Decoding contents of wtmp file

by Community Manager on ‎03-13-2012 09:46 AM

I have to use -X for 11.23 and 11.31 when using fwtmp(1m):

/usr/sbin/acct/fwtmp -X < /var/adm/wtmps


If you use tusc on last(1), you'll see this pattern before it aborts:

[11273] open("/var/adm/wtmps", O_RDONLY, 0) .............. = 4

...

[11273] read(4, "\0\00288", 4) ........................... = 4
[11273] lseek(4, 652, SEEK_SET) .......................... = 652
[11273] read(4, "\0\00288", 4) ........................... = 4
...

Now it prints it out by going backwards:
[11273] lseek(4, 67051684, SEEK_SET) ..................... = 67051684
[11273] read(4, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0".., 648) = 648

>-rw-rw-r--   1 adm        adm        5770232 Mar  5 08:57 /var/adm/wtmps

>I will try and use the last 1000 lines of the wtmps file to read from it.


The file is binary; there are no lines.  You'll need to use dd(1) to copy from the end:

#!/usr/bin/ksh

# Dump out the last 20 records of the wtmps file.
# Each record is a 4-byte length word followed by a 648-byte utmpx record
# (the "\0\00288" = 0x0288 = 648 seen in the tusc trace), so 652 bytes in total.

WTMP=/var/adm/wtmps

typeset -i wtmpsize=$(ll "$WTMP" | awk '{print $5}')
typeset -i wtmprecord=$((648+4))
typeset -i wtmpdump=$((wtmprecord * 20))

echo "$wtmprecord: $wtmpdump"

# Hex/character dump of the tail; add -v to not suppress duplicate lines
xd -tx4 -tc -j $((wtmpsize - wtmpdump)) -N $wtmpdump "$WTMP"

# Copy the last 20 records byte-for-byte (bs=1) into wtmps.short
dd if="$WTMP" of=wtmps.short bs=1 count=$wtmpdump skip=$((wtmpsize - wtmpdump))


(You can comment out the xd(1) command if you aren't interested in the raw file format.)


And once you get wtmps.short you can check with:
$ /usr/sbin/acct/fwtmp -X < wtmps.short


And use last(1) to format it:
$ last -R -X -f wtmps.short
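The tusc trace above shows the framing last(1) relies on: a 4-byte length word (0x0288 = 648) followed by a 648-byte record, indexed forward and then printed newest-first. Here is an added Python example, not from the original post, that walks a wtmps-style file the same way and returns the last N records, reporting a truncated or malformed tail instead of aborting; the sample bytes are constructed, and the assumption that every length word is 648 comes from the trace.

```python
import struct

# Framing seen in the tusc trace on this page (assumption: every record is 648 bytes).
RECORD_LEN = 648
HEADER_LEN = 4                        # big-endian length word before each record
FRAME_LEN = HEADER_LEN + RECORD_LEN   # 652, the wtmprecord value in the ksh script


def build_record(tag: bytes) -> bytes:
    """Constructed test record: length word + 648-byte payload starting with `tag`."""
    payload = tag.ljust(RECORD_LEN, b"\0")
    return struct.pack(">I", RECORD_LEN) + payload


def index_records(data: bytes):
    """Forward pass as in the trace: read the length word, skip the record, repeat.
    Returns ([(payload_offset, length), ...], problem_or_None). A frame whose length
    word is wrong or runs past end of file stops the scan and is reported."""
    offsets = []
    pos = 0
    while pos + HEADER_LEN <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + HEADER_LEN])
        if length != RECORD_LEN or pos + HEADER_LEN + length > len(data):
            return offsets, f"malformed frame at offset {pos}: length={length}"
        offsets.append((pos + HEADER_LEN, length))
        pos += HEADER_LEN + length
    if pos != len(data):
        return offsets, f"{len(data) - pos} trailing bytes after last record"
    return offsets, None


def last_records(data: bytes, n: int):
    """Payloads of the last n well-formed records, newest first (last(1) order)."""
    offsets, problem = index_records(data)
    tail = [data[off:off + ln] for off, ln in offsets[-n:]]
    return tail[::-1], problem


def tail_skip(file_size: int, n: int) -> int:
    """Byte offset dd(1) should skip to copy the last n frames (the script's skip=)."""
    return file_size - n * FRAME_LEN


if __name__ == "__main__":
    sample = b"".join(build_record(b"rec%d" % i) for i in range(25))
    recs, problem = last_records(sample, 20)
    print(len(recs), "records, newest:", recs[0][:5], "problem:", problem)
```

A wtmps file whose size is not a multiple of 652 is worth a second look: the trailing-bytes report is where a truncated or hand-edited login history shows up before fwtmp(1m) or last(1) trip over it.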
