
wtmp

 
Patrick Ferguson
Occasional Contributor

wtmp

The wtmp file under /var/adm/ is filling up my file system. I have some Network Management Software that uses remshell to poll my server from a remote box. This file just started filling up at a rate of about 1 remshd every 3 seconds. Any ideas on how I can go about troubleshooting the culprit?
unix unit
Helen French
Honored Contributor

Re: wtmp

Hi,

Check the output of 'last'. This searches the /var/adm/wtmp file and you can find out the issue.

# man last

HTH,
Shiju
Life is a promise, fulfill it!
S.K. Chan
Honored Contributor

Re: wtmp

You can actually read the wtmp file:
# cd /var/adm
# /usr/sbin/acct/fwtmp < wtmp

That should give you some idea what's filling up.
James R. Ferguson
Acclaimed Contributor
Solution

Re: wtmp

Hi Patrick:

If present, this file will grow indefinitely.

If you merely want to "zero" the file after examining it (with 'last') then the proper way is to direct /dev/null into it so that the file descriptor to the file remains the same:

# cat /dev/null > /var/adm/wtmp

If you never care about last logins, you can remove the file entirely. This will stop its creation and any I/O to it. Then, if you want to use it later, touch it (or direct /dev/null to it); set its ownership to "root" and make its permissions 644.

If you wish to retain a portion of the file, you can do this:

# /usr/sbin/acct/fwtmp < /var/adm/wtmp > /tmp/wtmp

This converts the binary file to an ASCII formatted one which you may edit and convert back to binary:

# /usr/sbin/acct/fwtmp -ic < /tmp/wtmp > /var/adm/wtmp

You can perform similar manipulations with the 'btmp' data for "bad" logins.

Regards!

...JRF...
hpuxrox
Respected Contributor

Re: wtmp

You may want to create a script and put it in cron to clean out the wtmp file. Something like this.

#! /bin/sh
# Truncate /var/adm/wtmp in place
>/var/adm/wtmp 1>&- 2>&-
Bill Hassell
Honored Contributor

Re: wtmp

Like all Unix systems, the logfiles will grow without bounds. There is nothing wrong with the remsh filling up wtmp, in fact, it's important to know who is connecting to your system.

But you must manage all the logfiles all the time, a job for cron. First decide what information you must retain, then based on the rate at which the logfiles grow, a cron script will extract needed info, then copy the logfile, compress it and then zero the current logfile. You may want to keep 3 to 9 weeks of old logfiles for security and troubleshooting.

Logfiles you need to monitor in /var/adm:

wtmp btmp nettl.LOG00

and in /var/adm/syslog:

mail.log syslog.log

There are many others but their growth depends on what you are running on your system.


Bill Hassell, sysadmin
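
The cron job described in the post above (copy the logfile, compress it, zero the current file, keep a fixed number of old copies), as an added example that is not part of the original thread. The function name rotate_log, its arguments and the archive directory are hypothetical, and it assumes gzip is installed on the system.

```shell
#!/bin/sh
# Added example: copy, compress, then zero a log in place, keeping KEEP archives.
# Hypothetical usage from root's weekly cron script:
#   rotate_log /var/adm/wtmp /var/adm/oldlogs 9

rotate_log() {
    log=$1 dir=$2 keep=$3
    stamp=${4:-$(date +%Y%m%d%H%M%S)}   # sortable suffix; override for testing
    [ -f "$log" ] || return 0           # file removed on purpose: leave it alone
    [ -s "$log" ] || return 0           # empty: nothing to archive
    base=$(basename "$log")
    archive="$dir/$base.$stamp"

    (
        umask 077                       # login records: archives readable by owner only
        mkdir -p "$dir" &&
        cp "$log" "$archive" &&
        gzip -f "$archive"
    ) || return 1                       # never zero the log if the copy failed

    # Truncate in place so the inode, owner and mode stay the same
    # (same effect as: cat /dev/null > file).
    # Records written between the cp and this line are lost.
    : > "$log" || return 1

    # Remove the oldest archives beyond $keep (names sort by timestamp).
    total=$(ls -1 "$dir"/"$base".*.gz 2>/dev/null | wc -l)
    excess=$(($total - $keep))
    if [ "$excess" -gt 0 ]; then
        ls -1 "$dir"/"$base".*.gz | sort | head -n "$excess" |
        while read -r old; do rm -f "$old"; done
    fi
    return 0
}
```

The same function works for btmp and the syslog files listed above; the keep count sets how many weeks of history survive when the job runs weekly.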
Yogeeraj_1
Honored Contributor

Re: wtmp

Hi,

I regularly use SAM to manage my system logfiles.
->SAM Areas->Routine Tasks->System Log Files

Also, I have regular cronjobs that verify and trim some of them.

All you need is to identify these files and devise a strategy for verification and purging (automated or manual).

Best Regards
yogeeraj
No person was ever honoured for what he received. Honour has been the reward for what he gave (Calvin Coolidge)