topic Re: How to purge btmp&wtmp under /var/adm? in Operating System - HP-UX

How to purge btmp&wtmp under /var/adm?

ericfjchen — Mon, 24 Jan 2005 01:40:31 GMT

Can we do '>btmp'?

Re: How to purge btmp&wtmp under /var/adm?

ericfjchen — Mon, 24 Jan 2005 01:41:02 GMT

It is HP-UX 10.20.

Re: How to purge btmp&wtmp under /var/adm?

Indira Aramandla — Mon, 24 Jan 2005 03:00:41 GMT

Hi Eric,

File btmp contains bad login entries for each invalid logon attempt. File wtmp contains a record of all logins and logouts.

wtmp and btmp tend to grow without bound, and should be checked regularly. Information that is no longer useful should be removed periodically to prevent it from becoming too large.

You can use sam to trim the logs. Sam--Ã Routine Tasks---Ã System Log Files-----select /var/adm/wtmp and /var/admbtmp then from Action menu select trim to zero.

Note:- If these files are removed, record-keeping is turned off. Before triming the logs if you want to make a record of the incorrect / bad logins you can use fwtmp which reads from the wtmp file converting binary records to formatted ASCII records.

Indir

Re: How to purge btmp&wtmp under /var/adm?

Yogeeraj_1 — Mon, 24 Jan 2005 03:13:08 GMT

hi,

as Indira mentioned above, unless you want to keep the information contained in these files, you may trim them to zero.

you can also do:
cat /dev/null > /var/adm/btmp

hope this helps!

regards
yogeeraj

Re: How to purge btmp&wtmp under /var/adm?

Fred Ruffet — Mon, 24 Jan 2005 03:22:28 GMT

"man runacct" and "man 1M acct" should be a good start. Rather than losing accounting information, you can log it.

Regards,

Fred

Re: How to purge btmp&wtmp under /var/adm?

Jannik — Mon, 24 Jan 2005 03:49:10 GMT

Hey,

When the file i becomming to big, I usally make a bakup of the file and then:
/usr/sbin/acct/fwtmp < /var/adm/btmp > /var/tmp/btmp.tmp
tail -n -2048 /var/tmp/btmp.tmp >/var/tmp/btmp.tmp1
/usr/sbin/acct/fwtmp -ic < /var/tmp/btmp.tmp1 > /var/adm/btmp

This will keep the most resent data. The commad lastb is the one using btmp, often you are able to see password of other users in the file, but thats another story, but make sure only root is able to read/write the file:
-rw------- 1 root other 1024 Dec 30 14:36 btmp

Re: How to purge btmp&wtmp under /var/adm?

Shannon Petry — Mon, 24 Jan 2005 11:39:30 GMT

The safest thing to do is run accounting, which will re-create these files. This includes fixing permissions and corruptions that can occur with these files.

It's actually a great practice, though under utilized, to run system accounting. Read the man pages for runacct for more information.

Basics:
/usr/sbin/acct/turnacct on

vi /etc/acct/holidays
# Make sure the year is correct

/usr/sbin/acct/runacct

If you do not plan to maintain accounting then run:
/usr/sbin/acct/turnacct off

If you plan to maintain system accounting, vi /etc/rc.config.d/acct and set the variable to 1 so that accounting starts at system boot.

Regards,
Shannon

Re: How to purge btmp&wtmp under /var/adm?

Geoff Wild — Mon, 24 Jan 2005 14:56:53 GMT

Sure - you can do a

> btmp

or cp /dev/null > btmp

Or use sam

Tip:
Want to know what SAM does?
Run '/usr/sam/bin/samlog_viewer' and see what commands SAM ran.
Or you can 'view' /var/sam/log/samlog to search for yourself.

Rgds...Geoff

Re: How to purge btmp&wtmp under /var/adm?

Geoff Wild — Mon, 24 Jan 2005 14:59:42 GMT

Another thing you can do is, install logrotate:

http://hpux.ee.ualberta.ca/hppd/hpux/Sysadmin/logrotate-2.5/

# cat logrotate.conf
# see "man logrotate" for details
# rotate log files weekly
weekly

# keep 4 weeks worth of backlogs
rotate 5

# create new (empty) log files after rotating old ones
create

# uncomment this if you want your log files compressed
#compress

# packages drop log rotation information into this directory
include /etc/logrotate.d

# no packages own wtmp -- we'll rotate them here
/var/adm/wtmp {
monthly
create 0664 adm adm
rotate 1
}

Rgds...Geoff