A utility for determining who was logged on the system when it last went down. This information is determined by utilizing the oft-neglected `-d' option to last(8), which allows you to specify a snapshot date and time in the format `[[CC]YY][MMDD]hhmm[.SS]'.
On FreeBSD, one can determine when the system booted by executing `sysctl kern.boottime'. FreeBSD provides the information with microsecond precision and in human-readable format. This script uses that information to help you utilize the `-d' option of last(8), determining who was a victim of your last outage.
A sample output showing two users that were logged on the system:
last -d 201106161513.03 -f /var/log/wtmp
ftpuser2 ftp 192.168.1.139 Thu Jun 16 15:11 - shutdown (00:00)
root ttyv0 Thu Jun 16 15:11 - shutdown (00:00)
Every time you execute lastdown(8) it echoes the last(8) syntax it used, allowing the trained eye to recognize the always-full `YYYYMMDDhhmm.SS' syntax (which is all the more memorable and tolerable since it is auto-calculated). So when the following output appears, for example:
last -d 201104071235.20 -f /var/log/wtmp
wtmp begins Mon Jun 6 11:20:34 PDT 2011
You'll know that last(8) is telling you that the file /var/log/wtmp is unable to report on the date/time 201104..., which is a date in April, while our wtmp file starts in June (and runs to the present day). Not all is lost, as newsyslog(8) is usually the culprit. I've built lastdown(8) with the following syntax (produced by executing `lastdown -h'):
$ lastdown -h
Usage: lastdown [-h] [-f FILE]
OPTIONS:
-h Print this message to stderr and exit
-f FILE Optional path to UTMP(5) log (default: /var/log/wtmp)
-# A number from 1-9 to subtract in minutes from the boot time.
   A value of zero means ten. Can be passed multiple times.
This allows us to explore further on this host using a ``rolled-back'' version of the wtmp file: one that begins before the date/time revealed to be the boot time.
$ lastdown -f /var/log/wtmp.^I^I
wtmp.0 wtmp.1 wtmp.2 wtmp.3
$ lastdown -f /var/log/wtmp.0
last -d 201104071235.20 -f /var/log/wtmp.0
wtmp begins Tue May 17 10:55:48 PDT 2011
$ lastdown -f /var/log/wtmp.1
last -d 201104071235.20 -f /var/log/wtmp.1
luser ttyp0 192.168.1.141 Tue Mar 15 15:42 - crash (4+09:28)
wtmp begins Thu Mar 3 16:09:39 PST 2011
This reveals that somebody was logged in when the machine crashed. Last, but definitely not least, the script provides an easy way to look backward (in minutes) by passing any number and any combination of `-0' through `-9' arguments. You can see quite visually the impact as you add digits and watch the echoed last(8) command change. Since the script uses the sh(1) built-in getopts, you can hasten scrolling back through time by using `-007' to mean "27 minutes ago" (see the usage syntax posted above, which also appears in the script after the venerable BSD License).
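As an added illustration (not the original lastdown script), here is a small sh(1) sketch of the mechanism described above: pull the epoch seconds out of `sysctl kern.boottime', roll it back by the -0..-9 minute digits (zero meaning ten), format it as YYYYMMDDhhmm.SS, and echo the last(8) command before running it. The sample kern.boottime line is constructed and the function names are my own.

```shell
#!/bin/sh
# Added example of the lastdown mechanism (not the original script): turn
# `sysctl kern.boottime' into the YYYYMMDDhhmm.SS value that last(8) -d wants.

# Constructed sample of FreeBSD's kern.boottime output; 1308262383 is
# Thu Jun 16 15:13:03 PDT 2011, the boot time used on this page.
SAMPLE_BOOTTIME='kern.boottime: { sec = 1308262383, usec = 123456 } Thu Jun 16 15:13:03 2011'

# Pull the epoch seconds out of a kern.boottime line.
boottime_sec() {
    printf '%s\n' "$1" | sed -n 's/.*sec = \([0-9][0-9]*\),.*/\1/p'
}

# Sum the -0..-9 digits as minutes; a zero counts as ten, so "007" is 27.
digits_to_minutes() {
    total=0 rest=$1
    while [ -n "$rest" ]; do
        d=${rest%"${rest#?}"}          # first character of $rest
        rest=${rest#?}
        [ "$d" = 0 ] && d=10
        total=$((total + d))
    done
    echo "$total"
}

# Format (epoch seconds - N minutes) as YYYYMMDDhhmm.SS in local time.
# BSD date(1) takes -r SECONDS; GNU date needs -d @SECONDS, so try both.
snapshot_time() {
    s=$(( $1 - $2 * 60 ))
    date -r "$s" '+%Y%m%d%H%M.%S' 2>/dev/null || date -d "@$s" '+%Y%m%d%H%M.%S'
}

# Parse options the way lastdown does (getopts with digit option letters),
# then echo and run the resulting last(8) command. FreeBSD only.
lastdown_main() {
    file=/var/log/wtmp digits=
    while getopts hf:0123456789 opt; do
        case $opt in
        f) file=$OPTARG ;;
        [0-9]) digits=$digits$opt ;;
        *) echo 'Usage: lastdown [-h] [-f FILE] [-0..-9 ...]' >&2; exit 1 ;;
        esac
    done
    sec=$(boottime_sec "$(sysctl kern.boottime)")
    when=$(snapshot_time "$sec" "$(digits_to_minutes "$digits")")
    echo "last -d $when -f $file"
    last -d "$when" -f "$file"
}

# Run against the live system only when saved and invoked as `lastdown'.
case ${0##*/} in lastdown) lastdown_main "$@" ;; esac
```

Save it as `lastdown' and run, for example, `lastdown -007 -f /var/log/wtmp.1' on a FreeBSD host; elsewhere only the helper functions are meaningful.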