parse NetBSD lastlogx record files

[jtmoon79]

Parse NetBSD lastlogx record struct files.

Current behavior

/var/log/lastlogx files cannot be processed.

Suggested behavior

Parse lastlogx files.

Other

Attached are lastlogx files (zipped) scraped from NetBSD 9.3 systems.

• lastlogx-x86_64.zip
• lastlogx-x86_32.zip

This struct on x86_32 platform is 428 bytes and defined as:

lastlogx               sizeof 428
lastlogx.ll_tv    @  0 sizeof  12
lastlogx.ll_line  @ 12 sizeof  32
lastlogx.ll_host  @ 44 sizeof 256
lastlogx.ll_ss    @300 sizeof 128

This struct on x86_64 platform is 432 bytes and defined as:

lastlogx               sizeof 432
lastlogx.ll_tv    @  0 sizeof  16
lastlogx.ll_line  @ 16 sizeof  32
lastlogx.ll_host  @ 48 sizeof 256
lastlogx.ll_ss    @304 sizeof 128

However, the lastlogx files attached are 65536 bytes (not divisible by 428 or 432).

Looking at the code in lastlogin.c, the "read" call uses a function pointer so it's difficult to trace by reading published source code. But these files appear to be more complex that a flat record struct file like utmp.