14

Running the lastlog command correctly lists all users on my system (same as /etc/passwd entries). However all are marked as **Never logged in**, including the account I'm currently logged in to. I noticed that my /var/log/lastlog file is also empty.

Edit: /var/log/lastlog is not empty, it is a binary file and I was trying to cat it, causing nothing to display. less displays a binary file.

Does anyone have any insight as to why this would happen? I've never manually edited /var/log/lastlog.

Edit: Output of ls -al /var/log/lastlog:

-rw-rw-r-- 1 root utmp 292584 2010-05-12 18:14 /var/log/lastlog

goric
  • 3,816
  • Did you check that you have free space on your /var containing filesystem ? Also please add the output from: ls -la /var/log/lastlog – João Pinto Jan 21 '11 at 00:08
  • @João: Good suggestion, but df lists 61% free on that filesystem – goric Jan 21 '11 at 00:16
  • Can you post the output of lastlog? Are you sure they all say never logged in? Mine shows that only two accounts have logged in (root, and my own user account). The rest are a bunch of system accounts like pulse, avahi, sshd which have never actually had a log in. Also, /var/log/lastlog shouldn't be empty, but it is (according to less) a binary file that requires the lastlog program to parse. – djeikyb Jan 21 '11 at 01:17
  • See my edits: the file is not empty, I was trying to cat it. But all of the accounts do list Never logged in. lastlog | grep -v Never produces an empty output. – goric Jan 21 '11 at 01:24

3 Answers3

10

Login via gdm is not logged in lastlog. In this respect ck-history --last might give you more information.

To test this, go to a console (Ctrl+Alt+F1), log in, then come back to Gnome (Alt+F7) and check the output of lastlog.

Jorge Castro
  • 71,754
arrange
  • 14,959
  • You're right - it was my misunderstanding of what lastlog does. Thanks. – goric Jan 21 '11 at 23:19
  • The man page isn't very clear about why lastlog won't work on a gdm system, but arrange's use of ck-history --last works well, especially if you pipe that to grep tty7. Thanks! – Scaine Jan 22 '11 at 13:34
0

This is a best solution for me

lastlog | grep -v Never | grep -v Username | awk '{print ENVIRON["HOSTNAME"] ";"$1";"$4" "$5" "$6" "$7" "$8" "$9}'

Regards

user167232
  • 1
0

In my opinion, this should be listed as a bug for gdm. chkrootkit reports a problem whenever /var/log/lastlog is empty:

 Checking `z2'...        user xxxx deleted or never logged from lastlog!
dsa42
  • 11