Tuesday, October 9, 2012

# how to read wtmp # script

Perl Script to parse wtmp logs

I can't take credit for this fully, partly because I had some help from PerlMonks and from the Linux & Unix forum to make this script work. So, I'll share it out with you folks. I have tested it on SUSE and Red Hat, so it ought to work on these platforms for you as well.

# vi wtmp.pl

#!/usr/bin/perl
# Parse binary wtmp records (384-byte struct utmp on Linux) and print one line per login entry.
use strict;
use warnings;

# labels for ut_type values 0-9
my @type = (
    "Empty", "Run Lvl", "Boot", "New Time", "Old Time", "Init",
    "Login", "Normal",  "Term", "Account"
);
# slurp the whole log from STDIN (or the files named on the command line)
my $recs = "";
while (<>) {
    $recs .= $_;
}
# cut into fixed 384-byte records; the capturing group makes split() return the records
# themselves, interleaved with empty strings that we skip
foreach ( split( /(.{384})/s, $recs ) ) {
    next if length($_) == 0;
    # struct utmp field widths: type(2 + 2 pad) pid(4) line(32) id(4) user(32) host(256),
    # then exit(4) session(4) tv_sec(4) tv_usec(4) and the first 4 bytes of ut_addr_v6
    my ( $type, $pid, $line, $inittab, $user, $host, $t1, $t2, $t3, $t4, $t5 ) =
      $_ =~ /(.{4})(.{4})(.{32})(.{4})(.{32})(.{256})(.{4})(.{4})(.{4})(.{4})(.{4})/s;
    if ( defined $line && $line =~ /\w/ ) {
        # strip the NUL padding from the fixed-width string fields
        $line =~ s/\x00+//g;
        $host =~ s/\x00+//g;
        $user =~ s/\x00+//g;
        printf(
            "%s %-8s %-12s %10s %-45s \n",
            scalar( gmtime( unpack( "I4", $t3 ) ) ),    # tv_sec as a UTC timestamp
            $type[ unpack( "I4", $type ) ],             # numeric ut_type -> label
            $user, $line, $host
        );
    }
}
printf "\n";

On your server, run the script like this (make it executable with chmod +x first, or invoke it as perl wtmp.pl):

# wtmp.pl < /var/log/wtmp > /tmp/wtmp-report

You can change the input path to wherever your wtmp is stored. The final report opens fine in WordPad. In Notepad the whitespace is not recognized and the text runs together in one continuous line, so please use Microsoft Word or WordPad to read the report!
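The record layout the Perl regex relies on, as an added example (this is not the post's script, and it is in Python rather than Perl so the struct can be spelled out field by field): it decodes the same 384-byte glibc struct utmp, names the fields the regex leaves as $t1..$t5 (exit status, session, tv_sec/tv_usec and the binary address, which can be cross-checked against ut_host), rejects a file whose size is not a whole number of records (a simple sign of truncation or editing that the Perl split() would hide), and pairs logins with logouts the way last(1) does. All sample records, hostnames, PIDs and timestamps below are constructed.

```python
"""Parse Linux wtmp records (glibc struct utmp, 384 bytes each) and pair logins with logouts."""
import ipaddress
import struct
from datetime import datetime, timezone

RECORD_SIZE = 384

# glibc x86_64 layout, little-endian; the blog's regex reads the first 352 bytes of this.
#   h   ut_type (+2 bytes padding)    i    ut_pid        32s ut_line    4s  ut_id
#   32s ut_user                       256s ut_host       hh  ut_exit    i   ut_session
#   ii  ut_tv (tv_sec, tv_usec)       16s  ut_addr_v6    20s __unused
UTMP_FMT = "<hxxi32s4s32s256shhiii16s20s"
assert struct.calcsize(UTMP_FMT) == RECORD_SIZE

UT_TYPES = {0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 3: "NEW_TIME", 4: "OLD_TIME",
            5: "INIT_PROCESS", 6: "LOGIN_PROCESS", 7: "USER_PROCESS",
            8: "DEAD_PROCESS", 9: "ACCOUNTING"}


def cstr(raw: bytes) -> str:
    """Fixed-width NUL-padded field -> str (what the script's s/\\x00+//g does)."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_record(buf: bytes) -> dict:
    """Decode one 384-byte record into named fields."""
    (ut_type, pid, line, ut_id, user, host, e_term, e_exit, session,
     tv_sec, tv_usec, addr, _unused) = struct.unpack(UTMP_FMT, buf)
    if addr[4:] == b"\0" * 12:  # an IPv4 address sits in the first word, rest zero
        ip = str(ipaddress.IPv4Address(addr[:4])) if addr[:4] != b"\0" * 4 else ""
    else:
        ip = str(ipaddress.IPv6Address(addr))
    return {"type": UT_TYPES.get(ut_type, f"UNKNOWN({ut_type})"), "pid": pid,
            "line": cstr(line), "id": cstr(ut_id), "user": cstr(user), "host": cstr(host),
            "exit": (e_term, e_exit), "session": session, "addr": ip,
            "time": datetime.fromtimestamp(tv_sec + tv_usec / 1e6, tz=timezone.utc)}


def parse_wtmp(data: bytes) -> list:
    """Split a wtmp image into records. A length that is not a multiple of 384 means a
    truncated or edited file; the Perl script's split() would drop the tail silently."""
    if len(data) % RECORD_SIZE:
        raise ValueError(f"{len(data)} bytes is not a whole number of {RECORD_SIZE}-byte records")
    return [parse_record(data[i:i + RECORD_SIZE]) for i in range(0, len(data), RECORD_SIZE)]


def format_record(rec: dict) -> str:
    """Same columns as the Perl printf: time, type, user, line, host."""
    return "%s %-13s %-12s %10s %-45s" % (rec["time"].strftime("%Y-%m-%d %H:%M:%S"),
                                         rec["type"], rec["user"], rec["line"], rec["host"])


def login_sessions(records: list) -> list:
    """Pair each USER_PROCESS with the next DEAD_PROCESS on the same tty (as last(1) does)."""
    open_by_line, sessions = {}, []
    for r in records:
        if r["type"] == "USER_PROCESS":
            open_by_line[r["line"]] = r
        elif r["type"] == "DEAD_PROCESS" and r["line"] in open_by_line:
            start = open_by_line.pop(r["line"])
            sessions.append({"user": start["user"], "line": start["line"], "host": start["host"],
                             "login": start["time"], "logout": r["time"]})
    for start in open_by_line.values():  # still logged in, or the log ended first
        sessions.append({"user": start["user"], "line": start["line"], "host": start["host"],
                         "login": start["time"], "logout": None})
    return sessions


def build_record(ut_type, pid, line, ut_id, user, host, tv_sec, addr=b"") -> bytes:
    """Pack one record in the same layout; used here only to construct sample data."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), ut_id.encode(), user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, addr.ljust(16, b"\0"), b"\0" * 20)


# Constructed sample: a boot, an SSH login from 192.0.2.10 at 01:00 UTC, its logout at 02:00.
SAMPLE_WTMP = b"".join([
    build_record(2, 0, "~", "~~", "reboot", "3.0.0-example", 1349740800),
    build_record(7, 2345, "pts/0", "ts/0", "alice", "192.0.2.10", 1349744400,
                 ipaddress.IPv4Address("192.0.2.10").packed),
    build_record(8, 2345, "pts/0", "ts/0", "", "", 1349748000),
])

if __name__ == "__main__":
    recs = parse_wtmp(SAMPLE_WTMP)
    for r in recs:
        print(format_record(r))
    for s in login_sessions(recs):
        dur = (s["logout"] - s["login"]) if s["logout"] else None
        print(f"{s['user']} on {s['line']} from {s['host']}: {s['login']:%H:%M} -> {dur}")
```

To run it against a real log, replace SAMPLE_WTMP with open("/var/log/wtmp", "rb").read(). The layout constant is the x86_64 glibc one the Perl regex also assumes; on a 32-bit or non-glibc system check struct.calcsize against the record size first.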
