in reply to Unix
Please be sure of what you're checking for before you just write something to scan the logs though.

When first checking a system for what you think is suspicious activity, do it by hand to learn the system's quirks.

After paging through last with (more|less) a couple times, try to find a reasonable grep command or two that would find things you noticed while paging. Then check last (by paging through it again) to make sure that your grep command caught everything it was purposed towards.

Once you have a completely familiar understanding of what you're looking for in the log, then writing a script to speed up the process is good because you can do your work faster at the same exactness. If you just start by writing a script you might leave something out that's important (albeit possibly only in certain cases).

Sorry to go off topic, and hopefully this didn't come out as a rant; i've just seen too many admins too worried about not having to scroll through logs to care about what they were actually trying to do when they did so (myself included :-). Perl is a boon to admins, but it shouldn't be a crutch.

HTH,
jynx