Friday, 8 October 2010

Resetting the lastlog file in Linux

Sometimes (like when you're creating a VM image) you just want to wipe out the lastlog database and make it all clean, new and sexy.

lastlog is a sparse file with room for 'maxuid' records of 'struct lastlog'. It is mostly empty space until people log in to the machine.

There doesn't seem to be a tool to clear out previous logins, and removing the file or using 'touch' means that you lose the 'never logged in' entries for most of the user IDs. Using 'adduser' and then 'deluser' just adds needless cruft to your system.

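So the way to clear it down is to empty the file and then use 'dd' to extend it back into a sparse file the same size as the current lastlog, thus:

llsize=$(stat -c%s /var/log/lastlog)
# Empty the file first: with seek=, dd only truncates to the seek offset and keeps the old records
: > /var/log/lastlog
dd if=/dev/zero of=/var/log/lastlog bs=1 count=0 seek="$llsize"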

However, what we really need is a '-r' reset option on the lastlog command (similar to the one on the faillog command).
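
The reset described above, wrapped as a function that can be tried on a scratch file and that verifies the result (an added example, not part of the original post). The helper names are hypothetical, and the 292-byte record size used in the demo is that of glibc's struct lastlog on Linux, an assumption the post does not state.

```shell
#!/bin/sh
# Added example; reset_lastlog, lastlog_is_clean and demo are hypothetical names.

# Succeed only if FILE is exactly SIZE bytes long and holds no non-zero byte.
lastlog_is_clean() {
    [ "$(stat -c%s "$1")" -eq "$2" ] || return 1
    [ "$(tr -d '\000' < "$1" | wc -c)" -eq 0 ]
}

# Reset FILE to an all-zero sparse file of its current size, in place,
# so that owner, mode and security labels are untouched.
reset_lastlog() {
    file=$1
    [ -f "$file" ] || { echo "not a regular file: $file" >&2; return 1; }
    size=$(stat -c%s "$file") || return 1
    : > "$file" || return 1      # discard every stored record
    # count=0 copies nothing; seek= extends the file to $size as a hole
    dd if=/dev/zero of="$file" bs=1 count=0 seek="$size" 2>/dev/null || return 1
    lastlog_is_clean "$file" "$size"
}

# Demo on a constructed scratch file, never the real /var/log/lastlog.
# A fake record is placed in the slot for UID 1000, assuming 292-byte records.
demo() {
    tmp=$(mktemp) || return 1
    printf 'constructed-login-record' |
        dd of="$tmp" bs=1 seek=$((1000 * 292)) 2>/dev/null
    before=$(stat -c%s "$tmp")
    rc=0
    reset_lastlog "$tmp" || rc=$?
    echo "size before=$before after=$(stat -c%s "$tmp") clean_rc=$rc"
    rm -f "$tmp"
    return "$rc"
}

demo
```

The verification step reads the whole file, so on a system with very large UIDs (and therefore a very large apparent lastlog size) it can take a while even though the file occupies almost no disk space.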