last | grep IPADDRESS
doesn't shows any line, but:
lastlog | grep IPADDRESS
does. Why?
Asked
Active
Viewed 7,524 times
3
1 Answers
2
Without more information it's hard to say, but they pull data from different sources. It's possible that's why.
last pulls from /var/log/wtmp which deals with more than just user logins. Virtually any change to the system-wide state is recorded there. For that reason it's an obvious candidate for logrotate
lastlog pulls from /var/log/lastlog which is only concerned with previous logins.
It's possible that /var/log/wtmp got rotated at some point after that user's login and that's why you're not seeing it.
To verify, you can run last | grep "wtmp begins" and if that date is after the login date given to you by lastlog then that's what happened and you would have to look in /var/log for the rotated copy of wtmp and specify it with -f for example last -f /var/log/wtmp.1 | grep IPADDRESS
Bratchley
- 16,824
- 14
- 67
- 103
lastshows IPs? Or do you need to uselast -i? – madneon Mar 23 '15 at 20:58