Summary (1): Runaway growth of /var/adm/wtmpx

From: RORY_O'CONNOR@US.WFL.COM
Date: Wed Feb 12 1997 - 14:00:00 CST


     The original question:
     
     
> Maybe the answer is out there on the 'net somewhere, but my access is
> so slow today, and my time so short, I'm putting this out to y'all
> directly in hopes of a to-the-point answer:
>
> Under Solaris 2.5 on a SparcStation 20, the files, /var/adm/wtmp and
> /var/adm/wtmpx (especially), are growing constantly and quickly (wtmpx
> grew over 2MB in an hour). They appear to have something to do with
> the login daemon logging activity (telnetting to this system usually
> involves waiting 2-4 minutes before getting the login: prompt -- it is
> running the Horizon library holdings system with Sybase for its DBM,
> and there may be a half-dozen clients running from the OS/2-based
> Horizon client software, but with 192 MB of RAM, 132MB of swap -- 85MB
> free right now -- it should not be loaded that heavily ... right?).
>
> When the /var fs got filled up this morning, the wtmpx file was over
> 160MB! I mv'ed it to another drive/fs; was that OK? Do I need to
> keep these files? Can I set something to slow their growth rate, or
> dispense with them altogether? Any pointers/ideas/info greatly
> appreciated. Will summarize.
>
> I just took over this system, so I don't know much about its
     My thanks to all. Herewith a "summary":
     
     The short answer:
     
     
     /var/adm/wtmp and /var/adm/wtmpx are files in which are stored
     the login records. The "last" command uses their entries.
     
     Yes, you can delete them, move them, or whatever you want, and
     regenerate them with filesize=0 (use "touch").
     
     Ramón Castillo, QED Communication Staff.
     ________________________________________________
     SUPPORT CONTACT INFORMATION:         Moras 655-B
     Mail: ramon@qed.Com.MX               Col. Del Valle
     Tel: (525) 524 0772                  Benito Juarez
          (525) 524 0803                  03100 México City
     Fax: (525) 524 7293                  México
     http://www.qed.com.mx
     ________________________________________________
     PLEASE SEND SUPPORT MAIL TO Soporte@qed.Com.MX
     
     
     A management technique:
     
     
     What we do is a daily, weekly and monthly cron job of every machine.
     The monthly cron job, among other things, does the following:
     
     echo "Script Revised: @(#)monthly 1.2 91/10/14 13:00:34"
     echo ""
     echo "Rotating wtmp file:"
     cd /var/adm
     # Shift each saved generation up by one; the old wtmp.6 is overwritten.
     mv wtmp.5 wtmp.6
     mv wtmp.4 wtmp.5
     mv wtmp.3 wtmp.4
     mv wtmp.2 wtmp.3
     mv wtmp.1 wtmp.2
     mv wtmp.0 wtmp.1
     mv wtmp wtmp.0
     # Recreate an empty wtmp for new login records.
     cp /dev/null wtmp
     chmod 644 wtmp
     
     It doesn't look like we rotate the wtmpx at all - but we should!
     
     cheers,
     duncan
     
     ------------------------------------------------------------------------------
     Duncan C. White, Senior Computing Officer, Dept of Maths and Computing Science,
     University of Surrey, Guildford, Surrey GU2 5XH, UK.
     Email: D.White@mcs.surrey.ac.uk                    Phone: +441 483 259632
     URL: http://www.mcs.surrey.ac.uk/showstaff?D.White Fax: +441 483 259385
     
     PGPkey: http://www.mcs.surrey.ac.uk/Personal/D.White/pgpkey.html
     Key fingerprint = 91 93 0D 90 D0 5E 62 BF 57 39 08 56 43 FC E5 C8
     ------------------------------------------------------------------------------
     "After all, this is a species whose principal means of population control are
     famine, abortion, a high infant death rate and war."
     Intervention (page 442) - Julian May
     ------------------------------------------------------------------------------
     
     Another Pointer:
     
     Make sure you have utmpd running. Try the following lines in
     /etc/default/utmpd:
     
     SCAN_PERIOD=30
     MAX_FDS=3
     
> Not sure what these do; I sent this response to Karl:
          
> Thanks for the pointers. Question: what do those settings
> (SCAN_PERIOD -- ours is 300, and MAX_FDS -- not present) in
> /etc/default/utmpd (yes, it is running) do?
          
> Rory O'Connor
     --
     Karl Vogel
     vogelke@c17.wpafb.af.mil ASC/YCOA, Wright-Patterson AFB, OH 45433
                    937-255-3688
     
     Nature is blind. We are merely short-sighted. That's an improvement.
     --Henry Spencer
     
     
     
     Another Point:
     
     I can't give you a solution, but I can give you an idea of what to
     look at. Is this perchance a machine running CDE but without a
     monitor? If this is the case and you have CDE configured to put a
     graphical login box up on the (nonexistent) graphics console, you will
     get exactly this behaviour. Unfortunately I don't remember how I fixed
     this; something to do in /usr/dt. But if your machine meets these
     criteria this'll give you somewhere to start, anyway...
     
     +-----------------------------------------------------------------------+
     | Christopher L. Barnard         O     When I was a boy I was told that |
     | cbarnard@tsg.cbot.com         / \    anybody could become president.  |
     | (312) 347-4901               O---O   Now I'm beginning to believe it. |
     | http://www.cs.uchicago.edu/~cbarnard                --Clarence Darrow |
     +----------PGP public key available via finger or PGP keyserver---------+
     
     
     And this:
     
     Well, if you say "man wtmpx" you'll see this:
     
     | utmpx(4)                  File Formats                  utmpx(4)
     |
     | NAME
     |      utmpx, wtmpx - utmpx and wtmpx entry formats
     |
     | SYNOPSIS
     |      #include <utmpx.h>
     |
     | DESCRIPTION
     |      utmpx(4) is an extended version of utmp(4).
     |
     |      utmpx and wtmpx hold user and accounting information for
     |      commands such as who, write, and login.  These files have
     |      the following structure as defined by <utmpx.h>:
     |
     
> However, that man page doesn't really tell how to manage wtmp/x ;-}
     
     If you use the "last" command and wait for it to finish, the last 3
     lines of output will look like this:
     
     | reboot    system boot                   Mon Oct 21 18:05
     |
     | wtmp begins Mon Oct 21 18:05
     
     So nothing crucial is lost by deleting the [wu]tmp[x] files; just the
     record of who logged in when and suchlike.
     
     
     --
     Frank Pardo <fpardo@tisny.com>
     Transaction Information Systems
     New York City
     
     The scholar's ink outlasts the martyr's blood. -- Irish proverb
     
     
     
     And:
     
     Rotation of the wtmp files is a common sysadmin task. I can't find
     it in the Solaris 2 FAQ per se but it's common to put something in cron
     that does a cat /dev/null > /var/adm/wtmp and /var/adm/wtmpx
     
     boss
     
     ---
         __
      _ / /_   Todd Boss, Consultant       Virtualogic Incorporated
     | |/ / /  Unix Sysadmin/Sybase DBA    6707 Democracy Blvd, Suite 202
     |  / /__  tboss@virtualogic.com       Bethesda, Maryland 20817
     |__/____/ boss@netcom.com             (301) 571-5100 x173
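
Added example, not part of the original summary and not any respondent's own script: a rotation routine covering both wtmp and wtmpx, so the login history that "last" reads is kept for a few generations instead of being thrown away. The names ADM_DIR, KEEP, rotate_acct and rotate_all are chosen for this example; KEEP=7 matches the wtmp.0 to wtmp.6 generations in the monthly script quoted above.

```shell
#!/bin/sh
# Added example: rotate login accounting files, keeping KEEP old generations.
# ADM_DIR, KEEP, rotate_acct and rotate_all are names invented for this example.

ADM_DIR=${ADM_DIR:-/var/adm}
KEEP=${KEEP:-7}

# rotate_acct FILE
#   Shift FILE.0 .. FILE.(KEEP-2) up by one, copy FILE to FILE.0, then
#   truncate FILE in place so its inode, owner and mode stay unchanged.
rotate_acct() {
    f=$1
    [ -f "$f" ] || return 0      # file absent: nothing to rotate
    [ -s "$f" ] || return 0      # file empty: leave saved generations alone

    i=$((KEEP - 1))
    rm -f "$f.$i"                # oldest generation falls off the end
    while [ "$i" -gt 0 ]; do
        prev=$((i - 1))
        # A fixed mv chain errors on generations that do not exist yet;
        # here they are simply skipped.
        if [ -f "$f.$prev" ]; then
            mv "$f.$prev" "$f.$i"
        fi
        i=$prev
    done

    cp -p "$f" "$f.0" || return 1   # keep the records for later review
    : > "$f"                        # truncate only after the copy succeeded
}

# Rotate both the old-format and the extended accounting file.
rotate_all() {
    for name in wtmp wtmpx; do
        rotate_acct "$ADM_DIR/$name" || return 1
    done
}

# Run from cron as: rotate-acct.sh --run   (script name is an assumption)
if [ "${1:-}" = "--run" ]; then
    rotate_all
fi
```

Records written between the copy and the truncate are lost, so schedule the job for a quiet period.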



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:11:46 CDT