followup on utmp/wtmp logging?

Mook, R.S. van (CIV) R.S.vanMook at civ.utwente.nl
Tue Nov 23 13:01:56 GMT 1999


I've just developed a few tricks for myself to sort-of-achieve the same thing,
it is only tested on one system, Your Mileage May Vary and Completely At
Your Own Risk:

Add to every share in smb.conf:
include = /etc/samba/logging.conf

/etc/samba/logging.conf:
root preexec = echo "LOGIN %u $PPID \"%S\" %M %T" >> /var/log/utmp-samba
root postexec = echo "LOGOUT %u $PPID \"%S\" %M %T" >> /var/log/utmp-samba

Which results in a file like this:
LOGOUT nobody 29330 "apps" cam031312.student.utwente.nl 1999/11/22 18:03:40
LOGIN remco 29493 "remco" arie 1999/11/22 21:10:50
LOGIN snt 29493 "snt" arie 1999/11/22 21:11:02
LOGOUT snt 29493 "snt" arie 1999/11/22 21:49:05
LOGOUT remco 29493 "remco" arie 1999/11/22 21:49:05
LOGIN remco 29493 "remco" arie 1999/11/22 23:04:09
LOGIN nobody 31304 "apps" cal038041.student.utwente.nl 1999/11/23 09:40:59
LOGIN nobody 31335 "apps" cal007205.student.utwente.nl 1999/11/23 11:04:37
LOGOUT nobody 31335 "apps" cal007205.student.utwente.nl 1999/11/23 11:07:17
LOGOUT nobody 31304 "apps" cal038041.student.utwente.nl 1999/11/23 12:37:51


Which can be parsed with the following perl script:
#! /usr/bin/perl

# quick hack to emulate a 'last' command for samba

use Time::Local;
use strict;

my ($search,$max);


sub usage {
print << "EOF";
smblast - 'last' command for Samba.
Version 0.1, Remco van Mook 1999
Usage: smblast [-num] [username]
EOF
}

foreach (@ARGV) { 
  if (/^-(\d+)/) { $max=$1 } elsif (! /^$/) { $search=$_ }
  if (/-h/) { usage; exit 0}
}  

sub bytime { $b->[0] <=> $a->[0] }

open (IN,"/var/log/utmp-samba") or die "Cannot open /var/log/utmp-samba: $!\n";

my %log;
while (<IN>) {
    my ($action,$pid,$share,$user,$host,$date,$time);
    # skip lines that do not match, so stale $1..$7 are never reused
    next unless /^(LOGIN|LOGOUT) (.+)? (.+)? "(.+)?" (.+)? (.+)? (.+)$/;
    ($action,$user,$pid,$share,$host,$date,$time)=($1,$2,$3,$4,$5,$6,$7);
    if ($action eq "LOGIN") { 
      $log{"$share/$user/$pid"}[0]=$date;
      $log{"$share/$user/$pid"}[1]=$time;
      $log{"$share/$user/$pid"}[4]=$host;
    } else { 
      $log{"$share/$user/$pid"}[2]=$date;
      $log{"$share/$user/$pid"}[3]=$time; 
      $log{"$share/$user/$pid"}[5]=$host;
    }
}
close IN;

my $key;
my $counter;
my @output;
$counter=0;
foreach $key (keys %log) {
  my ($itime,$ihour,$imin,$isec,$iday,$imon,$iyear)=0;
  my ($otime,$ohour,$omin,$osec,$oday,$omon,$oyear)=0;
  my $rest;
  my ($share,$user,$pid) = split ("/",$key);
  if ((! $search) or ($search eq $user)) { 
    my $host=$log{$key}[4]||$log{$key}[5];
    if ($log{$key}[1].$log{$key}[0] ne "") { 
      ($ihour,$imin,$isec)=split(":",$log{$key}[1]);
      ($iyear,$imon,$iday)=split("/",$log{$key}[0]);
      # timelocal() expects a 0-based month (0 = January)
      $itime=timelocal($isec,$imin,$ihour,$iday,$imon-1,$iyear-1900);
    } else {
      $itime=0;
      $iday=1;
      $ihour="00";
      $imin="00";
      $imon=1;
    }
    my $day=("Sun","Mon","Tue","Wed","Thu","Fri","Sat","Sun")[(localtime($itime))[6]];
    my $mon=("Jan","Feb","Mar","Apr","May","Jun","Jul","Aug","Sep","Oct","Nov","Dec")[$imon-1];
    if ($log{$key}[3].$log{$key}[2] ne "") {
      ($ohour,$omin,$osec)=split(":",$log{$key}[3]);
      ($oyear,$omon,$oday)=split("/",$log{$key}[2]);
      # same 0-based month as for the login time
      $otime=timelocal($osec,$omin,$ohour,$oday,$omon-1,$oyear-1900);
    }
    if ($otime != 0) { 
      my $timediff=$otime-$itime;
      my $dur=sprintf("(%2s:%2s)",int($timediff/3600),int(($timediff%3600)/60));
      $dur=~s/ /0/g;
      $rest=sprintf("- %2s:%2s %8s",$ohour,$omin,$dur);
    } else {
      $rest="  still logged in";
    }
    $output[$counter][0]=$itime;
    $output[$counter][1]=sprintf ("%-8s SMB/%-8s %-16s %3s %3s %2s %2s:%2s %s\n",$user,$share,substr($host,0,16),$day,$mon,$iday,$ihour,$imin,$rest);
    $counter++;
  }
}

my @sorted = sort bytime @output;
if ($max) { @sorted=splice(@sorted,0,$max) } 

foreach (@sorted) {
 print ${$_}[1];
}

Remember it's just a quick hack, not particularly elegant or efficient :)

You get the following output:
nobody   SMB/apps     cal007205.studen Thu Nov 23 11:04 - 11:07  (00:02)
nobody   SMB/apps     cal038041.studen Thu Nov 23 09:40 - 12:37  (02:56)
snt      SMB/snt      arie             Wed Nov 22 21:11 - 21:49  (00:38)
nobody   SMB/apps     cam031312.studen Wed Nov 22 18:03 - 18:03  (00:00)
nobody   SMB/Install  cam031312.studen Wed Nov 22 18:03 - 18:03  (00:00)
nobody   SMB/Install  cal040031.studen Wed Nov 22 17:21 - 17:21  (00:00)

Surely the logging.conf part could be integrated in some form into smbd.

Hope this helps,

Remco

-----Original message-----
From: Harald Hannelius [mailto:Harald at iki.fi]
Sent: Tuesday, November 23, 1999 11:09 AM
To: Multiple recipients of list SAMBA-TECHNICAL
Subject: followup on utmp/wtmp logging?



Has there been any more talk about the recent question about utmp/wtmp
support in samba?

This would really be a nice feature. It would abstract the windows clients
even more and one could use standard unix tools when messaging. Above all,
I would get the users login/logouts logged properly.

===========================================================        
Harald H Hannelius | Harald at iki.fi      | GSM +358405470870
===========================================================  
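
The session pairing done by the smblast script above, as an added example that is not part of the original post and is written in Python rather than the post's Perl. It keeps every login under a (share, user, PID) key instead of one slot per key, so a reused smbd PID (29493 in the log above) does not merge separate sessions, and it sets aside lines that do not parse. The names `sessions`, `REC` and `SAMPLE` are hypothetical, the sample lines are constructed, and user and host names are assumed to contain no spaces.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the format written by logging.conf.
SAMPLE = """\
LOGOUT nobody 29330 "apps" cam031312.student.utwente.nl 1999/11/22 18:03:40
LOGIN remco 29493 "remco" arie 1999/11/22 21:10:50
LOGIN snt 29493 "snt" arie 1999/11/22 21:11:02
LOGOUT snt 29493 "snt" arie 1999/11/22 21:49:05
LOGOUT remco 29493 "remco" arie 1999/11/22 21:49:05
LOGIN remco 29493 "remco" arie 1999/11/22 23:04:09
LOGIN nobody 31304 "my docs" cal038041.student.utwente.nl 1999/11/23 09:40:59
this line is not a record
"""

# Assumption: user and host contain no spaces; the share is the quoted field.
REC = re.compile(r'^(LOGIN|LOGOUT) (\S+) (\d+) "(.*)" (\S+) '
                 r'(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)$')

def sessions(text):
    """Return (sessions, rejected); a session is the tuple
    (user, share, host, login, logout), None marking a missing end."""
    pending = defaultdict(list)        # (share, user, pid) -> open logins
    done, rejected = [], []
    for line in text.splitlines():
        m = REC.match(line)
        try:
            when = datetime.strptime(m.group(6), "%Y/%m/%d %H:%M:%S") if m else None
        except ValueError:             # shaped like a date but invalid, e.g. month 13
            when = None
        if when is None:
            rejected.append(line)      # keep unparseable lines for review
            continue
        action, user, pid, share, host, _ = m.groups()
        key = (share, user, pid)
        if action == "LOGIN":
            pending[key].append((when, host))
        elif pending[key]:             # close the oldest open login for this key
            start = pending[key].pop(0)[0]
            done.append((user, share, host, start, when))
        else:                          # logout whose login is not in the file
            done.append((user, share, host, None, when))
    for (share, user, _), opens in pending.items():
        done.extend((user, share, host, start, None) for start, host in opens)
    done.sort(key=lambda s: s[3] or s[4], reverse=True)   # newest first, like last
    return done, rejected
if __name__ == "__main__":
    print(*sessions(SAMPLE)[0], sep="\n")
```
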

