Log file that `sudo last` accesses?

The bash command last (needs sudo) prints out logs, which contain information on when different users log in/out of the shell.

I have been looking for the file that stores this information, that last would access. I have checked /var/log/system.log and other files within /var/log.

I have looked everywhere on the internet as well, and cannot find the location.

I have, however, confirmed that the file is within /var/log, because when I did rm -rf /var/log/, sudo last showed empty output until the next time I logged in.

Which file is it? Thanks.

(I am using OS X Mavericks if it makes a difference.)


Solution 1:

last derives its output by examining the *.launchd.events.*.stats files in /private/var/log/com.apple.launchd.

Removing the files usually restricts the last output to the last login after rebooting. Consequently some additional file/database/in-memory structure has to exist.

Removing the files doesn't work consistently.

The stats files in the respective user folders (e.g. com.apple.launchd.peruser.0 or com.apple.launchd.peruser.501) are irrelevant!

Solution 2:

The file (executable) in question is /var/run/syslog

If we execute man last we get

SEE ALSO
     lastcomm(1), utmpx(5), ac(8)

We can find utmpx in the /var/run directory. utmpx is a user accounting database of current login information. The key here is this statement found in the man page for utmpx:

Traditionally, separate files would be used to store the running log of the logins and logouts (wtmpx), and the last login of each user (lastlogx). With the availability of the Apple system log facility asl(3), these separate files can be replaced with log entries, which are automatically generated when utmpx entries are written.

So, utmpx is generating log entries to the OS X's syslog function. Execute the following command:

syslog | grep 'login\['

And you will get a list of all login events since the OS was installed (truncated)

May 26 17:03:12 Allans-iMac login[5572] <Notice>: USER_PROCESS: 5572 ttys003
May 26 17:26:15 Allans-iMac login[5572] <Notice>: DEAD_PROCESS: 5572 ttys003
May 27 10:10:57 Allans-iMac login[5196] <Notice>: DEAD_PROCESS: 5196 ttys002
May 27 10:10:58 Allans-iMac login[4741] <Notice>: DEAD_PROCESS: 4741 ttys001
May 27 10:11:18 Allans-iMac login[6253] <Notice>: USER_PROCESS: 6253 ttys001
May 27 10:25:45 Allans-iMac login[6281] <Notice>: USER_PROCESS: 6281 ttys002
May 27 17:17:15 Allans-iMac login[6281] <Notice>: DEAD_PROCESS: 6281 ttys002
May 27 17:17:21 Allans-iMac login[6253] <Notice>: DEAD_PROCESS: 6253 ttys001
May 28 13:40:06 Allans-iMac login[7123] <Notice>: USER_PROCESS: 7123 ttys001
May 30 09:11:25 Allans-iMac login[1213] <Notice>: USER_PROCESS: 1213 ttys000
May 30 09:11:25 Allans-iMac login[1220] <Notice>: USER_PROCESS: 1220 ttys001
May 30 09:23:19 Allans-iMac login[1220] <Notice>: DEAD_PROCESS: 1220 ttys001
May 30 09:23:19 Allans-iMac login[1213] <Notice>: DEAD_PROCESS: 1213 ttys000
May 30 20:57:16 Allans-iMac login[1695] <Notice>: USER_PROCESS: 1695 ttys000
May 30 20:57:39 Allans-iMac login[1695] <Notice>: DEAD_PROCESS: 1695 ttys000
May 31 22:33:30 Allans-iMac login[2592] <Notice>: USER_PROCESS: 2592 ttys000
Jun  3 16:46:28 Allans-iMac login[2592] <Notice>: DEAD_PROCESS: 2592 ttys000
Jun  4 20:44:43 Allans-iMac login[1789] <Notice>: USER_PROCESS: 1789 ttys000

For additional user accounting info, we can use the command ac

Executing man ac gives us

NAME
     ac -- display connect-time accounting

SYNOPSIS
     ac [-d] [-p] [-w file] [users ...]

DESCRIPTION
     A record of individual login and logout times are written to the system log by login(8) and launchd(8),
     respectively.  The program ac examines these records and writes the accumulated connect time (in decimal
     hours) for all logins to the standard output.

So, according to man ac login information is written to the system log. Executing ac gives us "If no arguments are given, ac displays the total amount of login time for all active accounts on the system."

$ ac
total     2477.23

To break it out by user:

$ ac -p
testguy      0.04
_mbsetupuser     0.39
allan     2476.74
root         0.07
total     2477.24
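The USER_PROCESS / DEAD_PROCESS records that the answer above pulls out of the system log are all that last(1) and ac(8) need conceptually: a login is recorded when login(8) writes a utmpx entry, and the matching logout when the process dies. The following Python script is an added example (not code from the answer or from Apple's Libc) that parses lines in exactly the format shown by `syslog | grep 'login\['`, pairs them by PID and tty into sessions, and sums connect time in decimal hours the way `ac` reports it. The log lines inside it are constructed sample data; the year 2014 is assumed because syslog timestamps carry no year, and the pairing key (PID, tty) is an assumption of this script rather than documented Apple behaviour. A DEAD_PROCESS record with no preceding login (for example one whose login fell before the start of the retained log) is reported separately rather than silently dropped, which is the usual gap an investigator has to account for when reconstructing logins from a rotated log.

```python
"""Reconstruct login sessions from Apple system log (asl) 'login' records.

Added example: parses the USER_PROCESS / DEAD_PROCESS lines printed by
`syslog | grep 'login\['` on OS X, pairs them into sessions and sums
connect time like ac(8). Sample lines and the assumed year are constructed.
"""
import re
from datetime import datetime

# Constructed sample in the same layout as the syslog output quoted above.
# The first DEAD_PROCESS has no matching login, as happens after log rotation.
SAMPLE_LOG = """\
May 26 09:00:00 Allans-iMac login[4000] <Notice>: DEAD_PROCESS: 4000 ttys000
May 26 17:03:12 Allans-iMac login[5572] <Notice>: USER_PROCESS: 5572 ttys003
May 26 17:26:15 Allans-iMac login[5572] <Notice>: DEAD_PROCESS: 5572 ttys003
May 27 10:11:18 Allans-iMac login[6253] <Notice>: USER_PROCESS: 6253 ttys001
May 27 10:25:45 Allans-iMac login[6281] <Notice>: USER_PROCESS: 6281 ttys002
May 27 17:17:15 Allans-iMac login[6281] <Notice>: DEAD_PROCESS: 6281 ttys002
May 27 17:17:21 Allans-iMac login[6253] <Notice>: DEAD_PROCESS: 6253 ttys001
May 28 13:40:06 Allans-iMac login[7123] <Notice>: USER_PROCESS: 7123 ttys001
"""

# "Jun  3" style timestamps have two spaces, hence \s+ between month and day.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) login\[(?P<lpid>\d+)\] <\w+>: "
    r"(?P<kind>USER_PROCESS|DEAD_PROCESS): (?P<pid>\d+) (?P<tty>\S+)$"
)


def parse_line(line, year=2014):
    """Return a dict for one login record, or None if the line is not one.

    `year` is an assumption: asl timestamps carry no year, so the caller
    must supply the one the log covers.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "pid": int(m["pid"]), "tty": m["tty"], "kind": m["kind"]}


def build_sessions(lines, year=2014):
    """Pair USER_PROCESS with DEAD_PROCESS records by (pid, tty).

    Returns (sessions, orphans). A session whose end is None is still open
    at the end of the log. Orphans are DEAD_PROCESS records with no matching
    login, which is what a rotated or truncated log produces. Keying on
    (pid, tty) rather than pid alone reduces, but does not eliminate, the
    chance that a reused PID is paired with the wrong logout.
    """
    open_by_key = {}
    sessions, orphans = [], []
    for line in lines:
        rec = parse_line(line, year)
        if rec is None:
            continue
        key = (rec["pid"], rec["tty"])
        if rec["kind"] == "USER_PROCESS":
            open_by_key[key] = rec["ts"]
        elif key in open_by_key:
            start = open_by_key.pop(key)
            sessions.append({"pid": rec["pid"], "tty": rec["tty"],
                             "start": start, "end": rec["ts"]})
        else:
            orphans.append(rec)
    for (pid, tty), start in open_by_key.items():
        sessions.append({"pid": pid, "tty": tty, "start": start, "end": None})
    return sessions, orphans


def connect_hours(sessions, now=None):
    """Total connect time in decimal hours, as ac(8) prints it.

    Open sessions are counted up to `now` if given, otherwise skipped.
    """
    total = 0.0
    for s in sessions:
        end = s["end"] if s["end"] is not None else now
        if end is None:
            continue
        total += (end - s["start"]).total_seconds() / 3600
    return round(total, 2)


def format_like_last(sessions):
    """Render sessions newest-first, roughly in the style of last(1)."""
    rows = []
    for s in sorted(sessions, key=lambda s: s["start"], reverse=True):
        end = "still logged in" if s["end"] is None else s["end"].strftime("%H:%M")
        rows.append(f"{s['tty']:<8} {s['start']:%a %b %d %H:%M} - {end}")
    return rows


if __name__ == "__main__":
    sessions, orphans = build_sessions(SAMPLE_LOG.splitlines())
    print("\n".join(format_like_last(sessions)))
    print(f"total {connect_hours(sessions):>12.2f}")
    print(f"{len(orphans)} logout record(s) without a matching login")
```

Run it with `python3` and compare the `total` line with what `ac` prints on a real machine; the difference is the still-open session, which `ac` counts up to the present and this script only counts when `now` is passed.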

Solution 3:

last is using /var/log/asl/* files.

Firing within one Terminal window:

/usr/bin/sudo opensnoop

and in another one:

last

will show you this in detail.

If you want to read it from the source, here it is:

http://opensource.apple.com/release/os-x-1011/

download:

Libc-1081.1.3

extract this compressed tar file:

tar xzf Libc-1081.1.3.tar.gz

and read:

Libc-1081.1.3/gen/utmpx-darwin.c