radwtmp




I found that the first character of the login in the logout record of each login/logout pair is missing, as illustrated by the attached file (logins and host IPs changed with a hex editor to anonymize the data). This is in contrast to the local wtmp file.

I discovered this anomaly when I ran a Perl script on radwtmp (which was designed to be run on wtmp and used to find hackers - strange logins not found in the local password database).

The native 'last' command operated on radwtmp with normal results, so I suspect 'last' uses the host field as its index instead of the name field.

I am running freeradius-1.1.7 and then freeradius-2.0.1 on FreeBSD 6.3-RELEASE, with the same results.


Best Regards
David

Attachment: radwtmp
Description: Binary data
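
An added example, not part of the original message and not FreeRADIUS code: a wtmp-style audit that pairs login and logout records by the line field, so a logout record with a damaged name is not reported as an unknown user. It assumes the classic BSD utmp layout (8-byte line, 16-byte name, 16-byte host, 32-bit time) and that the missing first character is a NUL byte; the sample records, names and addresses are constructed.

```python
import struct

# Assumed layout (classic BSD utmp): line[8], name[16], host[16], 32-bit time.
REC = struct.Struct("<8s16s16si")

def cstr(raw):
    """Decode a NUL-padded field as a C string (stop at the first NUL)."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def records(blob):
    """Yield (line, raw_name, host, time) for every complete record."""
    for off in range(0, len(blob) - REC.size + 1, REC.size):
        line, name, host, t = REC.unpack_from(blob, off)
        yield cstr(line), name, cstr(host), t

def naive_unknown(blob, known):
    """What a NUL-stripping script reports: logout records look like new users."""
    names = (raw.replace(b"\0", b"").decode("ascii", "replace")
             for _, raw, _, _ in records(blob))
    return sorted({n for n in names if n and n not in known})

def audit(blob, known):
    """Pair records by line field; only login records are checked against known."""
    open_by_line, sessions, unknown = {}, [], []
    for line, raw, host, t in records(blob):
        name = cstr(raw)
        if name:                              # login record
            open_by_line[line] = (name, host, t)
            if name not in known:
                unknown.append((name, host, t))
        elif line in open_by_line:            # logout record: name starts with NUL
            user, h, start = open_by_line.pop(line)
            sessions.append((user, h, start, t))
    return sessions, unknown

# Constructed sample: alice logs in, an unlisted account logs in, alice logs out.
SAMPLE = (REC.pack(b"S01", b"alice", b"192.0.2.10", 1200000000)
          + REC.pack(b"S02", b"mallory", b"192.0.2.66", 1200000100)
          + REC.pack(b"S01", b"\0lice", b"192.0.2.10", 1200000600))
KNOWN = {"alice", "bob"}

if __name__ == "__main__":
    print(naive_unknown(SAMPLE, KNOWN))
    print(audit(SAMPLE, KNOWN))
```
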


