Wednesday, November 21, 2007

Determine the Number of Login/Logout Sessions - UNIX

Here is an easy way to determine how many login/logout sessions were recorded for a particular workstation. I will employ a few common UNIX system administration commands to fetch, filter, and then count the information derived from the wtmpx file. And by the way, my wtmpx file has not been cleared out in awhile.

# csh
# last | grep esoft | wc -l
24

In some organizations, logging in as the root user via the console is restricted. Check to see if anyone has logged in as root via the console.
# last | grep console | grep root | wc -l
20

Recorded Reboots
# last | awk '{print $1}’ | grep reboot | wc -l
36

Number of logins for each users/pseudo users (/bin/ later added per ux-admin's suggestion)
# foreach i (`last | awk '{print $1}' | sort | uniq | grep -v wtmp`)
? /bin/echo $i `last | grep $i | wc -l`
? end
ftp 16
reboot 36
restrict 1
root 167
esoft 24

Total logins for users/pseudo users
# last | awk '{print $1}' | grep '.' | grep -v wtmp | wc -l
244

5 comments:

UX-admin said...

You could save yourself a few CPU cycles, since `last` can take a while on a busy system with lots of users, like so:

% last esoft | wc -l
24

% last | awk '/reboot/ {print $1;}' | wc -l

or alternatively:

% last | awk 'BEGIN {i = 0;} /reboot/ {++i;} END {print i;}'

Of course, one should be careful when using AWK. Depending on the situation, stringing specialized utilities together can be faster than doing everything in AWK, like you did above. As always, the `timex` command is king, helping to determine the least intensive CPU combo.

"Number of logins for each users/pseudo users
# foreach i (`last | awk '{print $1}' | sort | uniq | grep -v wtmp`)
? echo $i `last | grep $i | wc -l`
? end"

Or, simplified:

# foreach i (`last | awk '! /wtmp/ {print $1;}' | sort -u`)
? /bin/echo "$i" `last | grep "$i" | wc -l`
? end

A careful reader might have noticed `/bin/echo` instead of just `echo`. What's the difference?

Well, `echo` will usually be a shell-built in command, and those normally don't support metacharacters such as "\c", "\t" and the like, whereas /bin/echo handles these. This comes handy when doing pretty-print formatting, especially with automation.

Cheers!

esofthub said...

ux-admin,

Those are some excellent points and thanks for adding to the discussion. Happy Thanksgiving, too. :)

Yimster said...

I read someplace if you delete wtmpx file you cannot login, is that true? I know wtmpx is where all the login/logout logged but wouldn't think it would affect a login.

esofthub said...

Yimster,

I ran a test based on your question. I had no problem logging in as root (CLI) or as normal user (console) after mv the wtmpx file to something else.

David said...

Running last to get the users and last again for each user would never finish on some machines. I prefer:

bash-2.05$ last | awk '{print $1}' | sort | uniq -c | sort -n
1 nagar
1 nola0066
2 nyga0031
3 nicho013
4 nmr
8 naughton
9 nts
9 ntswebd

Or if you prefer username first:

bash-2.05$ last | awk '{print $1}' | sort | uniq -c | sort -n | awk '{print $2, $1}'
nagar 1
nola0066 1
nyga0031 2
nicho013 3
nmr 4
naughton 8
nts 9
ntswebd 9

Bash Cures Cancer