SUMMARY: Displaying last login time for a user

From: Chris Knorr (
Date: 07/29/05

  • Next message: "anyway to recover deleted "sets" on MAA1000 SAN"
    Date: Fri, 29 Jul 2005 10:26:25 -0400

    How do you determine the last time any of the users on my Tru64 Unix V5.1B
    system have logged in.

    I got a lot of useful responses to this, all were useful in different wants.
    I ultimately ended up using a script written by Chris Wincentsen that uses

    It certainly looks from the reference page like lastlogin should do what you

    Since /usr/sbin/acct/lastlogin is in fact just a shell script, you should be
    able to read it and figure out what it's doing. From a quick read, it looks
    like it expects to find the information that it needs in the


    file, which it looks like it creates if it's not present. This of course
    begs the question of how that file is supposed to be kept up to date; I
    suspect you need to run accounting to have the data that the lastlogin
    script wants present in that file, but I could be off base, I have never had
    to actually create and maintain accounting on a system myself.

    The data you want is probably somewhere in the wtmp file, since in most
    cases, that's where the accounting data is kept by the basic tools, but
    getting it into other useful forms is a challenge if you haven't mastered
    the ins and outs of the Berkeley UNIX accounting that's at the core of the
    Tru64 UNIX implementation.
    Not an exact answer for you, but this may help. I assume that you are using
    C2 (enhanced) security, so "edauth -g" will get you all of the information
    for a user. Then, look at the "u_suclog" field. This will give the last
    successful login time, relative to the start of the epoch, for instance
    "1121952221". Then,

    perl -e 'print localtime(1121952221)."\n"'
    will convert that time to something useful:
       Thu Jul 21 08:23:41 2005
    The "last" command can be used to read the /var/adm/wtmp file,
    which also shows login duration times.
    If you have Enhanced Security enabled and haven't disabled login logging in
    the Enhanced Security default file, the information you're looking for is in
    the Enhanced Security account database, auth.db. You can look at this
    database with the edauth tool, but you'll have to convert the times from
    time_t format. See the Security manual and the man pages for edauth,
    prpasswd, and default.

    If you don't have Enhanced Security enabled or it's enabled but you have to
    disable login logging, try enabling the audit subsystem. You can configure
    the audit subsystem to log all kinds of neat stuff, including logins and
    logouts. See the Security manual for more information on the audit

  • Next message: "anyway to recover deleted "sets" on MAA1000 SAN"