Operating System - HP-UX

Cleaning up utmp/wtmp/btmp/utmpx/wtmpx and maintaining integrity

Jack C. Mahaffey
Super Advisor

Yes, I know this has been talked about for a gazillion times. I'm not sure I've come across the best solution yet, however, that keeps 'who' and 'last' working correctly.

Good old wtmp continues to grow and grow. There are numerous suggestions to 1) Truncate/null/zero out the file or 2) Convert the file to ascii, trim some rows, convert the file back to binary and replace.

I recall having problems with both methods in the past because both the who and last commands did not always return the correct data so I ended up deciding to only null out the files when I reboot.

Well, I have a server that's been up for 360 days and I do not really want to reboot. File is 70 MB.

Has anybody run into any tools or scripts that clean up the files and also ensure that the currently logged-in entries remain?

I'm really surprised that a tool or UNIX utility does not already exist.

Like I said earlier, zeroing out the files is not an option unless I reboot right after.

Thanks in advance.


jack...
Raj D.
Honored Contributor
Solution

Re: Cleaning up utmp/wtmp/btmp/utmpx/wtmpx and maintaining integrity

Hi Jack,

The /var/adm/wtmp file gets bigger in size, though the others are not much bigger.

It contains the last login data of users and accounting information. So you can copy it to another place, if you want, and nullify the file.

# cd /var/adm
# cp wtmp /otherplace
# > wtmp

Cheers,
Raj.
" If u think u can , If u think u cannot , - You are always Right . "
Raj D.
Honored Contributor

Re: Cleaning up utmp/wtmp/btmp/utmpx/wtmpx and maintaining integrity

Jack,

Another safer method is:


# cd /var/adm
# cat /dev/null > wtmp
# cat /dev/null > btmp

Cheers,
Raj.
" If u think u can , If u think u cannot , - You are always Right . "
Jack C. Mahaffey
Super Advisor

Re: Cleaning up utmp/wtmp/btmp/utmpx/wtmpx and maintaining integrity

Raj, as I mentioned in my post, I believe we had problems before when we just zeroed out the file. Could I be thinking of the utmp file?


I remember the who command not working when we zeroed out the file.

jack...
DCE
Honored Contributor

Re: Cleaning up utmp/wtmp/btmp/utmpx/wtmpx and maintaining integrity

Jack,

I know a lot of people will not use SAM on general principle, but there is a selection in one of the SAM menus to trim log files. You could go through the exercise in SAM and then look at the SAM log to get the exact commands.

Dave
Rick Garland
Honored Contributor

Re: Cleaning up utmp/wtmp/btmp/utmpx/wtmpx and maintaining integrity

If you null these files then the commands will not return any values. The commands (such as 'who' or 'last') would still work but the files are 0 bytes.

A reboot is not required after null'ing the files.

Save off an ASCII version of the file(s). Then null the file. Issue the who or last command - the output should be nothing.

Convert the ASCII file back to binary format, then issue the who or last command. You should get the output as expected, as there is now data in these file(s).


wtmp - a system audit file
Stores the LAST info
Stored in BINARY format
To convert to ASCII: /usr/sbin/acct/fwtmp -X < wtmps > wtmps.rdg
This will store the data in ASCII format in the wtmps.rdg file.
To convert to binary: /usr/sbin/acct/fwtmp -ic < wtmps.rdg > wtmps
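
The copy, convert, trim and convert-back procedure discussed in the posts above, as an added example that is not from any poster in this thread. `trim_wtmp`, `FWTMP` and `ARCHIVE_DIR` are hypothetical names, the archive path is an assumption, and the sketch assumes fwtmp writes one record per ASCII line (the wtmps/btmps files would need the `-X` flag mentioned above).

```shell
#!/bin/sh
# Added sketch: archive a login accounting file, then keep its newest records.
# FWTMP, ARCHIVE_DIR and trim_wtmp are hypothetical names for this example.
FWTMP=${FWTMP:-/usr/sbin/acct/fwtmp}               # converter from the thread
ARCHIVE_DIR=${ARCHIVE_DIR:-/var/adm/wtmp.archive}  # assumed archive location

# trim_wtmp FILE KEEP: keep the last KEEP records of FILE, print archive path.
# The body is a subshell so umask and exit do not leak into the caller.
trim_wtmp() (
    file=$1 keep=$2
    [ -f "$file" ] || { echo "no such file: $file" >&2; exit 1; }
    case $keep in
        ''|*[!0-9]*) echo "KEEP must be a number" >&2; exit 1 ;;
    esac

    umask 077                        # archive and work file: owner-only
    mkdir -p "$ARCHIVE_DIR" || exit 1
    archive=$ARCHIVE_DIR/$(basename "$file").$(date +%Y%m%d%H%M%S)
    work=$ARCHIVE_DIR/.trim.$$

    # 1. Preserve the full history first, plus a checksum to detect changes.
    cp -p "$file" "$archive" || exit 1
    chmod 600 "$archive"
    cksum "$archive" > "$archive.cksum"

    # 2. Binary -> ASCII (assumed one record per line), keep the newest KEEP
    #    lines, ASCII -> binary. Read from the archive, not the live file.
    "$FWTMP" < "$archive" | tail -n "$keep" | "$FWTMP" -ic > "$work"

    # 3. Refuse to replace the live file with empty output (failed conversion).
    [ -s "$work" ] || { rm -f "$work"; echo "conversion failed" >&2; exit 1; }

    # 4. Overwrite in place so the inode, owner and mode stay the same.
    #    Records appended after step 1 are missing from both copies.
    cat "$work" > "$file"
    rm -f "$work"
    echo "$archive"
)
```

Called as `trim_wtmp /var/adm/wtmp 5000`, it leaves the full history in the archive directory, so `last -f` against the archived copy still answers questions about older logins.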
Raj D.
Honored Contributor

Re: Cleaning up utmp/wtmp/btmp/utmpx/wtmpx and maintaining integrity

Hi Jack,

You should not make the utmp file null.
This contains a record of all users logged onto the system. It's usually 1KB to 2KB in size.

And you can null the other files, wtmp and btmp, which grow quite big and keep records of logins and logouts and, for btmp, bad logins.

So if you make "/etc/utmp" null, who and last may not work correctly, and you need to reboot then. So be careful.


Cheers,
Raj.
" If u think u can , If u think u cannot , - You are always Right . "
Devender Khatana
Honored Contributor

Re: Cleaning up utmp/wtmp/btmp/utmpx/wtmpx and maintaining integrity

Hi,

Normally when only a few users are logged into the system then nulling out should not cause any problems in last command.

However, with an uptime of 360 days, the file size of 70MB for /var/adm/wtmp means the no. of users logging in is quite high.

You should try the same operation using
SAM-> Routine Tasks->System Log Files->Select /var/adm/wtmp and from actions Trim to Zero.

It does not show any errors in the last command when I trimmed it using SAM.

Try the same and share the results.

HTH,
Devender
Impossible itself mentions "I m possible"
Bob_Vance
Esteemed Contributor

Re: Cleaning up utmp/wtmp/btmp/utmpx/wtmpx and maintaining integrity

There is no need to 'rm', 'mv', or truncate utmp -- it does not grow boundlessly. You *can* 'rm /etc/utmp', but you will lose your 'who' info, including 'who -r'. Anyone that logs in thereafter will be shown, but any prior users will not be shown. The first couple of entries are not just regular user entries and the file is kept open by 'init' and 'ptydaemon'. 'last' doesn't use utmp, but 'who' does.

You'll notice the /etc/utmp is a simple file in / (this would not be allowed by good design if it could grow large), while btmp and wtmp are actually symlinks into /var/adm, presumably anticipating possible boundless growth -- usually /var has plenty free space.


bv




"The lyf so short, the craft so long to lerne." - Chaucer