HPE Community
Operating System - HP-UX
1752577 Members
4602 Online
108788 Solutions
New Discussion юеВ

Re: last returns no login info

 
SOLVED
Go to solution
Michael Sillers
Trusted Contributor

тАО01-13-2011 07:40 AM

тАО01-13-2011 07:40 AM

last returns no login info

I am trying to use the last command and it returns only "wtmp begins Sat Feb 28 08:04". lastb seems to return into from this file (lastb -f /var/adm/wtmp) but it doesn't look right. Does anyone have any ideas how I can get the last login info?

Thanks.
0 Kudos
14 REPLIES 14
Rita C Workman
Honored Contributor

тАО01-13-2011 07:44 AM

тАО01-13-2011 07:44 AM

Solution

Re: last returns no login info

They may be corrupt. You could null them out...

> /var/adm/wtmp
> /var/adm/btmp

You didn't mention O/S version, so if it's 11.23 or 11.31 just make it wtmps/btmps

Regards,
Rita
0 Kudos
Mel Burslan
Honored Contributor

тАО01-13-2011 07:46 AM - last edited on тАО11-10-2011 09:19 AM by

тАО01-13-2011 07:46 AM - last edited on тАО11-10-2011 09:19 AM by

Re: last returns no login info

check the file sizes of wtmp and btmp files. if they are zero or close to zero, most probably they were not logging data for a while and what is inside these files (they are binary files and need additional applications to be read, not ascii text. Keep this in mind) is not of any use. If this is the case, just re-create the files with :

> wtmp
> btmp

commands. If you think that there still is some valuable data in them that you want to hang on to, please follow instructions of Robert Jan Gosseens in the following old post:

http://h30499.www3.hp.com/t5/System-Administration/corrupted-btmp-wtmp/m-p/3124344#M151595

 

hope this helps

________________________________
UNIX because I majored in cryptology...
0 Kudos
Michael Sillers
Trusted Contributor

тАО01-13-2011 09:03 AM

тАО01-13-2011 09:03 AM

Re: last returns no login info

Thanks for the responses. That got them last working again. fwtmp gives some info but a lot of gibberish so I don't think it will be useful. There are dates ranging from 1910 to 1970 which isn't particularly useful. Strange though - the same thing happened on two servers. Can anyone suggest a way to prevent this from happening?
0 Kudos
Mel Burslan
Honored Contributor

тАО01-13-2011 09:45 AM

тАО01-13-2011 09:45 AM

Re: last returns no login info

My advice would be taking nightly backup copies of these files and comparing making sure, every morning when you report to work, these files are still in good condition by running last and lastb commands. When you have a failure, you can go back to the file from a night ago, at the same time, investigate what happened and who messed with these files.

Unless they got huge (in the order of gigabytes) they do not get corrupted by themselves. Usually someone who doesn't really know what he or she is doing, who heard the login info kept in these files, trying to cover their tracks when they did something bad, might mess with the file assuming it is an ascii file, by trying to edit it with vi and saving it while in vi, end up corrupting the file.

Make sure you keep one or two day's worth of copies of these two files somewhere obscure and make sure their sizes don't get too big. Then you should be in good shape.
________________________________
UNIX because I majored in cryptology...
0 Kudos
Dennis Handly
Acclaimed Contributor

тАО01-14-2011 03:33 AM

тАО01-14-2011 03:33 AM

Re: last returns no login info

If you haven't nulled out the file, you might be able to recover the info. How important is it?
0 Kudos
Michael Sillers
Trusted Contributor

тАО01-14-2011 06:05 AM

тАО01-14-2011 06:05 AM

Re: last returns no login info

It would be nice to be able to recover the information. I have nulled it but not before making a backup.
0 Kudos
Michael Sillers
Trusted Contributor

тАО01-14-2011 06:08 AM

тАО01-14-2011 06:08 AM

Re: last returns no login info

I've just checked and the new file seems to have gone corrupt since I nulled it yesterday. I've attached a copy of the file in case anyone wants to take a look.
0 Kudos
Dennis Handly
Acclaimed Contributor

тАО01-15-2011 02:23 AM

тАО01-15-2011 02:23 AM

Re: last returns no login info

>I've attached a copy of the file

This is a binary file. How did you attach it?
Using xd(1) I see \r \n as if the file was sent to Windows as a text file, inserting CR before LF.
0 Kudos
Dennis Handly
Acclaimed Contributor

тАО01-15-2011 02:25 AM

тАО01-15-2011 02:25 AM

Re: last returns no login info

You neglected to mention your HP-UX version. it seems you are on 11.11 and you attached /var/adm/wtmp?
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.