SUMMARY: trimming /var/adm/wtmp

From: Mona Wong (mona@szechuan.UCSD.EDU)
Date: Wed Apr 12 1995 - 14:24:31 CDT


Original posting:

> Hi sun managers:
>
> How do you trim /var/adm/wtmp? It is a binary file.
>
> Mona Wong
> UCSD
>

        I wanted to be able to do this using crontab, so I've combined several
        suggestions and came up with:

        /usr/lib/acct/fwtmp < /var/adm/wtmp > /tmp/wtmp.ascii
        tail -500 /tmp/wtmp.ascii > /tmp/wtmp.500
        /usr/lib/acct/fwtmp -ci < /tmp/wtmp.500 > /var/adm/wtmp
        rm /tmp/wtmp.ascii
        rm /tmp/wtmp.500
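
An added example, not part of the original posting or any of the replies: a rotation script that keeps the last N records as the summary above does, but archives the full file first (wtmp is login history, so the old copy is kept for audit, as Brent and Don suggest below) and cuts on record boundaries with dd instead of converting through fwtmp. It assumes the caller supplies sizeof(struct utmp) for the target system (take it from the target's utmp.h; 384 on glibc); the trim_wtmp name and the archive directory are assumptions.

```sh
#!/bin/sh
# Added example: keep the last KEEP records of a wtmp-style file.
# wtmp is a flat array of fixed-size struct utmp records, so dd with
# bs=<record size> cuts it on record boundaries; tail(1) cannot, as it
# looks for newlines inside binary data.
# Assumptions (not from the posting): RECSIZE is sizeof(struct utmp)
# on the target system; the file is replaced by rename so there is no
# moment where it is empty or half-written.
set -eu

# usage: trim_wtmp FILE RECSIZE KEEP ARCHIVEDIR
trim_wtmp() {
    file=$1; recsz=$2; keep=$3; archdir=$4
    size=$(wc -c < "$file")
    if [ $(( size % recsz )) -ne 0 ]; then
        echo "$file: $size bytes is not a whole number of $recsz-byte records; refusing" >&2
        return 1
    fi
    total=$(( size / recsz ))
    if [ "$total" -gt "$keep" ]; then
        skip=$(( total - keep ))
    else
        skip=0
    fi

    # 1. Archive the untrimmed file first: it is login audit history.
    mkdir -p "$archdir"
    cp -p "$file" "$archdir/wtmp.$(date +%Y%m%d%H%M%S)"

    # 2. Write the kept records to a private temp file on the same
    #    filesystem, then rename it over the original in one step.
    tmp=$(mktemp "$(dirname "$file")/.wtmp.XXXXXX")
    dd if="$file" of="$tmp" bs="$recsz" skip="$skip" 2>/dev/null
    chmod 0644 "$tmp"
    mv -f "$tmp" "$file"
}

# e.g. as a monthly root cron job (record size from your utmp.h):
#   trim_wtmp /var/adm/wtmp 384 500 /var/adm/wtmp-archive
```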

Thanks to those who responded:

irana@hydres.co.uk
droletb@CCG.RNCan.gc.ca
root@wisdom.maf.nasa.gov
vpopa@wbst845e.xerox.com
listerrj@sun.aston.ac.uk
wrpfarn@sandia.gov
ddq251f@shoes.Bell-Atl.Com
bmecca@ralph.wea.com
bchivers@karoshi.mitre.org
27929@labatt.com
anderson@neon.mitre.org
dave%endeavour.exar.com@exar.com
dfalk@sqwest.bc.ca
don@alaska.opensys.com
sunlist@mendel.UCSC.EDU

=====================================================================
In my experience you need to remove it and remove
/var/adm/wtmp and /var/adm/wtmpx. You can recreate
them should you need to.

Under Solaris 2.3 the file /var/adm/wtmpx takes up a lot
of space. You may find that when you delete the file it is
recreated with the original file size.

Solution:

/var/adm/wtmpx is the extended wtmp file. Delete or truncate
this file without deleting or truncating the /var/adm/wtmp file.
Then the file will be recreated with the information from wtmp
when the next user logs in or root runs "who /var/adm/wtmp" or
last.

To get rid of this info. and stop the logging completely, remove
/var/adm/wtmpx and /var/adm/wtmp.

Hope this helps

Irana

Irana also suggested the C library function truncate().
=====================================================================
Hi,

I'm using a small C program to trim /var/adm/wtmp and wtmpx.

I got those programs from someone on the Internet... I'm running them
every month.

Hope it helps!

--
Simon-Bernard Drolet                E-mail: bernard.drolet@CCG.RNCan.gc.ca
Unix Systems Administrator          Tel:    (819) 564-5600 ext.4819
Centre Canadien de Geomatique       Fax:    (819) 564-5698
2144 King Ouest, suite 010, Sherbrooke, Quebec, Canada, J1J 2E8
----------
X-Sun-Data-Name: wtmpcut.c

/*----------------------------------------------------------------------*
 *                                                                      *
 * Description: Source of the executable /equipe/sysadmin/bin/wtmpcut,  *
 *              which shrinks /var/adm/wtmp by removing every entry     *
 *              older than a number of days given as a parameter. If    *
 *              no parameter is given, a default value (DELAIS) is used.*
 *                                                                      *
 *----------------------------------------------------------------------*/

#include <stdio.h>
#include <stdlib.h>      /* atoi, exit, putenv, system */
#include <unistd.h>      /* read, write, close */
#include <sys/types.h>
#include <fcntl.h>
#include <utmp.h>
#include <time.h>
#include <errno.h>

#define DELAIS (time_t) (90)    /* in days */

int main(int argc, char **argv)
{
    struct utmp wtmp_rec;
    int old_fd, new_fd;
    int wtmp_rec_sz = sizeof(struct utmp);
    time_t periode, temps_limite;

    if (argc > 1)
        periode = (time_t) atoi(argv[1]);
    else
        periode = DELAIS;

    /*
     * Copy /var/adm/wtmp to /tmp/wtmp.
     * system() returns the command's exit status, so any non-zero value
     * means the copy failed; the original test (< 0) only caught a
     * failure to start the shell. Note that /tmp/wtmp is a fixed name
     * in a world-writable directory, which is a symlink risk for a
     * program run as root.
     */
    putenv("IFS=' \t\n'");      /* Security */
    putenv("PATH=/usr/bin");    /* Security */
    if (system("cp /var/adm/wtmp /tmp/wtmp") != 0) {
        fprintf(stderr, "%s: Erreur en copiant wtmp dans /tmp.\nBye.\n",
                argv[0]);
        exit(1);
    } /* if */

    /*
     * Compute the cutoff time as a time_t
     */
    temps_limite = time(NULL) - (periode * 24 * 3600);
    fprintf(stdout, "\n%s: la date limite est %s\n",
            argv[0], asctime(localtime(&temps_limite)));

    /*
     * Open the copy of wtmp for reading. This is done before the real
     * file is truncated, so a failure here does not leave wtmp empty.
     */
    if ((old_fd = open("/tmp/wtmp", O_RDONLY)) < 0) {
        fprintf(stderr, "%s: Erreur %d d'ouverture de /tmp/wtmp.\nBye.\n",
                argv[0], errno);
        exit(1);
    } /* if */

    /*
     * Open the new wtmp for writing, truncating it
     */
    if ((new_fd = open("/var/adm/wtmp", O_WRONLY | O_TRUNC)) < 0) {
        fprintf(stderr, "%s: Erreur %d d'ouverture de /var/adm/wtmp.\nBye.\n",
                argv[0], errno);
        exit(1);
    } /* if */

    /*
     * Starting from the beginning of the file, compare the dates and
     * drop the records that are too old. Once a record falls inside
     * the period, it and all the records after it are kept in
     * /var/adm/wtmp (the file is assumed to be in chronological order).
     */
    while (read(old_fd, &wtmp_rec, wtmp_rec_sz) == wtmp_rec_sz) {
        if (wtmp_rec.ut_time >= temps_limite) {
            do {
                if (write(new_fd, &wtmp_rec, wtmp_rec_sz) != wtmp_rec_sz) {
                    fprintf(stderr, "%s: Erreur %d d'ecriture du record.\nBye.\n",
                            argv[0], errno);
                    exit(1);
                } /* if */
            } while (read(old_fd, &wtmp_rec, wtmp_rec_sz) == wtmp_rec_sz);
        } /* if */
    } /* while */

    close(old_fd);
    close(new_fd);
    exit(0);    /* Graceful exit */

} /* main() */
----------
X-Sun-Data-Name: wtmpxcut.c

/*----------------------------------------------------------------------*
 *                                                                      *
 * Description: Source of the executable /equipe/sysadmin/bin/wtmpxcut, *
 *              which shrinks /var/adm/wtmpx by removing every entry    *
 *              older than a number of days given as a parameter. If    *
 *              no parameter is given, a default value (DELAIS) is used.*
 *                                                                      *
 *----------------------------------------------------------------------*/

#include <stdio.h>
#include <stdlib.h>      /* atoi, exit, putenv, system */
#include <unistd.h>      /* read, write, close */
#include <sys/types.h>
#include <fcntl.h>
#include <utmpx.h>
#include <time.h>
#include <errno.h>

#define DELAIS (time_t) (30)    /* in days */

int main(int argc, char **argv)
{
    struct utmpx wtmpx_rec;
    int old_fd, new_fd;
    int wtmpx_rec_sz = sizeof(wtmpx_rec);
    time_t periode, temps_limite;

    if (argc > 1)
        periode = (time_t) atoi(argv[1]);
    else
        periode = DELAIS;

    /*
     * Copy /var/adm/wtmpx to /tmp/wtmpx.
     * system() returns the command's exit status, so any non-zero value
     * means the copy failed; the original test (< 0) only caught a
     * failure to start the shell. As in wtmpcut, the fixed name in /tmp
     * is a symlink risk for a program run as root.
     */
    putenv("IFS=' \t\n'");      /* Security */
    putenv("PATH=/usr/bin");    /* Security */
    if (system("cp /var/adm/wtmpx /tmp/wtmpx") != 0) {
        fprintf(stderr, "%s: Erreur en copiant wtmpx dans /tmp.\nBye.\n",
                argv[0]);
        exit(1);
    } /* if */

    /*
     * Compute the cutoff time as a time_t
     */
    temps_limite = time(NULL) - (periode * 24 * 3600);
    fprintf(stdout, "\n%s: la date limite est %s\n",
            argv[0], asctime(localtime(&temps_limite)));

    /*
     * Open the copy of wtmpx for reading. This is done before the real
     * file is truncated, so a failure here does not leave wtmpx empty.
     */
    if ((old_fd = open("/tmp/wtmpx", O_RDONLY)) < 0) {
        fprintf(stderr, "%s: Erreur %d d'ouverture de /tmp/wtmpx.\nBye.\n",
                argv[0], errno);
        exit(1);
    } /* if */

    /*
     * Open the new wtmpx for writing, truncating it
     */
    if ((new_fd = open("/var/adm/wtmpx", O_WRONLY | O_TRUNC)) < 0) {
        fprintf(stderr, "%s: Erreur %d d'ouverture de /var/adm/wtmpx.\nBye.\n",
                argv[0], errno);
        exit(1);
    } /* if */

    /*
     * Starting from the beginning of the file, compare the dates and
     * drop the records that are too old. Once a record falls inside
     * the period, it and all the records after it are kept in
     * /var/adm/wtmpx (the file is assumed to be in chronological order).
     * ut_xtime is the Solaris name for the seconds field of ut_tv.
     */
    while (read(old_fd, &wtmpx_rec, wtmpx_rec_sz) == wtmpx_rec_sz) {
        if (wtmpx_rec.ut_xtime >= temps_limite) {
            do {
                if (write(new_fd, &wtmpx_rec, wtmpx_rec_sz) != wtmpx_rec_sz) {
                    fprintf(stderr, "%s: Erreur %d d'ecriture du record.\nBye.\n",
                            argv[0], errno);
                    exit(1);
                } /* if */
            } while (read(old_fd, &wtmpx_rec, wtmpx_rec_sz) == wtmpx_rec_sz);
        } /* if */
    } /* while */

    close(old_fd);
    close(new_fd);
    exit(0);    /* Graceful exit */

} /* main() */
=====================================================================
/var/adm/wtmp is really just an ascii file. You can just remove it and
then do the following:

touch /var/adm/wtmp

Thanks, Mark

------------------------------------------
Mark Hargrave, Unix Systems Manager
Martin Marietta Manned Space Systems
PO Box 29304   Mail Stop: DPI/Bin 41
New Orleans, LA 70189

Phone: 504-257-1242   E-Mail: meh@wisdom.maf.nasa.gov
------------------------------------------
=====================================================================
Try

cp /dev/null /var/adm/wtmp

Val
=====================================================================
Hi

Under Solaris 2.3 there's /usr/lib/acct/fwtmp. From the man page:

        fwtmp reads from the standard input and writes to the standard
        output, converting binary records of the type found in
        /var/adm/wtmp to formatted ASCII records. The ASCII version is
        useful when it is necessary to edit bad records.

So you can tail -some_reasonable_number the ascii version and convert it
back to binary with fwtmp -ic.

Ric

--
Richard J. Lister                 listerrj@aston.ac.uk
Research Assistant, Neural Computing Research Group
Aston University, Birmingham B4 7ET, UK
http://neural-server.aston.ac.uk/~listerrj/
=====================================================================
There is a procedure documented in the Sun System and Network Admin.
book on page 204. It's entitled "Repairing a wtmp file", but you can
also use it to edit the file for truncation purposes.

To reduce the size of /var/adm/wtmp, perform the following commands:

# cd /var/adm

# /usr/lib/acct/fwtmp < wtmp > xwtmp

# vi xwtmp

Remove old stuff

# rm wtmp

# /usr/lib/acct/fwtmp -ic < xwtmp > wtmp

# rm xwtmp

Cheers,

Wes

Wes Pfarner, Sandia National Laboratories, M.S. 0655
wrpfarn@sandia.gov, 505-844-0684
On track for Sun/Auspex System and Network Administration
=====================================================================
Take a look at the man page for fwtmp. If you don't care about the
contents, you could always wipe it out (cat /dev/null >/var/adm/wtmp)...

Sue

--
Susan M. Menig
Advanced Systems Consulting, Inc.
Susan.M.Menig@Bell-Atl.Com
=====================================================================
I just vi it and delete every line.

...Buddy...
=====================================================================
If you want it empty, a root cron entry will do it:

cat /dev/null > /var/adm/wtmp

If you want to keep some past data, you could write a script to copy
the file to a new name and then empty the real file. If this is done
regularly, you'll have a set of small files that is easy to control.
Let me know if you want an example script.

--
Brent Chivers
bchivers@mitre.org
=====================================================================
If you want to truncate the file...

cat /dev/null > /var/adm/wtmp

The contents of wtmp will be lost.

I know of no other way to remove data from this file.

Scott MacDonald            | Scott.MacDonald@Labatt.Com
Technical Support Analyst  | (519)-667-7112
Labatt Breweries of Canada | London, Ontario CANADA
"Any opinions expressed are personal, not my company's"
=====================================================================
You have to write a C program. It is very simple. See the man page for
utmp(5v) and the header file /usr/include/utmp.h for particulars about
the file format.

Mark Anderson
----------------------------------------------------------
The MITRE Corporation            manderso@mitre.org
7525 Colshire Drive, MS W747     voice: (703) 883-6439
McLean, VA 22102                 FAX:   (703) 883-1905
=====================================================================
In a cron job use one of the following two commands...

tail -500 /var/adm/wtmp > tmp; cp tmp /var/adm/wtmp

or

cp /dev/null /var/adm/wtmp

Hope it helps...

Dave.
=====================================================================
Make a backup of the original wtmp, then clean out the original to
zero size with the following:

cp /var/adm/wtmp /var/adm/old_wtmp

cat /dev/null > /var/adm/wtmp

This way you have the previous file intact, which becomes your backup
always, and a new wtmp for future logging. You can create a script to
do this process for you, say at the beginning or ending of a month. The
script will always check for the existence of the prior "old_wtmp",
delete it, copy the current wtmp to "old_wtmp", then cat /dev/null into
the current file to zero it.

Schedule root's crontable to run the script for you. Also, make sure the script is set to mode 0700 and owned by root.

Good Luck!
-Don Lenamond

Don Lenamond: Network Systems Engr., Enterprise Integration Services
OpenSystems Inc., 3111 C Street, Ste 400, Anchorage, AK 99503
E-mail: don@alaska.opensys.COM   Phone: (907) 261-8715   Fax: (907) 261-8710
=====================================================================
The simplest way is to do:

cat > wtmp <control>-D

This will restart it from zero.

Or you can

rm /var/adm/wtmp

touch /var/adm/wtmp

Stephen Hauskins
UCSC
Steve
=====================================================================



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:10:21 CDT