Jag_13
New Member

wtmp corrupt

Hi Friends,
We have encountered some unwanted logins to one of our servers. From the sulog, I can identify the user, but I want to get the logout time of the user.
The problem I am facing is that the /var/adm/wtmp file is about 200MB, and when issuing the "last" command it gives a core dump error.

What I did:
I used /usr/sbin/acct/fwtmp to get an ASCII version of the wtmp file and then found the line below in the generated ASCII file.
What is mentioned below is on a single line; when pasting here it comes out on two lines.

1932421231 25390 66141 72164 182203712 Oct 10 20:08:32 1975 51.51.0.0 adminuser

Questions:
1) What do the fields indicate?
2) What does the 1975 indicate? It is definitely not the year.
Is there any other way to get the logout times of the users?
Or can I slice this wtmp file and do a last -f (sliced files)? Will it work?

Thanks in advance...
Pat Lieberg
Valued Contributor

Re: wtmp corrupt

You are probably seeing 1975 because wtmp is a binary file and when you converted it to ASCII, the corrupted line was interpreted as 1975. Just a best guess.

I've never tried to read a sliced file, so am not sure of the results.
James R. Ferguson
Acclaimed Contributor

Re: wtmp corrupt

Hi Jag:

I'm not positive about the order of the fields in the decoded file, but you can get a sense by looking at '/usr/include/utmp.h'.

The value of 182203712 is the epoch seconds equating to Oct 10, and that does equate to the year 1975. Your file is probably corrupt, so take things as they are. The string of '51.51.0.0' appears to be a network address.

Regards!

...JRF...
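To make the two answers above concrete, here is an added example (not code from the thread, HP-UX or the acct tools). It takes fwtmp-style ASCII records, finds the numeric ut_time by the ctime-style date that fwtmp prints right after it, confirms that 182203712 really is 10 Oct 1975 20:08:32 UTC, flags records whose timestamp falls outside the window the file is known to cover as suspect, and then does what last(1) does on the remaining records: pairs each USER_PROCESS login with the next DEAD_PROCESS on the same line to get the logout time. The field order used for the constructed sample (user, id, line, pid, type, epoch, text date, host) is an assumption for illustration only; the real order must be taken from /usr/include/utmp.h as JRF says. Once the suspect lines are removed, fwtmp's ASCII-to-binary mode (see the fwtmp man page) can rebuild a file that last -f will read.

```python
"""Triage fwtmp-style ASCII wtmp records and pair logins with logouts.

Added example, not code from the thread or from HP-UX.  Two assumptions:
(1) fwtmp prints the numeric ut_time immediately followed by its
    'Mon DD HH:MM:SS YYYY' text, as in the line quoted in the thread;
(2) the constructed SAMPLE below uses an ASSUMED field order
    user id line pid type epoch 'Mon DD HH:MM:SS YYYY' host.
Only (1) is needed for the timestamp check; (2) is needed for pairing.
"""
import re
from datetime import datetime, timezone

# ctime-style date as fwtmp renders it, after whitespace-splitting and rejoining.
DATE_RE = re.compile(r"^[A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2} \d{4}$")

# ut_type values from utmp.h (standard on SVR4-derived systems).
USER_PROCESS = 7
DEAD_PROCESS = 8


def find_epoch(tokens):
    """Return (index, epoch) of the integer token directly followed by a
    ctime-style date, or None when the record has no such pair (which is
    itself a sign of corruption)."""
    for i in range(len(tokens) - 4):
        if tokens[i].isdigit() and DATE_RE.match(" ".join(tokens[i + 1:i + 5])):
            return i, int(tokens[i])
    return None


def utc_epoch(year, month, day):
    """Epoch seconds for midnight UTC on the given date."""
    return int(datetime(year, month, day, tzinfo=timezone.utc).timestamp())


def epoch_to_utc(epoch):
    """Render ut_time as 'YYYY-MM-DD HH:MM:SS' in UTC."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def classify(lines, lo_epoch, hi_epoch):
    """Split decoded records into (plausible, suspect).

    A record is suspect when it has no recognisable timestamp or when its
    epoch lies outside [lo_epoch, hi_epoch], the interval the file is known
    to cover (e.g. previous wtmp rotation to the file's mtime).  Damage to
    the binary file typically surfaces this way, as the 1975 date does.
    """
    good, suspect = [], []
    for line in lines:
        found = find_epoch(line.split())
        if found is None or not lo_epoch <= found[1] <= hi_epoch:
            suspect.append(line)
        else:
            good.append(line)
    return good, suspect


def parse_record(line):
    """(user, line, ut_type, epoch) under the ASSUMED sample field order."""
    t = line.split()
    return t[0], t[2], int(t[4]), int(t[5])


def sessions(records):
    """Pair each USER_PROCESS with the next DEAD_PROCESS on the same line.

    Returns (user, line, login_epoch, logout_epoch_or_None) tuples in
    login order; None means no logout record was found (still logged in,
    or the logout record is among the suspect lines).
    """
    open_by_line, out = {}, []
    for user, line, ut_type, epoch in records:
        if ut_type == USER_PROCESS:
            open_by_line[line] = len(out)
            out.append([user, line, epoch, None])
        elif ut_type == DEAD_PROCESS and line in open_by_line:
            out[open_by_line.pop(line)][3] = epoch
    return [tuple(s) for s in out]


# Constructed sample, not real data; second line is the one from the thread.
SAMPLE = [
    "adminuser ts01 pts/1 4021 7 1191960000 Oct 9 20:00:00 2007 10.0.0.5",
    "1932421231 25390 66141 72164 182203712 Oct 10 20:08:32 1975 51.51.0.0 adminuser",
    "adminuser ts01 pts/1 4021 8 1191963600 Oct 9 21:00:00 2007 10.0.0.5",
    "ops ts02 pts/2 4100 7 1191970800 Oct 9 23:00:00 2007 10.0.0.7",
]

if __name__ == "__main__":
    good, suspect = classify(SAMPLE, utc_epoch(2007, 10, 1), utc_epoch(2007, 10, 31))
    for s in suspect:
        found = find_epoch(s.split())
        print("SUSPECT:", s, "->", epoch_to_utc(found[1]) if found else "no timestamp")
    for user, line, login, logout in sessions(parse_record(l) for l in good):
        out = epoch_to_utc(logout) if logout else "still logged in"
        print(f"{user:10} {line:8} in {epoch_to_utc(login)}  out {out}")
```

On a real file, feed `classify` the fwtmp output line by line and set the window from the date of the last wtmp rotation and the file's mtime; anything that lands outside it is what made `last` fall over, and the good lines are what you convert back to binary for `last -f`.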