wtmp and btmp.

Regular Advisor

wtmp and btmp.


Our systems are having large wtmp and moderate btmp files.

I would like to copy them to another machine and then give >wtmp and >btmp (null out the files)

What are the implication on doing this. I know this can be done without any problem but still wants to check with you people.

Respected Contributor

Re: wtmp and btmp.

Hi Nair,

Its ok to remove wtmp and btmp. These are for record keeping only. Also you can recreate them.

for wtmp

#touch /var/adm/wtmp
#chmod 664 /var/adm/wtmp
#chown adm:adm /var/adm/wtmp

for btmp

#touch /var/adm/btmp
#chmod 640 /var/adm/wtmp
#chown adm:adm /var/adm/wtmp

Hope that helps.


A. Clay Stephenson
Acclaimed Contributor

Re: wtmp and btmp.

The preferred way to do this is to use fwtmp to read the file and convert it to text. You then run awk, sed, or Perl against the text file throwing away records older than n days and then call fwtmp again to rewrite the text as binary. That's a better alternative than simply nulling out the file because you never now when it might be nice to look at the data. You might also save the purged entries to a log and replace the existing log each time the btmp_wtmp script is run. This make a nice little cronjob. Man fwtmp for details.
If it ain't broke, I can fix that.
Indira Aramandla
Honored Contributor

Re: wtmp and btmp.

Hi Nair,

btmp and wtmp files holds user and accounting information

btmp file contains bad login entries for each invalid logon attempt. File wtmp contains a record of all logins and logouts.

These files tend to grow without bound, and should be checked regularly. Information that is no longer useful should be removed periodically to prevent it from becoming too large.

You can use sam to trim the logs. Sam--Routine Tasks---System Log Files-----select /var/adm/wtmp and /var/admbtmp then from Action menu select trim to zero.

Note:- If these files are removed, record-keeping is turned off. Before triming the logs if you want to make a record of the incorrect / bad logins you can use fwtmp which reads from the wtmp file converting binary records to formatted ASCII records.

Also note that wtmp and btmp are not created by the programs that maintain them. Thus, if these files are removed, record-keeping is turned off.

fwtmp reads from the standard input and writes to the standard output, converting binary records of the type found in wtmp to formatted ASCII records. The ASCII version is useful to enable editing, via ed(1), bad records or general purpose maintenance of the file.

Indira A
Never give up, Keep Trying
Fred Ruffet
Honored Contributor

Re: wtmp and btmp.

You can use such a line in crontab :
00 23 * * 6 /usr/lib/acct/runacct 2>/usr/adm/acct/nite/fd2log

It will move those files content to accountting information in /var/adm/acct directory.



"Reality is just a point of view." (P. K. D.)
Peter Godron
Honored Contributor

Re: wtmp and btmp.

as all the above answers but please be aware thta you lose the login info, so things like who etc. may give yu bad results for a while.
I do like A. Clay Stephenson's suggestion.