicious logins at suspicious times from suspicious places).
Why has "last" been crippled in this way? Is there an alternative
way to retain and list that same valuable information i.e., username,
origin of the login session, time of login, and time of logout?
Yes, I have already tried:
syslog -k Facility com.apple.system.lastlog
syslog -k Facility com.apple.system.utmpx
and they do not list the information equivalent to
the "last" command. Further, the log file "asl.db"
does not seem to be retaining even the above
not-very-usefully-presented information for a long time,
as promised by "man syslogd".
Thanks for any help,
Raja.

To be clear, what I meant is that while it DOES retain/display these values, it 'resets/updates' this value many times, and in doing so, the data displayed is also truncated (yes, both at the same time, not so much one causes the other, obviously). It is the arbitrary time to the reset of this data that is what is getting me irked.
I tried to look around and see if it was a service or other daemon that was cleaning up the file too often, but I have found only newsyslog.conf that mentions /var/log/wtmp. However, according to `man last` Apple did away with the use of wtmp, and now moved to /var/run/utmpx. But this file is WAAAY too small to contain the login info of HUNDREDS of users (checking with od -a utmpx looks like there are 2 or 3 records and they are 'stale').
So, long story short, the data now looks to be all in asl. Asl.db contains LOTS of information (it is the replacement for txt files for the 'old' syslog) but I cannot control when `last` resets the data displayed in what was wtmp.
The closest thing that I am trying next to see if something is 'in the way' is that POSSIBLY it is some 'hidden' feature of diskspacemonitor. I have one drive that rides the 90% full mark.
Filesystem Size Used Avail Capacity Mounted
/dev/disk6s3 1.36T 1.2T 158.58G 89% /Volumes/*HIDDEN
I have changed diskspacemonitor to alert at 90% and cleanup @ 95% but I might have to take that to something like 92 or 95 and 98 just to be sure and I am uncomfortable with that level of 'fullness' on this drive, and turning it off will probably never be possible (I think I would stop breathing if it was ever found to be off!)
Whew! O.K. so back on track...
So, I cannot tell who has remotely connected to my server unless I am almost constantly running and capturing this data for historical reference. As an example, I have done this (cataloging this data) every 1-4 minutes for the past 24 hours and the wtmp has reset that date now 3 times.
wtmp begins Sun Aug 24 11:29
wtmp begins Mon Aug 25 06:56
wtmp begins Mon Aug 25 21:12
As you can see, this means I only can see the last ~18 hours (or less) of login information. I have submitted this to radar and thought I'd keep the community up to speed (well, the one person that seems to have noticed it). To be honest, I did not notice this until early this week. I was only checking for things that happened earlier in the day on the server and I must have been under the impression that it reset once or twice in odd places and it never bothered me, as this never came onto my radar as annoying as it is now.
Peter
P.S. I will troll around in the Unix and Terminal spots shortly, Thanks.
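
The workaround described in the post above (capturing `last` output every few minutes) only yields a usable history if the captures are merged and de-duplicated. The script below is an added example, not part of the original posts: `merge_last`, the file names and every sample login line are constructed, and it assumes the usual `last` column layout (user, tty, host, login time, then either "still logged in" or a logout time).

```shell
#!/bin/sh
# Added example: merge periodic `last` snapshots into one durable history.
# File names and all sample login lines are constructed for illustration.

# merge_last ARCHIVE SNAPSHOT: fold one saved `last` output into ARCHIVE.
merge_last() {
    archive=$1
    snapshot=$2
    [ -f "$archive" ] || : > "$archive"
    awk '
        # Skip blank lines and the "wtmp begins ..." trailer.
        /^[ \t]*$/ || /^wtmp begins/ { next }
        {
            live = ($0 ~ /still logged in[ \t]*$/)
            # Key = user, tty, host and login time (logout part stripped).
            key = $0
            sub(/[ \t]+(still logged in|- .*)[ \t]*$/, "", key)
            gsub(/[ \t]+/, " ", key)
            if (!(key in rec)) order[++n] = key
            # A record with a logout time is never replaced by an open one.
            if (!(key in rec) || !live || islive[key]) {
                rec[key] = $0
                islive[key] = live
            }
        }
        END { for (i = 1; i <= n; i++) print rec[order[i]] }
    ' "$snapshot" "$archive" > "$archive.tmp" && mv "$archive.tmp" "$archive"
}

# demo: three constructed snapshots; the third is taken after a reset.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/snap1" <<'EOF'
peter     ttys000  192.168.1.20     Mon Aug 25 09:15   still logged in
raja      ttys001  10.0.0.5         Mon Aug 25 07:02 - 08:10  (01:08)

wtmp begins Mon Aug 25 06:56
EOF
    cat > "$dir/snap2" <<'EOF'
peter     ttys000  192.168.1.20     Mon Aug 25 09:15 - 20:40  (11:25)
raja      ttys001  10.0.0.5         Mon Aug 25 07:02 - 08:10  (01:08)

wtmp begins Mon Aug 25 06:56
EOF
    cat > "$dir/snap3" <<'EOF'
admin     ttys002  172.16.4.9       Mon Aug 25 21:30   still logged in

wtmp begins Mon Aug 25 21:12
EOF
    for s in snap1 snap2 snap3; do
        merge_last "$dir/archive" "$dir/$s" || return 1
    done
    cat "$dir/archive"
    rm -rf "$dir"
}

demo
```

In regular use, a scheduled job would save `last` to a snapshot file and call `merge_last` on it. The default `last` output carries no year, so a history kept for more than a year needs the capture date stored alongside each record.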

Similar Messages

  • Query all users when they last logged on?

    Hi,
    how can I run a script to query all users to see when they last logged on. I want to be able to select a cut off date to exclude current users.
    Any ideas?
    Thanks
    Paul

    Try using the 'last' command from the Terminal, or read the wtmp logs directly.

  • Status Report with Last Logged on User on a deployment

    Hi all,
    I have been trying to find a report that will tell me the deployment status of an application and against the workstations the last logged on user.
    Is there such a report or will I have to customize a report to do that?
    Cheers

    Hello,
    a report that will tell me the deployment status of an application
    You can refer to compliance report.
    For last logged on user, you can find the information in client properties. If you want to query the information, you need to create a customized report.

  • How to find MAC of phone last logged into by specific User

    Greetings, 
    How can I find the MAC of the phone a User last logged in to?  The user is currently not logged in to any phone. 
    Thank you 

    thank you Jaime
    is this intrusive?  will the pulling of EM traces affect CUCM performance or is it a simple task? 
    can this be done via RTMT?
    please provide instructions if possible.
    thank you again

  • After Effects CS5.5 error: crash in progress last logged message was 3300 DynamicLink 5

    Randomly when I start after effects CS5.5 and premiere pro CS5.5 I get the following error:
    After effects error: crash in progress last logged message was <3300> <DynamicLink> <5> 000000001AAB2080
    I have all programs updated.
    PC Specs:
    i7 930 @ 2.8GHz
    12GB RAM
    Nvidia GTX 570
    Windows 7 Professional 64bit
    Thanks in advance guys!

    What does "randomly" mean? What do you do, when the issue appears? Do you run games before? Use other programs? Also check the Event Viewer for the exact cause...
    Mylenium

  • After effects alert last log message

    What to do when I get this message when opening after effects cs6?
    cs6 after effects Alert last log message was: <140735200987488> >GPUManager> <2>Sniffer Result Code: 3. Generating crash log, which may take a few minutes.
    I just cannot open after effects anymore.

    Hi,
    Now I am here again, my Mac os X version is 10.7.5
    Processor is 2.66ghz intel core 2 duo
    memory 4gt 1067 mhz DDR3
    Graphic card: NVIDIA GeForce 9400 256 MB
    After effects version is 11.0 if I am checking it right
    I have used after effects about three months and suddenly it just quit working. That's not good for my work. Luckily I got almost everything in premiere pro. Because I can't even use files from AE in Premiere pro.
    I have rebooted machine.
    I haven't reinstalled AE yet. I will.
    How do I trash preferences and from where? I cannot open AE at all.

  • Custom report software installed with last logged on user.

    Can someone please help, I'd like to create a custom report: Specific software installed on a computer which includes last logged on user. I can do this by query but need a custom report for non-ConfigMgr users.

    SELECT DISTINCT
    TOP (100) PERCENT dbo.v_GS_COMPUTER_SYSTEM.Name0 AS [Computer name], dbo.v_GS_ADD_REMOVE_PROGRAMS.DisplayName0,
    dbo.v_GS_ADD_REMOVE_PROGRAMS.Version0, dbo.v_R_System.User_Name0, dbo.v_R_System.User_Domain0 AS [User domain],
    dbo.v_GS_COMPUTER_SYSTEM.Domain0 AS [Computer domain], dbo.v_R_System.AD_Site_Name0 AS [Computer AD Site]
    FROM dbo.v_GS_ADD_REMOVE_PROGRAMS INNER JOIN
    dbo.v_GS_COMPUTER_SYSTEM ON dbo.v_GS_ADD_REMOVE_PROGRAMS.ResourceID = dbo.v_GS_COMPUTER_SYSTEM.ResourceID INNER JOIN
    dbo.v_R_System ON dbo.v_GS_COMPUTER_SYSTEM.ResourceID = dbo.v_R_System.ResourceID
    WHERE (dbo.v_GS_ADD_REMOVE_PROGRAMS.DisplayName0 LIKE N'Adobe Shockwave Player%')
    ORDER BY [Computer name]
    Keep in mind that this query will only find x86 software titles. Use v_ADD_REMOVE_PROGRAMS instead to get both.
    http://www.enhansoft.com/

  • SCCM report to show last logged on user and the Active Directory department attribute of that user.

    I need to create an SCCM report to show last logged on user on all machines and the Active Directory department attribute of that last logged on user.

    Your problem is here.
    right join v_R_User USR on USR.ResourceID = CS.ResourceID
    USR.ResourceID != CS.ResourceID, you need to map the username to the user logon to the PC. By using the user’s department information you will end up with unreliable results.
    Anyways you need to make these changes to your query.
    left join v_R_User USR on USR.Unique_User_Name0 = CS.UserName0
    http://www.enhansoft.com/

  • I need a script that will find the computer a user last logged into.

    I am still learning scripting, I need a script that will allow me to pull in usernames from a csv file. Find what computer they last logged into and output that to an csv file.
    I have looked all over and can't find exactly what I need.
    I found the following script but I need to add the resultsize unlimited but can not figure out where to put it; we have a large environment. Also I need to be able to grab username from a csv file. Any assistance you can provide is appreciated.
    ##  Find out what computers a user is logged into on your domain by running the script
    ##  and entering in the requested logon id for the user.
    ##  This script requires the free Quest ActiveRoles Management Shell for Active Directory
    ##  snapin  http://www.quest.com/powershell/activeroles-server.aspx
    Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue
    $ErrorActionPreference = "SilentlyContinue"
    # Retrieve Username to search for, error checks to make sure the username
    # is not blank and that it exists in Active Directory
    Function Get-Username {
    $Global:Username = Read-Host "Enter username you want to search for"
    if ($Username -eq $null){
    Write-Host "Username cannot be blank, please re-enter username!!!!!"
    Get-Username}
    $UserCheck = Get-QADUser -SamAccountName $Username
    if ($UserCheck -eq $null){
    Write-Host "Invalid username, please verify this is the logon id for the account"
    Get-Username}
    get-username resultsize unlimited
    $computers = Get-QADComputer | where {$_.accountisdisabled -eq $false}
    foreach ($comp in $computers)
    $Computer = $comp.Name
    $ping = new-object System.Net.NetworkInformation.Ping
      $Reply = $null
      $Reply = $ping.send($Computer)
      if($Reply.status -like 'Success'){
    #Get explorer.exe processes
    $proc = gwmi win32_process -computer $Computer -Filter "Name = 'explorer.exe'"
    #Search collection of processes for username
    ForEach ($p in $proc) {
    $temp = ($p.GetOwner()).User
    if ($temp -eq $Username){
    write-host "$Username is logged on $Computer"

    If you are querying by user "resultset size" will be of no use.
    You also have functions that are never used and the body code does not look for users.
    Here is what your script looks like if printed well.  It is just a jumble of pasted together and unrelated items.
    ## Find out what computers a user is logged into on your domain by running the script
    ## and entering in the requested logon id for the user.
    ## This script requires the free Quest ActiveRoles Management Shell for Active Directory
    ## snapin http://www.quest.com/powershell/activeroles-server.aspx
    Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue
    $ErrorActionPreference = "SilentlyContinue"
    # Retrieve Username to search for, error checks to make sure the username
    # is not blank and that it exists in Active Directory
    Function Get-Username {
    $Global:Username = Read-Host "Enter username you want to search for"
    if ($Username -eq $null) {
    Write-Host "Username cannot be blank, please re-enter username!!!!!"
    Get-Username
    $UserCheck = Get-QADUser -SamAccountName $Username
    if ($UserCheck -eq $null) {
    Write-Host "Invalid username, please verify this is the logon id for the account"
    Get-Username
    get-username resultsize unlimited
    $computers = Get-QADComputer | where { $_.accountisdisabled -eq $false }
    foreach ($comp in $computers) {
    $Computer = $comp.Name
    $ping = new-object System.Net.NetworkInformation.Ping
    $Reply = $null
    $Reply = $ping.send($Computer)
    if ($Reply.status -like 'Success') {
    #Get explorer.exe processes
    $proc = gwmi win32_process -computer $Computer -Filter "Name = 'explorer.exe'"
    #Search collection of processes for username
    ForEach ($p in $proc) {
    $temp = ($p.GetOwner()).User
    if ($temp -eq $Username) {
    write-host "$Username is logged on $Computer"
    I suggest finding the original code then use the learning link at the top of this page to help you understand how it works in Powershell.
    ¯\_(ツ)_/¯

  • Last logged on by in exchange 2010 shows wrong users name.

    Dear All,
    I am having a problem with wrong information displayed at last logged on by user in Exchange 2010.
    I have not given any users full access or send as permission.
    Please help to resolve this problem
    Sunil
    SUNIL PATEL SYSTEM ADMINISTRATOR

    You'll have to post more information and more clear problem statement to receive useful help.
    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

  • How to check last log backup happened in sql server

    Hi All,
    How to check last log backup happened in sql server
    Thanks in advance
    Shashikala

    Last Tlog Backup details
    SELECT
       CONVERT(CHAR(100), SERVERPROPERTY('Servername')) AS Server,
       msdb.dbo.backupset.database_name,
       MAX(msdb.dbo.backupset.backup_finish_date) AS last_db_backup_date
    FROM   msdb.dbo.backupmediafamily
       INNER JOIN msdb.dbo.backupset ON msdb.dbo.backupmediafamily.media_set_id = msdb.dbo.backupset.media_set_id
    WHERE  msdb..backupset.type = 'L'
    GROUP BY
       msdb.dbo.backupset.database_name
    ORDER BY
       msdb.dbo.backupset.database_name
    --Most Recent Database Backup FULL for Each Database
    SELECT 
       CONVERT(CHAR(100), SERVERPROPERTY('Servername')) AS Server,
       msdb.dbo.backupset.database_name, 
       MAX(msdb.dbo.backupset.backup_finish_date) AS last_db_backup_date
    FROM   msdb.dbo.backupmediafamily 
       INNER JOIN msdb.dbo.backupset ON msdb.dbo.backupmediafamily.media_set_id = msdb.dbo.backupset.media_set_id 
    WHERE  msdb..backupset.type = 'D'
    GROUP BY
       msdb.dbo.backupset.database_name 
    ORDER BY 
       msdb.dbo.backupset.database_name
    http://www.mssqltips.com/sqlservertip/1601/script-to-retrieve-sql-server-database-backup-history-and-no-backups/
    Database -- > Right click -- > Properties -- >
    Raju Rasagounder Sr MSSQL DBA

  • User Profile -- Last Log Entry - The Parameter is Incorrect

    HI
    I see an error in the SharedServices Provider section under UserProfile. It says
    LAST LOG Entry : The Parameter is Incorrect
    This happened after I turned on search setting and Crawling. Is this anything to worry about? What does this error message mean?
    Satis

    Hi, I've found a solution that works fine on this Post:
    Why this happens :
     - Profmain.aspx calls importStatus.LastCrawlSeedStatus to determine if an error occurred during the last profile import.
    - If the LastCrawlSeedStatus value is not 0, it checks importStatus.LastLogEntry and provides the text message from the log
    - LastCrawlSeedStatus is a property of the content source People_Import (Hidden Content Source)
    - If the registry
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office Server\12.0\Search\Applications\<GUID>\Gather\ProfileImport\ContentSources\0\StartPages\0
    Or if the registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office Server\12.0\Search\Applications\<GUID>\Gather\ProfileImport\ContentSources\1\StartPages\0
    - If the value to anything other than 0, we can reproduce problem
    - The search account should have full control on this registry key
    - The SSP account should have read access to this key.
    How to Fix it :-
    - Open the registry on the indexer server
    - Check the value of "lastCrawlSeedStatus" in the registry at
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office Server\12.0\Search\Applications\<GUID>\Gather\ProfileImport\ContentSources\0\StartPages\0
    - And check the value of "lastCrawlSeedStatus" in the registry at
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office Server\12.0\Search\Applications\<GUID>\Gather\ProfileImport\ContentSources\1\StartPages\0
    - We changed the value to 0
    - Restart search service on Index server (better restart the server if you can due to too long waiting for stopping and starting the Office SharePoint Search Services)
    I hope to help all colleagues that have this issue.
    Ciao.

  • Please Help After Effects Error:Crash in progrss.Last logged message was: 8020 GPU manager Sniffer Result Code:3

    Tell us about your computer hardware.
    A:Here is my specs:
    i-7 4770 motherboard
    8 gb of Ram
    What operating system?
    A:Windows 7 64 bit OS
    If you are getting error message(s), what is the full text of the error message(s)?
    A:After Effects Error:Crash in progrss.Last logged message was:<8020><GPU manager>Sniffer Result Code:3
    What were you doing when the problem occurred? What is the exact sequence of steps that you are taking?
    A: Opened it and the error started

    @Todd_Kopriva
    thank you very much it works now

  • Today I stupidly tried to install CUDA accelerator forgetting I have Intel/AMD combo graphics card and not NVidia. Now when I try to launch AE or PremierePro I get this Last log message was: 140735120521568 GPUManager 2 Sniffer Result Code: 3 Help

    Today I stupidly tried to install CUDA accelerator forgetting I have Intel/AMD combo graphics card and not NVidia. Now when I try to launch AE or PremierePro I get this Last log message was: <140735120521568> <GPUManager> <2> Sniffer Result Code: 3.  I have trashed the CUDA program and reinstalled Premiere and AE but no joy.  Same message followed by another error box with options to Retry, Send to Apple or ignore.  I have tried all 3 options but nothing works!  Every time I launch either program same message appears.

    Hi? today i too have this problem.
    I found a solution here: https://discussions.apple.com/message/25137524#25137524
    Now all good.
    Good luck!

  • After Effects error: Crash in progress.Last logged message was: 7748 ae.blitpipe 2 Making New context

    After Effects error: Crash in progress.Last logged message was:<7748> <ae.blitpipe><2>Making New context ....how can i Fix it??help me!!place

    Try the forum for After Effects.
