HPE Community
Operating System - HP-UX
1830643 Members
3141 Online
110015 Solutions
New Discussion

wtmp error

 
ahlan
Advisor

‎12-02-2008 01:29 AM

‎12-02-2008 01:29 AM

wtmp error

My last command only shows details of logins from last month.

Check on the timestamp shows that the wtmp file was just edited as I login to the server. I tried wtmpfix and got an error. How do I proceed from here?

#wtmpfix < /var/adm/wtmp
Bad file at offset 1712100


0 Kudos
Reply
7 REPLIES 7
Prasu
Frequent Advisor

‎12-02-2008 01:38 AM

‎12-02-2008 01:38 AM

Re: wtmp error

Hi,

Check whether the wtmp has been flushed before one month ?

Also chec this

# strings wtmp | more


Regards
Prasu
0 Kudos
Reply
ahlan
Advisor

‎12-02-2008 01:42 AM

‎12-02-2008 01:42 AM

Re: wtmp error

Hi Prasu,

wtmp was not flushed.
I get records from Feb till Nov 23rd. I tried logging in and out and the file size increases and time stamp changes.

But when I did a last the latest record was only on 23rd Nov.

0 Kudos
Reply
Dennis Handly
Acclaimed Contributor

‎12-02-2008 02:31 AM

‎12-02-2008 02:31 AM

Re: wtmp error

>My last(1) command only shows details of logins from last month.

So how much time are you willing to spend to fix it?

>Check on the timestamp shows that the wtmp file was just edited as I login to the server. I tried wtmpfix and got an error. How do I proceed from here?

How much is this worth, compared to fiddling with it?
Why not toss it and use the backup wtmp?
$ who /var/adm/wtmp
$ last -f /var/adm/wtmp
$ /usr/sbin/acct/fwtmp -X < /var/adm/wtmps
$ /usr/sbin/acct/fwtmp < /var/adm/wtmp
0 Kudos
Reply
ahlan
Advisor

‎12-02-2008 04:52 AM

‎12-02-2008 04:52 AM

Re: wtmp error

Hi Dennis,

It is really worth as much time as I can have to troubleshoot it. Not that I would want to but with an auditor rushing down my neck you think I have a choice?
0 Kudos
Reply
Dennis Handly
Acclaimed Contributor

‎12-02-2008 09:40 PM

‎12-02-2008 09:40 PM

Re: wtmp error

>It is really worth as much time as I can have to troubleshoot it.

Have you tried any of my 4 suggestions?
Also what OS version are you using? 11.11 doesn't have wtmps.

>Not that I would want to but with an auditor rushing down my neck you think I have a choice?

I was wondering if it is worth paying something like a data recovery service for bad disks?

Not that fixing your wtmp files is that hard.

Are you saying you are missing from Nov 23 to today?
0 Kudos
Reply
ahlan
Advisor

‎12-02-2008 10:14 PM

‎12-02-2008 10:14 PM

Re: wtmp error

Hi Dennis,

I am running 11.11 and yes I can't see and logins from Nov 23 till today.

below are the outputs I got from you commands.

$ who /var/adm/wtmp (last line)
oracle92 ftpd17498 Nov 23 20:01

$ last -f /var/adm/wtmp (first line)
oracle92 ftp Sun Nov 23 20:01 - 20:01 (00:00)

$ /usr/sbin/acct/fwtmp < /var/adm/wtmp (last few lines)
031 0.8.0.0 pts/tc
0 28530 60543 66145 805306368 Jul 10 00:12:48 1995 0.8.0.0 pts/0
0 28530 60543 66145 1718906880 Jun 21 02:08:00 2024 0.7.0.0 ftpd15442
nagi os 0 0 0000 0000 1718906880 Jun 21 02:08:00 2024 0.8.0.0 ftpd15442
0 19535 43511 47000 1952645120 Nov 17 09:25:20 2031 0.6.0.0 pts/tc
nagi os 174338829 24932 71151 60556 1952645120 Nov 17 09:25:20 2031 0.7.0.0 pts/tc

0 Kudos
Reply
Dennis Handly
Acclaimed Contributor

‎12-03-2008 02:44 AM

‎12-03-2008 02:44 AM

Re: wtmp error

>below are the outputs I got from your commands.

Both who(1) and last(1) stop when they get to the file corruption.

The fwtmp output seems to be bad. Did it increment smoothly until Nov 23, then repeat bad dates where it has July, then June?

It appears there is a problem in the file, probably at offset 1712100?

You would have to get a hex/ascii dump of the file and analyze the pattern. Do you know any C programming?
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.