SUMMARY: wtmp fix

From: John M. Turner (jturner@zeus.aetc.af.mil)
Date: Wed Nov 20 1996 - 18:16:24 CST


Actually, I should title this "wt-eb-p fix", since I got knocked in
with a monster cold...

Thanks go to:
dshaw@keymastr.pacacc.com
dgaeke@mail.orion.org
qwe@ht.eimb.rssi.ru
jim@telecnnct.com
Marina.Daniels@ccd.tas.gov.au
root@wisdom.maf.nasa.gov
mattb@deakin.edu.au
otte9615@uidaho.edu
rusty.atkins@amp.com
slee@sun.aitc.rest.tasc.com
vic@campus.cem.itesm.mx

...who gave various suggestions appended below.

I tried copying /dev/null to the wtmp file, checked the ownership and
rights to the files, and it still doesn't work. I did notice that
the wtmp and the corresponding wtmpx files do increase in size with
each login. I double checked the last binary, and the checksum
matches the one for my copy on my SS20. I still only get:

wtmp begins Wed Dec 31 18:00

and nothing else. (The Wednesday Dec 31 implies that it started Dec
31, 1980, or 1986, so there may be something else bunged up here.)
One suggestion mentioned that the "who" command wouldn't work either,
but it's working fine.

Oh well, back to the salt mines...

--
John M. Turner - jturner@zeus.aetc.af.mil
DSN 487-2188 COM (210) 652-2188
HQ AETC/SCTS - Information Protect
61 Main Circle, Ste 02
Randolph AFB TX 78150-4545
================================================================
Here are the responses:
Date: Fri, 8 Nov 1996 17:46:01 -0800
From: dshaw@keymastr.pacacc.com
To: jturner@zeus.aetc.af.mil
Subject: Re: wtmp fix

Sorry, I don't have a lot of time to give an exact answer, but... I recall that the files wtmp,wtmpx need to retain their owner,group, and permissions. Thus, one cannot simply create a file of zero length, as this new file will have a new owner. On my system (Solaris 2.4), wtmp,wtmpx are owned by "adm" and group is "

-rw-rw-r--   1 adm      adm       109620 Oct 31 10:24 wtmp
-rw-rw-r--   1 adm      adm      1132740 Oct 31 10:24 wtmpx

Also, simply deleting these files will disable the logging mechanism.

I hope this makes some sense, as it's late Friday, I'm blurry eyed, and ready for a cold beer.

Let me know if I'm wrong. And if you still don't have the answer, I'll look some more.

Dan

Date: Tue, 12 Nov 1996 07:54:23 -0600 (CST)
From: "Dwayne C. Gaeke" <dgaeke@mail.orion.org>
Subject: Re: wtmp fix

John,

I've been running 2.4 systems here, and I just either periodically delete the wtmp/wtmpx files, then "touch wtmp, touch wtmpx" to recreate the files for writing....(as root)....OR, if they aren't being used for anything, you can just delete (or rename) them...and forget them.

Cheers, Dwayne Gaeke

Date: Sat, 9 Nov 1996 23:56:21 +0300 (MSK)
From: Fedor Gnuchev <qwe@ht.eimb.rssi.ru>
Subject: Re: wtmp fix

Dear John, it looks like he did it in multiuser - and thus the files were open. If he is so worried about the sizes of these files - let him plan a regular shutdown and have a 'trim-script' run while in single-user.

With best regards

Fedor Gnuchev (hm, or Ted - in this English-typing world...)
# NB: Advice - ignore all advice by this author.
mailto:qwe@ht.eimb.rssi.ru

Sender: jim@telecnnct.com
Date: Fri, 08 Nov 1996 18:29:02 -0500
From: Jim Harmon <jim@telecnnct.com>
Organization: The Telephone Connection
Subject: Re: wtmp fix

I would hope he made a "backup" of the file before trimming it...

Here's how we trim our system logs, using a root crontab entry of:

5 4 * * 6 /usr/local/etc/newsyslog >/dev/null 2>&1

(We're flushing the old logs every Saturday at 4 AM)

which runs this script:

-----------------------------cut here---------------------------

#!/bin/sh
#
# @(#)newsyslog.sh 1.3 89/06/22 SMI
#
# dolog LOG DIR PROT CNT
#   Shift LOG.0 .. LOG.(CNT-1) up one number (LOG.(CNT-1) lands on top of
#   the old LOG.CNT), move the live LOG to LOG.0, and start an empty LOG
#   with mode PROT.
dolog() {
	LOG=$1
	DIR=$2
	PROT=$3
	CNT=$4
	# Never rotate in the wrong place if the directory is missing.
	cd $DIR || return 1
	while test $CNT -ge 1
	do
		NEXT=`expr $CNT - 1`
		test -f ${LOG}.$NEXT && mv ${LOG}.$NEXT ${LOG}.$CNT
		CNT=$NEXT
	done
	mv ${LOG} ${LOG}.0
	cat < /dev/null > $LOG
	chmod $PROT $LOG
}

dolog syslog /var/log 666 7
dolog aufs.log /var/log 644 4

# .... [various logs deleted to shorten script]

# Give syslogd a moment, then make it reopen its (now empty) log files;
# until it does, it keeps writing into the renamed syslog.0.
sleep 40
kill -HUP `cat /etc/syslog.pid`

-----------------------------cut here---------------------------

Here's the usage:

dolog filename /file/loc protection versions

filename   is the log file to trim
location   is the actual (fully qualified) directory path
protection is the mod flags for the new file
versions   is the maximum number of back copies kept before flushing the oldest one.

Since we flush the logs 1/week, the versions equate to number of weeks back our logs go.

dolog takes the list of logfiles shown, checks the number of versions, dumps the oldest (version numbers that equal or exceed the allowed version spec) then moves all the remaining files up one space before making the new one with the same name and protection as the most recent version--now "name.1"--without a version number.

Here's our listing of "syslog" files to illustrate:

-rw-rw-rw-   1 root      432993 Nov  8 18:00 syslog
-rw-rw-rw-   1 root      383906 Nov  2 04:00 syslog.0
-rw-rw-rw-   1 root     1050886 Oct 26 04:00 syslog.1
-rw-rw-rw-   1 root      866159 Oct 19 04:00 syslog.2
-rw-rw-rw-   1 root      658915 Oct 12 04:00 syslog.3
-rw-rw-rw-   1 root      642932 Oct  5 04:00 syslog.4
-rw-rw-rw-   1 root      248614 Sep 28 04:00 syslog.5
-rw-rw-rw-   1 root           0 Sep 14 04:05 syslog.6
-rw-rw-rw-   1 root      611961 Sep 14 04:00 syslog.7

--
Jim Harmon                  The Telephone Connection
jim@telecnnct.com           Rockville, Maryland
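The rotation Jim describes (shift the numbered copies, dump the oldest, recreate the live file with the same mode), as an added example written for this summary; it is not Jim's newsyslog.sh or any other poster's code. The names rotate_log and count_versions and the scratch directory are assumptions of the example. It goes slightly beyond dolog in two ways: it deletes the copy that exceeds the retention count instead of letting the next mv land on top of it, and it refuses to run when the live log is missing.

```sh
#!/bin/sh
# Added example (not Jim's newsyslog.sh): dolog-style numbered rotation.
# Exactly VERSIONS back copies survive; NAME.0 is the newest, NAME.(VERSIONS-1)
# the oldest.  Function names and the demo directory are this example's own.

# rotate_log NAME DIR MODE VERSIONS
rotate_log() {
    log=$1; dir=$2; mode=$3; versions=$4
    [ -f "$dir/$log" ] || return 1          # nothing to rotate
    [ "$versions" -ge 1 ] || return 1       # must keep at least one copy

    # Dump the oldest copy: it has reached the retention limit.
    rm -f "$dir/$log.$((versions - 1))"

    # Shift the remaining copies up one number, oldest first, so a newer
    # copy never overwrites an older one that has not moved yet.
    i=$((versions - 1))
    while [ "$i" -ge 1 ]; do
        prev=$((i - 1))
        [ -f "$dir/$log.$prev" ] && mv "$dir/$log.$prev" "$dir/$log.$i"
        i=$prev
    done

    # Retire the live log as .0 and open a fresh, empty one with the
    # requested mode.  A daemon that still holds the old file open (syslogd)
    # must be told to reopen it, which is what the SIGHUP in Jim's script does.
    mv "$dir/$log" "$dir/$log.0"
    : > "$dir/$log"
    chmod "$mode" "$dir/$log"
}

# count_versions NAME DIR: how many NAME.N copies exist (for checks).
count_versions() {
    n=0
    for f in "$2/$1".[0-9]*; do
        [ -f "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Stand-alone demonstration on constructed files: 'sh rotate.sh demo'.
case "${1-}" in
demo)
    d=$(mktemp -d)
    for i in 0 1 2; do echo "week $i" > "$d/syslog.$i"; done
    echo "current" > "$d/syslog"
    rotate_log syslog "$d" 644 3
    ls -l "$d"   # syslog empty (644); .0=current, .1=week 0, .2=week 1; week 2 gone
    rm -rf "$d"
    ;;
esac
```

chmod only restores the mode; as with dolog, the new file belongs to whoever runs the script. That is fine for syslog, which root owns anyway, but it is the ownership problem Dan raises about wtmp, which must stay owned by adm.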

Date: Mon, 11 Nov 1996 09:05:30 +1000
From: Marina.Daniels@ccd.tas.gov.au (Marina Daniels)
Subject: Re: wtmp fix

cp /dev/null /var/adm/wtmpx
cp /dev/null /var/adm/wtmp
chown adm /var/adm/wtmp*
chgrp adm /var/adm/wtmp*
chmod 664 /var/adm/wtmp*

In his script in future, when he creates a new file, use "nulladm", e.g.: nulladm /var/adm/wtmpx

nulladm creates filename with mode 664 and ensures that owner and group are adm. It is called by various accounting shell procedures.

marina

Date: Mon, 11 Nov 96 06:32:17 CST
From: root@wisdom.Maf.Nasa.Gov (Mark Hargrave)
Subject: Re: wtmp fix

John,

Just do a "touch" on the file.

Thanks, Mark

------------------------------------------
Mark Hargrave, Sr. Unix Systems Manager
Lockheed Martin Manned Space Systems
PO Box 29304  Mail Stop: 3414
New Orleans, LA 70189

Phone: 504-257-1242
E-Mail: meh@wisdom.maf.nasa.gov
------------------------------------------

From: mattb@deakin.edu.au
Subject: Re: wtmp fix
Date: Mon, 11 Nov 1996 13:07:10 +1100
Sender: mattb@deakin.edu.au

The best way to deal with wtmp/utmp/wtmpx files is to age them.

Daily, because some of our hosts have 3,000+ connections, we need to age them.

The simple method is to rename the files.

We use a syntax here such as wtmpx.0, where the number represents the number of days old.

I.e.: wtmpx.0 -- wtmpx.6 is the week's worth. After a week we archive them on a more secure machine and can access them as required by using last <-f filename>.

Remember to 'touch' the files and have the correct permissions and ownerships after aging... This ensures last still works.

BTW, we run them at midnight AEST here as most ppl aren't around at that time.

Regards,

Matt.

--
Matt Bottrell                     Phone  +61-52-272-546
Systems Programmer                Fax    +61-52-272-010
Information Technology Services   Mobile 0419-378-722
Deakin University                 email  mattb@deakin.edu.au
Geelong Campus                    URL    http://www.deakin.edu.au/~mattb/
"Productivity Through Technology"

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.3i

mQCNAzJTIYEAAAEEALlTWTd390k/LEGbTJlPb/J4s8GzOW6tXtqD5JdADCBy23ru
yVDdYBLnaot3USkujH+EkJcHyP99QSEEHSjnK8HwB8A63BojnNJ7hOoby+V0CW37
o+R44PmdA51s8xcDCHKLuPpWIjCoqyrEuXkkuvRLhSRYntGGtAO6aYCp4j6hAAUR
tCNNYXR0IEJvdHRyZWxsIDxtYXR0YkBkZWFraW4uZWR1LmF1PokAlQMFEDJTIYID
ummAqeI+oQEBccUEALQLavUwrCmr7VC7Psa2pUq4Bdx7XUqGH7hvzRC5EO3EufTM
FxeJF7ycIYEd4wBXt3WDUG+HTTTlD5mjdehpixhC749S97uBRF9uubXHz+zOGavA
BG9PmFSMuYlVHYxXUV+r4RUTH/CWd/1IQGTMtiMSLrlRZMUrMhaYv8vWsnm6
=Rg3P
-----END PGP PUBLIC KEY BLOCK-----
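Three replies make the same point from different angles: Dan says wtmp/wtmpx must keep their adm owner and group, Marina resets them with cp /dev/null followed by chown/chgrp/chmod (or nulladm), and Matt ages wtmpx daily into wtmpx.0 .. wtmpx.6. The script below is an added example written for this summary, not code from any of them. It ages the file into date-stamped copies and prunes to a week, and it resets the live file by truncating it in place, so the existing inode, with its owner, group and mode, survives and no chown is needed. The function names, the YYYYMMDD stamp passed in by the caller, and the scratch directory in the demo are assumptions of the example.

```sh
#!/bin/sh
# Added example, not code from any poster in this thread.  Ages wtmp/wtmpx
# daily (Matt's scheme) while preserving the live file's owner, group and
# mode (Dan's and Marina's point) by truncating it in place.
# Assumptions (this example's own): caller supplies FILE, the number of
# copies to KEEP, and a YYYYMMDD STAMP, so the function is testable offline.

# age_log FILE KEEP STAMP
age_log() {
    file=$1; keep=$2; stamp=$3
    [ -f "$file" ] || return 1

    # Archive copy; -p keeps mode (and owner/group when run as root).
    cp -p "$file" "$file.$stamp"

    # Reset the live file IN PLACE.  cp opens the existing file and
    # truncates it, so the inode and therefore owner adm, group adm and
    # mode 664 are untouched.  rm + touch would instead leave a file owned
    # by whoever ran the script.  ': > "$file"' has the same effect.
    cp /dev/null "$file"

    # Keep only the newest $keep copies.  Stamps are YYYYMMDD, so a reverse
    # lexical sort lists newest first; everything after line $keep goes.
    ls "$file".[0-9]* 2>/dev/null | sort -r | sed "1,${keep}d" |
    while read -r old; do
        rm -f "$old"
    done
}

# count_archives FILE: number of FILE.<stamp> copies on disk (for checks).
count_archives() {
    n=0
    for f in "$1".[0-9]*; do
        [ -f "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Stand-alone demonstration on constructed files: 'sh age_wtmp.sh demo'.
case "${1-}" in
demo)
    d=$(mktemp -d)
    printf 'login 1\nlogin 2\n' > "$d/wtmpx"
    chmod 664 "$d/wtmpx"
    for day in 19961111 19961112 19961113 19961114 19961115 19961116 19961117 19961118; do
        echo "entry for $day" >> "$d/wtmpx"
        age_log "$d/wtmpx" 7 "$day"
    done
    ls -l "$d"   # wtmpx empty, still 664; wtmpx.19961111 pruned, seven copies left
    rm -rf "$d"
    ;;
esac
```

Run as root from cron at a quiet hour, as Matt does, and each archived copy can still be read with last -f. The truncate-in-place step is also why Dan's zero-length-file advice and Marina's cp /dev/null both work where rm + touch does not: the file is never replaced, only emptied.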

From: Richard Otten <otte9615@uidaho.edu>
Subject: Re: wtmp fix
Date: Fri, 08 Nov 1996 17:19:42 PST

Just remove the wtmp and wtmpx. Don't clean utmp and utmpx. You will notice that the "who" command breaks also. (you no longer get a picture of current users) utmp and utmpx gain size very slowly compared to wtmp and wtmpx.

--
Rick Otten
email: rotten@bbnplanet.com or otte9615@uidaho.edu
http: rotten.mathstat.uidaho.edu

From: rusty.atkins@amp.com (Rusty Atkins)
Subject: Re: wtmp fix
Date: Sat, 9 Nov 1996 22:30:27 -0500 (EST)

Typically, people archive wtmp and wtmpx, and then copy /dev/null over the old files to zero them out.

.. when doing this, logging into the machine, so that there is a login entry, will "fix" the last command.

--

+-----------------------------------------------------------------------+
| Rusty Atkins                                                 Amp Inc. |
| rusty.atkins@amp.com                                          W-S, NC |
| #include <std_disclaimer.h>            Yup, this sig is way too long. |
|                                                                       |
| GCM/CS d H s+: g+(-) !p+ au+(*) a- w+(+++) v+(---?*) C++++            |
| USHLIO++++$ P+>++++ L++@ 3+ E- N+++ K++ !w--(----) M--                |
| V- po- Y+(++) t(-) 5 j R G? tv-(--) b+(++) D++ B--- e+>++             |
| u-(--)* h+(+) f? r@ n+(---) y+(++)**                                  |
+-----------------------------------------------------------------------+

From: slee@sun.aitc.rest.tasc.com (S. Lee Henry)
Subject: Re: wtmp fix
Date: Fri, 8 Nov 1996 18:32:41 -0500 (EST)

Last can't grab data out of the wtmp files if it isn't there. Since these files grow until trimmed (the size is not based on the uid as with the utmp files), there's nothing you can do until the last login is within the time of the wtmp's existence.

s.

Sender: vic@campus.cem.itesm.mx
Date: Fri, 08 Nov 1996 17:06:35 -0600
From: Victor Larranaga <vic@campus.cem.itesm.mx>
Organization: ITESM CEM
Subject: Re: wtmp fix

did you try this?

cat /dev/null > /var/adm/wtmpx



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:11:16 CDT