HPE Community
Operating System - HP-UX
1834722 Members
2672 Online
110069 Solutions
New Discussion

last command shows the user even though user has logged out

 
maheswaran
New Member

‎08-29-2007 05:30 AM

‎08-29-2007 05:30 AM

last command shows the user even though user has logged out

The "last" command which show the last users being logged into the server is showing users still logged in while there are not.could you pls anyone update me whether any fix is avaliable to solve this time.
0 Kudos
Reply
5 REPLIES 5
A. Clay Stephenson
Acclaimed Contributor

‎08-29-2007 05:40 AM

‎08-29-2007 05:40 AM

Re: last command shows the user even though user has logged out

Last and who should be thought of as the system's "best guess" because they are based upon utmp and wtmp entries. You can use the fwtmp andor wtmpfix to repair the files. In the case of fwtmp you read the file out in ASCII format, edit it, and read your ASCII file to recreate the binary file. Man fwtmp for deatils.

I consider this pretty much a waste of time because using who/last to determine users on the systems is not very reliable --- and this applies to all flavors of UNIX. The process table (ps) is really the reliable method.
If it ain't broke, I can fix that.
0 Kudos
Reply
skt_skt
Honored Contributor

‎08-29-2007 06:46 AM

‎08-29-2007 06:46 AM

Re: last command shows the user even though user has logged out

Try this way if at all you want to try the fix.Keep in mind that the month end is near; You may try this later eevn though this is a tested procedure

1. Ensure that the wtmp file is not corrupt by running a last on your user id:

# last ` who am i `

2. Convert the wtmp file to ascii into a file system that has sufficient space:

# cat /var/adm/wtmp | /usr/sbin/acct/fwtmp > /tmp/ascii_wtmp

3. Determine the number of lines in the ascii file, take 10% of that value, and subtract that from total number of lines:

# lines=`cat /tmp/ascii_wtmp | wc -l`;lines2=`expr $lines / 10`; export lines3=`expr $lines - $lines2`;echo $lines3

4. Start the ascii file from the line number given as output from the above command:

# awk ' ( NR > '$lines3' ) ' /tmp/ascii_wtmp > /tmp/ascii_wtmp2

5. Convert the trimmed ascii file back to binary in place of the original wtmp:

# cat /tmp/ascii_wtmp2 | /usr/sbin/acct/fwtmp -ic > /var/adm/wtmp

6. Verify that the operation was successful

# ll /var/adm/wtmp

# last ` who am i `


0 Kudos
Reply
Steven E. Protter
Exalted Contributor

‎08-29-2007 07:34 AM

‎08-29-2007 07:34 AM

Re: last command shows the user even though user has logged out

Shalom,

As noted who and derivitives are m much better.

Note that if you never trim your wtmp file, it can get bit and make the chances of a false reading like this go up.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
whiteknight
Honored Contributor

‎08-29-2007 02:42 PM

‎08-29-2007 02:42 PM

Re: last command shows the user even though user has logged out

Hi Maheswaran,

You may backup the btmp and wtmp files so you would have the login information
and then remove these files from the system. It is recommended to first see
how fast the files grow, and then schedule a cron job to backup and trim the
files.

wtmp and btmp can be zeroed out using the following:

cat /dev/null > /var/adm/wtmp
cat /dev/null > /var/adm/btmp

Rather than using the commands: rm, touch, chmod, chown, chgrp in order to
create an empty file, the cat /dev/null technique retains all the
characteristics of the old file. Note that zeroing /var/adm/wtmp on a running
system may cause errors to be reported from the who command. These
errors are caused by who not finding the users currently logged in.
The best way to trim /var/adm/wtmp is to do it in single user mode. Do not
zero the /etc/utmp...this is done automatically.

or
You can also use
SAM -> Routine Tasks -> System Log Files
to trim wtmp, btmp and other log files.


WK
please assign points
Problem never ends, you must know how to fix it
0 Kudos
Reply
MarkSyder
Honored Contributor

‎08-29-2007 07:16 PM

‎08-29-2007 07:16 PM

Re: last command shows the user even though user has logged out

If you like shortcuts:

> /var/adm/wtmp

does exactly the same as cp /dev/null etc.

Mark Syder (like the drink but spelt different)
The triumph of evil requires only that good men do nothing
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.