topic Re: how to clean up /var/adm/wtmp and btmp log files in Operating System - HP-UX

how to clean up /var/adm/wtmp and btmp log files

Yan Wong — Tue, 14 Jan 2003 02:57:18 GMT

Hi folks,

My system is having a large file size for /var/adm/wtmp and /var/adm/btmp. As these are keeping records for login information, can I just empty the data content?

Any better commands on automation?

thanks in advance

Re: how to clean up /var/adm/wtmp and btmp log files

John Poff — Tue, 14 Jan 2003 03:04:14 GMT

Hi,

You can just null out those files like this:

cat /dev/null >/var/adm/wtmp
cat /dev/null >/var/adm/btmp

Here is a thread that talks about pruning the files, saving the information, and also automating the task:

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0xb9855220af9bd5118ff10090279cd0f9,00.html

JP

Re: how to clean up /var/adm/wtmp and btmp log files

Michael Tully — Tue, 14 Jan 2003 03:07:30 GMT

Hi,

You can place these in cron, or do them from the command line.

0 22 1 * * cat /var/adm/wtmp | /usr/sbin/acct/fwtmp > /tmp/ascii_wtmp
5 22 1 * * cat /tmp/ascii_wtmp | /usr/sbin/acct/fwtmp > /var/adm/wtmp

Have a look at the man page for 'fwtmp'

or

# cat /dev/null > /var/adm/wtmp
# cat /dev/null > /var/adm/btmp

HTH
Michael

Re: how to clean up /var/adm/wtmp and btmp log files

Bill Hassell — Tue, 14 Jan 2003 03:15:46 GMT

You can zero out the files but since they contain information about past, current and failed logins, you may want to scan them for abnormalities. The tools are last (for wtmp) and lastb (for btmp). Excessive failures to login (especially root) could be a security problem.

Once you scan (and extract) for useful info, you can zero out the files (they are binary so vi and ASCII tools won't work). Note that wtmp amd btmp are only good for one year as they do not have the year stored. If these files have data longer than one year, there will appear to be ghost sessions present.

Re: how to clean up /var/adm/wtmp and btmp log files

James R. Ferguson — Tue, 14 Jan 2003 03:23:18 GMT

Hi:

If for any reason you do not wish to log either successful logins ('/var/adm/wtmp') or unsuccessful ones (in 'var/adm/btmp') then remove the file(s).

The absence of a the file disables the corresponding logging. To re-enable the capture, recreate (touch) the appropriate file(s).

Regards!

...JRF...

Re: how to clean up /var/adm/wtmp and btmp log files

Sritharan — Tue, 14 Jan 2003 03:30:04 GMT

Hi,

you no need to empty the files , you just have to trim it down

# > /var/adm/wtmp

# > /var/adm/btmp

or

you can use sam

Routine Tasks -> System Log Files -> /var/adm/btmp and /var/adm/wtmp

here you can also trim other log files.

Thanks & regards
Sri

Re: how to clean up /var/adm/wtmp and btmp log files

Rajeev Shukla — Tue, 14 Jan 2003 03:34:05 GMT

You can null this files, but from practice i have seen its better to preserve these files for few weeks.
Best is to write a housekeeping script put it in the cron, which copies these files to some date stamp like btmp.14Jan2002 and then make them zero
> btmp
Also search for old files and keep deleting them.

Cheers
Rajeev

Re: how to clean up /var/adm/wtmp and btmp log files

T G Manikandan — Tue, 14 Jan 2003 05:03:47 GMT

http://www2.itrc.hp.com/service/cki/docDisplay.do?docLocale=en_US&docId=200000062904760
http://www2.itrc.hp.com/service/cki/docDisplay.do?docLocale=en_US&docId=200000062908330

Re: how to clean up /var/adm/wtmp and btmp log files

Ravi_8 — Tue, 14 Jan 2003 06:07:27 GMT

Hi,

Yes you can empty the file.

to automate it you can place the command in crontab file to clean the files weekly or monthly.

Re: how to clean up /var/adm/wtmp and btmp log files

eran maor — Tue, 14 Jan 2003 09:16:27 GMT

Hi

you can clean them up with command line :
cat /dev/null >/var/adm/wtmp
cat /dev/null >/var/adm/btmp

SAM :

or you can go to SAM -> routine Task -> systel log files .

over there you can choose to trim any system log file that you want .

Re: how to clean up /var/adm/wtmp and btmp log files

bgwest — Fri, 14 Apr 2017 18:52:54 GMT

I'm familiar with the binary to ascii conversion (/var/adm/wtmp | /usr/sbin/acct/fwtmp) with tail to shrink the accounting files. What does '$ # > /var/adm/wtmp' actually do? Does it perform that conversion and shrink it to a set number of lines?

Re: how to clean up /var/adm/wtmp and btmp log files

Dennis Handly — Sat, 15 Apr 2017 21:55:11 GMT

>What does '# > /var/adm/wtmp' actually do?

Sets EOF to zero.

Re: how to clean up /var/adm/wtmp and btmp log files

bgwest — Mon, 17 Apr 2017 16:09:51 GMT

Dennis,

Thanks for the quick reply. Want to make sure I am understanding that correctly. Here are the results of use of this on ascii text file. Does it need to be binary for it to work? Can you point me to the correct man page?

+server$ vi trtest.txt
"trtest.txt" [New file]
is the end of file 0 now?
yes?
no?
checking
testing
checking
test...
~
(...)
"trtest.txt" [New file] 7 lines, 69 characters
+server$
+server$ awk '{print NR}' trtest.txt
1
2
3
4
5
6
7
+server$
+server$ # > trtest.txt
+server$ awk '{print NR}' trtest.txt
1
2
3
4
5
6
7
+server$ # > trtest.txt
+server$ awk 'END{print NR}' trtest.txt
7
+server$ file trtest.txt
trtest.txt:     ascii text
+server$

Thank you again,

Re: how to clean up /var/adm/wtmp and btmp log files

Dennis Handly — Mon, 17 Apr 2017 17:50:58 GMT

> +server$ # > trtest.txt

That "#" was an indication of root's prompt. In your use, remove it, otherwise it's a comment.

Re: how to clean up /var/adm/wtmp and btmp log files

bgwest — Mon, 17 Apr 2017 18:02:53 GMT

Silly misinterpretation on my end. Thanks for the clarification.

Re: how to clean up /var/adm/wtmp and btmp log files

bgwest — Mon, 04 Jun 2018 16:03:18 GMT

This year we ran into issues again with slow logins. This time I wrote a script to handle this every 6-months.

#!/usr/local/bin/bash
# wtmps / btmps - 6 month backup and trimming routine
# bgw 05/2018
#

liveFilesDir="/var/adm"
# fwtmp, wtmpfix - manipulate connect accounting records
ftwmpCmd=`/usr/lib/acct/fwtmp`
todaysDate=`date +%m%d%y`
backupDir="/logs_ext/login_files"

[[ ! -d "$backupDir" ]] &&
echo -e "\nBackup dir missing -- creating backup dir @$backupDir" &&
mkdir -p $backupDir

chown root:group $backupDir
chmod 750 $backupDir

# backup file names to write into ASCII format
wtmpFile="wtmp.$todaysDate"
wtmpsFile="wtmps.$todaysDate"
btmpFile="btmp.$todaysDate"
btmpsFile="btmps.$todaysDate"

# save each file records in ASCII format
cd $liveFilesDir
$ftwmpCmd < wtmp > $backupDir/$wtmpFile
$ftwmpCmd < wtmps > $backupDir/$wtmpsFile
$ftwmpCmd < btmp > $backupDir/$btmpFile
$ftwmpCmd < btmps > $backupDir/$btmpsFile

# ensure files are still with original permission state
chown adm:adm wtmp wtmps
chmod 664 wtmp wtmps

chown root:other btmp btmps
chmod 600 btmp btmps

# tar trimmed accounting files
tar -cvf $backupDir/acctfiles.$todaysDate.tar $backupDir/[wb]tmp*.$todaysDate*

# compress accounting files
gzip $backupDir/acctfiles.$todaysDate.tar

# now that we have a backup, null out the files
# I've found keeping records in only one file breaks the 'last' and 'lastb' commands
> wtmp
> wtmps
> btmp
> btmps

# if the ascii version of the files needed to be reverted back to binary
# this command can be used for that
# /usr/lib/acct/fwtmp -ic < /logs_ext/wtmps.05252018.tail100 > wtmps.new

I found that from all the suggestions, the best way is to backup and null out both files. Otherwise, the ‘last’ and ‘lastb’ commands break. After running this, both servers have fast logins and our accounting commands are fixed.

Thanks again to everyone’s info! Hopefully this helps someone get quickly on their way someday.