>I did try to use -X, but I had to cancel with control + c because I had no response after quite a while.
I have to use -X for 11.23 and 11.31 when using fwtmp(1m):
/usr/sbin/acct/fwtmp < /var/adm/wtmps
If you use tusc on last(1), you'll see this pattern before it aborts:
[11273] open("/var/adm/wtmps", O_RDONLY, 0) .............. = 4
...
[11273] read(4, "\0\00288", 4) ........................... = 4
[11273] lseek(4, 652, SEEK_SET) .......................... = 652
[11273] read(4, "\0\00288", 4) ........................... = 4
...
Now it prints it out by going backwards:
[11273] lseek(4, 67051684, SEEK_SET) ..................... = 67051684
[11273] read(4, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0".., 648) = 648
>-rw-rw-r-- 1 adm adm 5770232 Mar 5 08:57 /var/adm/wtmps
>I will try and use the last 1000 lines of the wtmps file to read from it.
The file is binary, there are no lines. You'll need to use dd(1) to copy from the end:
#!/usr/bin/ksh
# Dump out last 20 records of wtmps file
WTMP=/var/adm/wtmps
typeset -i wtmpsize=$(ll $WTMP | awk '{print $5 }')
typeset -i wtmprecord=$((648+4))
typeset -i wtmpdump=$((wtmprecord * 20))
echo "$wtmprecord: $((wtmpdump))"
# Add -v to not suppress duplicate lines
xd -tx4 -tc -j $(($wtmpsize - wtmpdump)) -N $((wtmpdump)) $WTMP
dd if=$WTMP of=wtmps.short bs=1 count=$wtmpdump skip=$(($wtmpsize - wtmpdump))
(You can comment out the xd(1) command if you aren't interested in the raw file format.)
And once you get wtmps.short you can check with:
$ /usr/sbin/acct/fwtmp -X < wtmps.short
And use last(1) to format it:
$ last -R -X -f wtmps.short
