HPE Community
Operating System - HP-UX
1755538 Members
4023 Online
108834 Solutions
New Discussion юеВ

wtmps file size

 
SOLVED
Go to solution
msaygak
Frequent Advisor

тАО04-16-2010 02:57 AM

тАО04-16-2010 02:57 AM

wtmps file size

hello!
I have wtmps file about 1,5G size, but 'last' command shows only about 150 entries. Why it so big?
0 Kudos
Reply
7 REPLIES 7
msaygak
Frequent Advisor

тАО04-16-2010 03:01 AM

тАО04-16-2010 03:01 AM

Re: wtmps file size

'strings' command shows a lot of 'dev/' strings. on other systems there are many different information in this file.
0 Kudos
Reply
Suraj K Sankari
Honored Contributor

тАО04-16-2010 03:04 AM

тАО04-16-2010 03:04 AM

Re: wtmps file size

Hi,

what is the output of
last -R

To nullify wtmp dont delete and recreate use
>wtmp

Suraj
0 Kudos
Reply
msaygak
Frequent Advisor

тАО04-16-2010 03:07 AM

тАО04-16-2010 03:07 AM

Re: wtmps file size

last -R shows mostly the same as last.
I've found possible reason of fast growing of wtmps -- system makes a lot of sftp connections, which possibly logged into wtmps.

How to prohibit sftp sessions logging?
0 Kudos
Reply
Dennis Handly
Acclaimed Contributor

тАО04-16-2010 03:09 AM

тАО04-16-2010 03:09 AM

Re: wtmps file size

>but last(1) command shows only about 150 entries. Why it so big?

Perhaps it is corrupted because you ran out of space once and last(1) stops too soon?
0 Kudos
Reply
msaygak
Frequent Advisor

тАО04-16-2010 03:33 AM

тАО04-16-2010 03:33 AM

Re: wtmps file size

it's not corrupted. I think, last shows only sessions, which requested shell. Incoming sftp sessions doesn't request shell, so last don't show them.
0 Kudos
Reply
Bill Hassell
Honored Contributor

тАО04-16-2010 04:06 AM

тАО04-16-2010 04:06 AM

Solution

Re: wtmps file size

Almost all the log files in HP-UX grow without bounds which means you must regularly look at /var/adm and /var/adm/syslog and also summarize the directories in /var like this:

du -kx /var | sort -rn | head -20

When a particular directory grows too large, cd to the directory and sort the files by size:

cd /var/adm
ll | sort -rnk5 | head -20

The /var/adm/wtmp* and /var/adm/btmp* files cannot be edited directly so the easiest is to simply remove all the records:

cat /dev/null > /var/adm/wtmpx
cat /dev/null > /var/adm/btmpx

(earlier versions of HP-UX will use wtmp and btmp). Do this when the system is not running any applications or has any users logged in.


Bill Hassell, sysadmin
Reply
Richard Pereira_1
Regular Advisor

тАО04-18-2010 12:38 PM

тАО04-18-2010 12:38 PM

Re: wtmps file size

One of my few annoyances with HP-UX are the many OS log files don't get rotated. Bill is correct about have to trim them often.

Another option (if you have many machines) could be to install a logrotate type service.

http://hpux.connect.org.uk/hppd/hpux/Sysadmin/logrotate-2.5/

And another option (again depending on the size and activity of your unix machines) would be to install or designate a server as a logging host. We do that here so we can trim syslog files but have a copy elsewhere for audit purposes. Check syslog's manpage and syslog-ng.
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.