topic decode contents of wtmp file in Operating System - HP-UX

decode contents of wtmp file

NDO — Thu, 01 Mar 2012 14:19:42 GMT

I am trying to use the command last and lastb to check on successfull and unsuccessfully logings, and I got the following result>

#last -R 10
Invalid record size. Unable to continue ...

and

lastb -R 10

BTMPS_FILE begins at Fri Dec 31 07:45:40

So I search on this forums and I found the following post:

http://h30499.www3.hp.com/t5/System-Administration/last-command-amp-wtmps/td-p/4615210

In this post Robert Jan come up with a solution, but I woud like to understand the contents of the files, like the output of the :

/usr/sbin/acct/fwtmp < /var/adm/wtmp > /tmp/wtmp.tmp

I edit the file /tmp/wtmp.tmp and I found this:

esmd     esmd               2877 5 0000 0000 1254490132 Oct 2 15:28:52 2009
cimserve cim1               2878 5 0000 0000 1254490132 Oct 2 15:28:52 2009
sh       ems3               2879 5 0000 0000 1254490132 Oct 2 15:28:52 2009
sh       ems3               2879 8 0000 0000 1254490132 Oct 2 15:28:52 2009
p_client ems4               2882 5 0000 0000 1254490132 Oct 2 15:28:52 2009
icapd    icap               2883 5 0000 0000 1254490132 Oct 2 15:28:52 2009
utild    util               2884 5 0000 0000 1254490132 Oct 2 15:28:52 2009
krsd     krsd               2874 8 0011 0000 1254495221 Oct 2 16:53:41 2009
krsd     krsd               8950 5 0011 0000 1254495221 Oct 2 16:53:41 2009
utild    util               2884 8 0011 0000 1254495221 Oct 2 16:53:41 2009

Can someone explain what this means?

Regards

Re: decode contents of wtmp file

Dennis Handly — Thu, 01 Mar 2012 20:59:20 GMT

>/usr/sbin/acct/fwtmp < /var/adm/wtmp > /tmp/wtmp.tmp

You should be looking a wtmps, not wtmp. And you may need to use -X.

>I edit the file /tmp/wtmp.tmp and I found this:

All the way through or just after awhile?

Re: decode contents of wtmp file

NDO — Fri, 02 Mar 2012 06:56:23 GMT

I did use the -X but I had a successfully output when using lastb -X, and I had the same error when using last -X, which was :

last -X
Invalid record size. Unable to continue ...

Now when using :

>/usr/sbin/acct/fwtmps < /var/adm/wtmps > /tmp/wtmps.tmp

the contents of wtmps.tmp are:

13135 0 0000 63164 825438515 Feb 27 18:28:35 1996 127.255.214.224 5
                           2004842672 0 0000 0000 7 Jan 1 02:00:07 1970
                            808463924 11825 32000 0000 0 Jan 1 02:00:00 1970 0.0.0.1
                               0 0 0000 0000 0 Jan 1 02:00:00 1970 119.120.204.224
                               0 0 0000 0000 0 Jan 1 02:00:00 1970
                           -1065708960 0 0000 0000 0 Jan 1 02:00:00 1970 114.111.111.116
                               0 0 0000 0000 0 Jan 1 02:00:00 1970
                               0 0 0000 0000 0 Jan 1 02:00:00 1970
                               0 0 0000 0000 0 Jan 1 02:00:00 1970
                               0 0 0000 0000 0 Jan 1 02:00:00 1970
                           1718906980 12595 31465 34000 0 Jan 1 02:00:00 1970 127.255.214.228

                           -1073741824 0 1611 0000 0 Jan 1 02:00:00 1970
                               0 0 0000 0000 0 Jan 1 02:00:00 1970
                               0 0 0000 0000 0 Jan 1 02:00:00 1970 119.120.204.224
              `                0 0 0000 0016 0 Jan 1 02:00:00 1970
                               0 0 0000 0000 0 Jan 1 02:00:00 1970
                               0 0 0000 0000 0 Jan 1 02:00:00 1970
                               0 0 0000 0000 0 Jan 1 02:00:00 1970
                               0 0 0000 0000 0 Jan 1 02:00:00 1970
                            939589631 0 0000 0000 0 Jan 1 02:00:00 1970

Its a big file

regards

Fernando

Re: decode contents of wtmp file

NDO — Fri, 02 Mar 2012 07:08:40 GMT

Will it be possible to also list the IP´s of the pc/laptops that connected into the system successfully and those that did not managed to login?

regards

Fernando

Re: decode contents of wtmp file

Matti_Kurkela — Fri, 02 Mar 2012 08:28:23 GMT

You can find a description of the contents of the wtmp and wtmps files in the system man pages: please run "man 4 wtmp" and "man 4 wtmps", respectively.

The output of the fwtmp/fwtmps commands should normally be similar to the actual wtmp/wtmps file structure, but with all the binary fields translated into human-readable ASCII.

However, the error message "invalid record size" from the "last" command and the confused-looking contents of your wtmps.tmp file (Dates for year 1970?? Loopback IP addresses like 127.255.214.224???) suggest that your wtmps file was corrupted at some point.The corruption would cause the fwtmps tool to go out of sync with the entries and mis-interpret them.

If you want to extract meaningful information from the file, you may have to find the corrupted entry/entries in your original binary wtmps file and remove them (probably with some hex editor) and then re-run the file through the fwtmps command.

If the wtmps file is large, finding and recognizing the corrupted entries may be a difficult and tedious job.

Re: decode contents of wtmp file

NDO — Fri, 02 Mar 2012 09:12:54 GMT

Thank you for the explanation. The file is huge, I really need to find who logged in the last 20 days (their IP addresses)

regards

Re: decode contents of wtmp file

Dennis Handly — Fri, 02 Mar 2012 21:23:11 GMT

>I had the same error when using last -X, which was: Invalid record size. Unable to continue

The error won't go away since the file has been corrupted. You could use tusc to see how much of the file is bad.

>Now when using: /usr/sbin/acct/fwtmps < /var/adm/wtmps > /tmp/wtmps.tmp

>the contents of wtmps.tmp are:

13135 0 0000 63164 825438515 Feb 27 18:28:35 1996 127.255.214.224 5

Here you may have to use -X? The output seems bad at the start.

>The file is huge, I really need to find who logged in the last 20 days (their IP addresses)

You might want to look at some other topics with problems with wtmps and using dd(1) to fix them:

http://h30499.www3.hp.com/t5/System-Administration/who-r-not-working/m-p/5165196/

http://h30499.www3.hp.com/t5/System-Administration/last-returns-no-login-info/m-p/5269768/

What does "ll /var/adm/wtmps" show? You might be able to get the data at the end of the file.

Re: decode contents of wtmp file

NDO — Mon, 05 Mar 2012 12:11:51 GMT

I did try to use -X, but I had to cancel with ctrl + c because I had no response after quite a while.

>What does "ll /var/adm/wtmps" show? You might be able to get the data at the end of the file

it shows:

-rw-rw-r-- 1 adm adm 5770232 Mar 5 08:57 /var/adm/wtmps

it looks like the file has been writen to it. I will try and use the last 1000 lines of the wtmps file to read from it!!

regards

Re: decode contents of wtmp file

Dennis Handly — Tue, 06 Mar 2012 05:13:13 GMT

>I did try to use -X, but I had to cancel with control + c because I had no response after quite a while.

I have to use -X for 11.23 and 11.31 when using fwtmp(1m):

/usr/sbin/acct/fwtmp < /var/adm/wtmps

If you use tusc on last(1), you'll see this pattern before it aborts:

[11273] open("/var/adm/wtmps", O_RDONLY, 0) .............. = 4

...

[11273] read(4, "\0\00288", 4) ........................... = 4
[11273] lseek(4, 652, SEEK_SET) .......................... = 652
[11273] read(4, "\0\00288", 4) ........................... = 4
...

Now it prints it out by going backwards:
[11273] lseek(4, 67051684, SEEK_SET) ..................... = 67051684
[11273] read(4, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0".., 648) = 648

>-rw-rw-r-- 1 adm adm 5770232 Mar 5 08:57 /var/adm/wtmps

>I will try and use the last 1000 lines of the wtmps file to read from it.

The file is binary, there are no lines. You'll need to use dd(1) to copy from the end:

#!/usr/bin/ksh

# Dump out last 20 records of wtmps file

WTMP=/var/adm/wtmps

typeset -i wtmpsize=$(ll $WTMP | awk '{print $5 }')
typeset -i wtmprecord=$((648+4))
typeset -i wtmpdump=$((wtmprecord * 20))

echo "$wtmprecord: $((wtmpdump))"

# Add -v to not suppress duplicate lines
xd -tx4 -tc -j $(($wtmpsize - wtmpdump)) -N $((wtmpdump)) $WTMP

dd if=$WTMP of=wtmps.short bs=1 count=$wtmpdump skip=$(($wtmpsize - wtmpdump))

(You can comment out the xd(1) command if you aren't interested in the raw file format.)

And once you get wtmps.short you can check with:
$ /usr/sbin/acct/fwtmp -X < wtmps.short

And use last(1) to format it:
$ last -R -X -f wtmps.short

Re: decode contents of wtmp file

NDO — Tue, 06 Mar 2012 09:44:03 GMT

It worked out fine, (your script), but only a few records, I am really interested who logged in in mid January and February. Would it be possible to change your script to give that kind of output?

regards

Re: decode contents of wtmp file

Dennis Handly — Tue, 06 Mar 2012 09:58:24 GMT

>Would it be possible to change your script to give that kind of output?

Of course. The script documents what it does. If you want more than 20 records, just change the "20".

Re: decode contents of wtmp file

DBurton30 — Thu, 08 Mar 2012 17:13:40 GMT

With this being my first attempt to answer a question since the big change (old forums style to new), I hope this makes some sense, is readable, etc.

In the favorite sys admin scripts area:

http://h30499.www3.hp.com/t5/System-Administration/favorite-sysadmin-scripts-you-always-keep-around-2/m-p/4846799#M394272

A pretty smart guy named Kevin Tuitt put together a script to gather "last" data. That's if you have a good wtmp, etc. file(s). I think his file was called "audit". The above link, assuming it works, will get you to the spot. I can't see how to download the file in this forum but I'm sure there is a way.

Anyway, I use something like it which does basically:

TEMPDIR="/tmp"     ### A nice place to put files.
lastb    | sort > $TEMPDIR/lastbfile &
lastb -R | sort > $TEMPDIR/lastbrfile &
last     | sort > $TEMPDIR/lastfile   &
last -R | sort > $TEMPDIR/lastrfile

You can get login ID's, computere names or IP's (depends on your DNS settings I suppose), etc. Perhaps this can help you once your file(s) in question get fixed?

Re: decode contents of wtmp file

NDO — Fri, 09 Mar 2012 07:33:22 GMT

Hi!

Since the original wtmps file is corrupted can I use the command:

cat /dev/null > /var/adm/wtmps

to clear the contenst of wtmps and start from fresh?

regards

Re: decode contents of wtmp file

Dennis Handly — Fri, 09 Mar 2012 08:05:42 GMT

>can I use the command to clear the contents of wtmps and start from fresh?

Sure but your current file has useful info, if you want to spend time getting at it. I.e. make a copy first.

Also, you can just clear it with: > /var/adm/wtmps

Re: decode contents of wtmp file

NDO — Fri, 09 Mar 2012 08:46:24 GMT

Yes it does, but only from february this year and I have already made a copy of it.

regards