====== User logs ======

===== Lastlog =====

lastlog command prints the last login times for system accounts. Login information is read from the file /var/log/lastlog.

To print the last login of all the users:
<cli prompt='#'>
# lastlog 
</cli>

To print the records of specified days older:
<cli prompt='#'>
# lastlog -b 10
# lastlog --before 10 
</cli>

To print the logs more recent that specified days:
<cli prompt='#'>
# lastlog -t 20
# lastlog --time 20 
</cli>

To print the last login records of specified login:
<cli prompt='#'>
# lastlog -u mike
# lastlog --user mike 
</cli>

**Why is the /var/log/lastlog file so large?** 

The lastlog file is reporting to be ~1.2TB in size. This file is large since it contains information regarding the last login for all users. The UID of nfsnobody on 64 bit systems is 4294967294 or 2^32-2, with 256kB per UID.

**This file is what we call a sparse file**. A sparse file is a file that contains **unallocated blocks** or "empty space", as it implies, it does not actually take up filesystem space.
<cli prompt='#'>
[root@LIN-HREL8 ~]# du -sh /var/log/lastlog
40K     /var/log/lastlog
[root@LIN-HREL8 ~]# ls -lh /var/log/lastlog
-rw-rw-r--. 1 root utmp 327G Nov 21 14:06 /var/log/lastlog
[root@LIN-HREL8 ~]# df -h /var
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/rhel-var  5.0G  2.4G  2.7G  47% /var
</cli>

This file can potential give problems during backup, so ignore it.