Even better, it's available online. Not only does it have an example on how to decode the binary format of wtmp files with unpack(), but it even has an example on using the 'last' command from within Perl.

AgentM Systems nor Nasca Enterprises nor Bone::Easy nor Macperl is responsible for the comments made by AgentM. Remember, you can build any logical system with NOR.

When first checking a system for what you think is suspicious activity, do it by hand to learn the system's quirks.

After paging through last with (more|less) a couple times, try to find a reasonable grep command or two that would find things you noticed while paging. Then check last (by paging through it again) to make sure that your grep command cought everything it was purposed towards.

Once you have a completely familial understanding with what you're looking for in the log, then writing a script to speed up the process is good because you can do your work faster at the same exactness. If you just start by writing a script you might leave something out that's important (albeit possibly only in certain cases).

Sorry to go off topic, and hopefully this didn't come out as a rant; i've just seen too many admins too worried about not having to scroll through logs to care about what they were actually trying to do when they did so (myself included :-). Perl is a boon to admins, but it shouldn't be a crutch.

HTH,
jynx