decode contents of wtmp file (1586 Views)
Super Advisor
NDO
Posts: 534
Registered: ‎12-10-2003
Message 1 of 15 (1,586 Views)
Accepted Solution

decode contents of wtmp file

 

Hi

I am trying to use the commands last and lastb to check on successful and unsuccessful logins, and I got the following result:

#last -R 10
Invalid record size. Unable to continue ...

 

and

 lastb -R 10

BTMPS_FILE  begins at Fri Dec 31 07:45:40

 

So I search on this forums and I found the following post:

http://h30499.www3.hp.com/t5/System-Administration/last-command-amp-wtmps/td-p/4615210

 

In this post Robert Jan came up with a solution, but I would like to understand the contents of the files, like the output of:

/usr/sbin/acct/fwtmp < /var/adm/wtmp > /tmp/wtmp.tmp

 

I edited the file /tmp/wtmp.tmp and found this:

 

esmd     esmd               2877  5 0000 0000 1254490132 Oct  2 15:28:52 2009
cimserve cim1               2878  5 0000 0000 1254490132 Oct  2 15:28:52 2009
sh       ems3               2879  5 0000 0000 1254490132 Oct  2 15:28:52 2009
sh       ems3               2879  8 0000 0000 1254490132 Oct  2 15:28:52 2009
p_client ems4               2882  5 0000 0000 1254490132 Oct  2 15:28:52 2009
icapd    icap               2883  5 0000 0000 1254490132 Oct  2 15:28:52 2009
utild    util               2884  5 0000 0000 1254490132 Oct  2 15:28:52 2009
krsd     krsd               2874  8 0011 0000 1254495221 Oct  2 16:53:41 2009
krsd     krsd               8950  5 0011 0000 1254495221 Oct  2 16:53:41 2009
utild    util               2884  8 0011 0000 1254495221 Oct  2 16:53:41 2009

 

 

 

Can someone explain what this means?

 

 

Regards

 

Acclaimed Contributor
Dennis Handly
Posts: 24,956
Registered: ‎03-06-2006
Message 2 of 15 (1,578 Views)

Re: decode contents of wtmp file

>/usr/sbin/acct/fwtmp < /var/adm/wtmp > /tmp/wtmp.tmp

 

You should be looking a wtmps, not wtmp.  And you may need to use -X.

 

>I edit the file /tmp/wtmp.tmp and I found this:

 

All the way through or just after awhile?

Super Advisor
NDO
Posts: 534
Registered: ‎12-10-2003
Message 3 of 15 (1,572 Views)

Re: decode contents of wtmp file

Hi

 

I did use -X. I got successful output with lastb -X, but I had the same error with last -X, which was:

last -X
Invalid record size. Unable to continue ...

 

Now when using :

/usr/sbin/acct/fwtmps < /var/adm/wtmps > /tmp/wtmps.tmp

 

the contents of wtmps.tmp are:

 

 13135  0 0000 63164 825438515 Feb 27 18:28:35 1996 127.255.214.224 5
                           2004842672  0 0000 0000 7 Jan  1 02:00:07 1970
                            808463924 11825 32000 0000 0 Jan  1 02:00:00 1970 0.0.0.1
                               0  0 0000 0000 0 Jan  1 02:00:00 1970 119.120.204.224
                               0  0 0000 0000 0 Jan  1 02:00:00 1970
                           -1065708960  0 0000 0000 0 Jan  1 02:00:00 1970 114.111.111.116
                               0  0 0000 0000 0 Jan  1 02:00:00 1970
                               0  0 0000 0000 0 Jan  1 02:00:00 1970
                               0  0 0000 0000 0 Jan  1 02:00:00 1970
                               0  0 0000 0000 0 Jan  1 02:00:00 1970
                           1718906980 12595 31465 34000 0 Jan  1 02:00:00 1970 127.255.214.228

                           -1073741824  0 1611 0000 0 Jan  1 02:00:00 1970
                               0  0 0000 0000 0 Jan  1 02:00:00 1970
                               0  0 0000 0000 0 Jan  1 02:00:00 1970 119.120.204.224
              `                0  0 0000 0016 0 Jan  1 02:00:00 1970
                               0  0 0000 0000 0 Jan  1 02:00:00 1970
                               0  0 0000 0000 0 Jan  1 02:00:00 1970
                               0  0 0000 0000 0 Jan  1 02:00:00 1970
                               0  0 0000 0000 0 Jan  1 02:00:00 1970
                            939589631  0 0000 0000 0 Jan  1 02:00:00 1970

 

 

It's a big file.

 

regards

 

Fernando

Super Advisor
NDO
Posts: 534
Registered: ‎12-10-2003
Message 4 of 15 (1,571 Views)

Re: decode contents of wtmp file

Hi

 

Will it be possible to also list the IPs of the PCs/laptops that connected to the system successfully and those that did not manage to log in?

 

 

regards

 

Fernando

Honored Contributor
Matti_Kurkela
Posts: 6,271
Registered: ‎12-02-2001
Message 5 of 15 (1,566 Views)

Re: decode contents of wtmp file

You can find a description of the contents of the wtmp and wtmps files in the system man pages: please run "man 4 wtmp" and "man 4 wtmps", respectively.

 

The output of the fwtmp/fwtmps commands should normally be similar to the actual wtmp/wtmps file structure, but with all the binary fields translated into human-readable ASCII.

 

However, the error message "invalid record size" from the "last" command and the confused-looking contents of your wtmps.tmp file (dates in the year 1970?? Loopback IP addresses like 127.255.214.224???) suggest that your wtmps file was corrupted at some point. The corruption would cause the fwtmps tool to go out of sync with the entries and misinterpret them.

 

If you want to extract meaningful information from the file, you may have to find the corrupted entry/entries in your original binary wtmps file and remove them (probably with some hex editor) and then re-run the file through the fwtmps command.

 

If the wtmps file is large, finding and recognizing the corrupted entries may be a difficult and tedious job.

MK
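The man pages describe the binary layout; the text that fwtmp/fwtmps emit is what people actually read. The following is an added example, not code from anyone in this thread, that parses that text format as it appears in the output posted above (ut_user, ut_id, ut_line, ut_pid, ut_type, e_termination, e_exit, ut_time, the ctime() date, then the host when one was recorded) and answers the two questions asked in this thread: what each record means, and which users logged in from which addresses inside a date range. The ut_type codes are the standard <utmp.h> values (5 = INIT_PROCESS, 7 = USER_PROCESS, 8 = DEAD_PROCESS, and so on). The sample input reuses two daemon lines and two garbage lines from the posts above; the login lines with users fernando/root and hosts 10.1.2.33/10.1.2.40 are constructed for the example, and whether fwtmps prints anything after the host column is not confirmed here, so trailing tokens are ignored.

```python
#!/usr/bin/env python3
"""Parse fwtmp(1M)/fwtmps(1M) text output and report logins per host.
Added example for this thread, not code from the original posts."""
import re
from collections import defaultdict

# Standard <utmp.h> ut_type codes (assumed to match HP-UX, which follows SVID).
UT_TYPE = {0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 3: "OLD_TIME",
           4: "NEW_TIME", 5: "INIT_PROCESS", 6: "LOGIN_PROCESS",
           7: "USER_PROCESS", 8: "DEAD_PROCESS", 9: "ACCOUNTING"}
USER_PROCESS, DEAD_PROCESS = 7, 8

# ut_line is blank for daemons started by init, so it is optional; the record
# is anchored on the numeric fields and the ctime() date that fwtmp appends.
RECORD_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<id>\S+)\s+(?:(?P<line>\S+)\s+)?"
    r"(?P<pid>\d+)\s+(?P<type>\d+)\s+(?P<term>\d+)\s+(?P<exit>\d+)\s+"
    r"(?P<time>\d+)\s+"
    r"(?P<date>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+\d{4})"
    r"(?:\s+(?P<host>\S+))?")


def parse_fwtmp(text):
    """Return (records, bad_lines).  Lines that do not fit the layout are
    reported, not guessed at: that is exactly what a corrupted wtmps yields."""
    records, bad = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        s = raw.strip()
        if not s:
            continue
        m = RECORD_RE.match(s)
        if not m:
            bad.append((lineno, s))
            continue
        d = m.groupdict()
        rec = {"user": d["user"], "id": d["id"], "line": d["line"] or "",
               "pid": int(d["pid"]), "type": int(d["type"]),
               "term": d["term"], "exit": d["exit"], "time": int(d["time"]),
               "date": d["date"], "host": d["host"] or ""}
        rec["type_name"] = UT_TYPE.get(rec["type"], "UNKNOWN(%d)" % rec["type"])
        records.append(rec)
    return records, bad


def suspicious(rec):
    """Heuristics from the thread: an unknown ut_type or a time stamp that
    decodes to 1970 means the record is probably mis-framed garbage."""
    if rec["type"] not in UT_TYPE:
        return "unknown ut_type %d" % rec["type"]
    if rec["time"] < 315532800:  # 1980-01-01 UTC; nothing real predates it
        return "time stamp before 1980 (%d)" % rec["time"]
    return None


def logins_by_host(records, since, until):
    """Users with a USER_PROCESS record (a completed login) in
    since <= ut_time < until, grouped by recorded host.  Feed it the fwtmps
    output of /var/adm/btmps instead to get the failed attempts."""
    out = defaultdict(set)
    for r in records:
        if (r["type"] == USER_PROCESS and since <= r["time"] < until
                and suspicious(r) is None):
            out[r["host"] or "(local)"].add(r["user"])
    return {h: sorted(u) for h, u in out.items()}


def sessions(records):
    """Pair each USER_PROCESS with the next DEAD_PROCESS for the same ut_id and
    ut_pid; returns (user, host, login_time, seconds or None if still open)."""
    open_logins, out = {}, []
    for r in records:
        key = (r["id"], r["pid"])
        if r["type"] == USER_PROCESS:
            open_logins[key] = r
        elif r["type"] == DEAD_PROCESS and key in open_logins:
            s = open_logins.pop(key)
            out.append((s["user"], s["host"], s["time"], r["time"] - s["time"]))
    out.extend((s["user"], s["host"], s["time"], None) for s in open_logins.values())
    return out


# Constructed sample: two daemon lines and two garbage lines from the thread,
# plus three made-up logins (epoch times with dates in a UTC+2 zone, as above).
SAMPLE = """\
esmd     esmd               2877  5 0000 0000 1254490132 Oct  2 15:28:52 2009
krsd     krsd               2874  8 0011 0000 1254495221 Oct  2 16:53:41 2009
fernando ts0  pts/0         9011  7 0000 0000 1263000000 Jan  9 03:20:00 2010 10.1.2.33
fernando ts0  pts/0         9011  8 0000 0000 1263003600 Jan  9 04:20:00 2010 10.1.2.33
root     ts1  pts/1         9105  7 0000 0000 1265000000 Feb  1 06:53:20 2010 10.1.2.40
13135  0 0000 63164 825438515 Feb 27 18:28:35 1996 127.255.214.224 5
                           2004842672  0 0000 0000 7 Jan  1 02:00:07 1970
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    recs, bad = parse_fwtmp(text)
    for lineno, s in bad:
        print("line %d does not parse as a record: %s" % (lineno, s[:60]))
    for r in recs:
        print("%-8s %-13s %6d %s %s" % (r["user"], r["type_name"], r["pid"],
                                        r["date"], r["host"]))
    print(logins_by_host(recs, 1262304000, 1267401600))  # Jan 1 .. Mar 1 2010 UTC
```

Run it as `fwtmps -X < /var/adm/wtmps | python3 thisfile.py /dev/stdin` once the file has been trimmed to its intact part; on the corrupted output posted above every line lands in the "does not parse" list, which is a quick way to see how far the damage extends without a hex editor.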
Super Advisor
NDO
Posts: 534
Registered: ‎12-10-2003
Message 6 of 15 (1,564 Views)

Re: decode contents of wtmp file

Hi

 

Thank you for the explanation. The file is huge. I really need to find who logged in in the last 20 days (their IP addresses).

 

 

regards

Acclaimed Contributor
Dennis Handly
Posts: 24,956
Registered: ‎03-06-2006
Message 7 of 15 (1,555 Views)

Re: decode contents of wtmp file

>I had the same error when using last -X, which was: Invalid record size. Unable to continue

 

The error won't go away since the file has been corrupted.  You could use tusc to see how much of the file is bad.

 

>Now when using: /usr/sbin/acct/fwtmps < /var/adm/wtmps > /tmp/wtmps.tmp

>the contents of wtmps.tmp are:

13135  0 0000 63164 825438515 Feb 27 18:28:35 1996 127.255.214.224 5

 

Here you may have to use -X?  The output seems bad at the start.

 

>The file is huge, I really need to find who logged in the last 20 days (their IP addresses)

 

You might want to look at some other topics with problems with wtmps and using dd(1) to fix them:

http://h30499.www3.hp.com/t5/System-Administration/who-r-not-working/m-p/5165196/

http://h30499.www3.hp.com/t5/System-Administration/last-returns-no-login-info/m-p/5269768/

 

What does "ll /var/adm/wtmps" show?  You might be able to get the data at the end of the file.

Super Advisor
NDO
Posts: 534
Registered: ‎12-10-2003
Message 8 of 15 (1,547 Views)

Re: decode contents of wtmp file

Hi

 

I did try to use -X, but I had to cancel with ctrl + c because I had no response after quite a while.

 

>What does "ll /var/adm/wtmps" show? You might be able to get the data at the end of the file

it shows:

-rw-rw-r--   1 adm        adm        5770232 Mar  5 08:57 /var/adm/wtmps

 

It looks like the file is still being written to. I will try to use the last 1000 lines of the wtmps file to read from it!

 

regards

Acclaimed Contributor
Dennis Handly
Posts: 24,956
Registered: ‎03-06-2006
Message 9 of 15 (1,542 Views)

Re: decode contents of wtmp file

>I did try to use -X, but I had to cancel with control + c because I had no response after quite a while.

 

I have to use -X for 11.23 and 11.31 when using fwtmp(1m):

/usr/sbin/acct/fwtmp < /var/adm/wtmps

 

If you use tusc on last(1), you'll see this pattern before it aborts:

[11273] open("/var/adm/wtmps", O_RDONLY, 0) .............. = 4

...

[11273] read(4, "\0\00288", 4) ........................... = 4
[11273] lseek(4, 652, SEEK_SET) .......................... = 652
[11273] read(4, "\0\00288", 4) ........................... = 4
...

Now it prints it out by going backwards:
[11273] lseek(4, 67051684, SEEK_SET) ..................... = 67051684
[11273] read(4, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0".., 648) = 648

>-rw-rw-r--   1 adm        adm        5770232 Mar  5 08:57 /var/adm/wtmps

>I will try and use the last 1000 lines of the wtmps file to read from it.

 

The file is binary, there are no lines.  You'll need to use dd(1) to copy from the end:

#!/usr/bin/ksh

# Dump out last 20 records of wtmps file

WTMP=/var/adm/wtmps

typeset -i wtmpsize=$(ll $WTMP | awk '{print $5 }')
typeset -i wtmprecord=$((648+4))
typeset -i wtmpdump=$((wtmprecord * 20))

echo "$wtmprecord: $((wtmpdump))"

# Add -v to not suppress duplicate lines
xd -tx4 -tc -j $(($wtmpsize - wtmpdump)) -N $((wtmpdump)) $WTMP

dd if=$WTMP of=wtmps.short bs=1 count=$wtmpdump skip=$(($wtmpsize - wtmpdump))

 

(You can comment out the xd(1) command if you aren't interested in the raw file format.)


And once you get wtmps.short you can check with:
$ /usr/sbin/acct/fwtmp -X < wtmps.short

 

And use last(1) to format it:
$ last -R -X -f wtmps.short

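The tusc trace and the dd script above pin down the on-disk framing: a 4-byte length word holding 648, then 648 bytes of record, 652 bytes per entry, and last(1) walks that chain from the front and gives up at the first entry whose length word is wrong. The following is an added example, not code from anyone in this thread, that does the same walk over a wtmps-style file, reports the offset where the chain breaks, and then does what the dd approach relies on: it walks backwards from EOF to find the longest run of well-framed entries at the end, which is where the recent logins are. The big-endian byte order of the length word is an assumption; the record body is left opaque, to be decoded by fwtmps or last -X -f as above. The sample file it builds (three good entries, 100 bytes of junk, five good entries) is constructed for the example.

```python
#!/usr/bin/env python3
"""Locate corruption in a wtmps-style file and recover the intact tail.
Added example for this thread, not code from the original posts."""
import struct
import sys

REC_LEN = 648              # record body, from the tusc trace above
HDR_LEN = 4                # length word in front of each record
STRIDE = REC_LEN + HDR_LEN  # 652 bytes per entry, as in the dd script above


def scan_forward(data):
    """Walk from offset 0 as last(1) does; return the offset of the first
    length word that is not 648 (len(data) if the whole file is clean).
    Everything from that offset on is what last(1) refuses to read."""
    off = 0
    while off + HDR_LEN <= len(data):
        (n,) = struct.unpack(">I", data[off:off + HDR_LEN])  # big-endian assumed
        if n != REC_LEN or off + STRIDE > len(data):
            return off
        off += STRIDE
    return off


def recover_tail(data):
    """Return (start_offset, records) for the longest run of well-framed
    entries that ends exactly at EOF.  Logins are appended, so damage in the
    middle leaves the newest entries readable from the end even when the
    file cannot be walked from the front."""
    off = len(data)
    while off - STRIDE >= 0:
        (n,) = struct.unpack(">I", data[off - STRIDE:off - STRIDE + HDR_LEN])
        if n != REC_LEN:
            break
        off -= STRIDE
    recs = [data[i + HDR_LEN:i + STRIDE] for i in range(off, len(data), STRIDE)]
    return off, recs


def tail_dd_args(file_size, nrecords):
    """(skip, count) in bytes for copying the last nrecords entries with
    dd bs=1, i.e. the two numbers the ksh script above computes."""
    count = nrecords * STRIDE
    return file_size - count, count


def frame(payload):
    """Build one on-disk entry: length word, then the body padded to 648."""
    return struct.pack(">I", REC_LEN) + payload.ljust(REC_LEN, b"\0")


def build_sample():
    """Constructed test file: 3 good entries, 100 bytes of junk, 5 good entries."""
    good = [frame(b"record-%02d" % i) for i in range(8)]
    junk = bytes(range(1, 101))
    return b"".join(good[:3]) + junk + b"".join(good[3:])


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    bad_at = scan_forward(data)
    start, recs = recover_tail(data)
    print("size %d = %d entries + %d bytes; first bad length word at offset %d"
          % (len(data), len(data) // STRIDE, len(data) % STRIDE, bad_at))
    print("%d intact entries readable from EOF, starting at offset %d"
          % (len(recs), start))
    with open("wtmps.short", "wb") as out:   # then: last -R -X -f wtmps.short
        out.write(data[start:])
```

The size posted above, 5770232 bytes, is 8850 entries of 652 bytes plus 32 bytes left over, so that file cannot be on a record boundary at both ends; because entries are appended, the end is the side to trust, which is why copying from EOF with dd produced records that fwtmp -X and last -X -f could read. A length word that happens to read 648 inside garbage would fool the backward walk, so check the recovered output for 1970 dates before relying on it.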
Super Advisor
NDO
Posts: 534
Registered: ‎12-10-2003
Message 10 of 15 (1,536 Views)

Re: decode contents of wtmp file

Hi

 

It worked out fine (your script), but only a few records. I am really interested in who logged in in mid-January and February. Would it be possible to change your script to give that kind of output?

 

regards

 

Acclaimed Contributor
Dennis Handly
Posts: 24,956
Registered: ‎03-06-2006
Message 11 of 15 (1,534 Views)

Re: decode contents of wtmp file

>Would it be possible to change your script to give that kind of output?

 

Of course.  The script documents what it does.  If you want more than 20 records, just change the "20".

Member
DBurton30
Posts: 2
Registered: ‎04-08-2010
Message 12 of 15 (1,520 Views)

Re: decode contents of wtmp file

With this being my first attempt to answer a question since the big change (old forums style to new), I hope this makes some sense, is readable, etc.

 

In the favorite sys admin scripts area:

 

http://h30499.www3.hp.com/t5/System-Administration/favorite-sysadmin-scripts-you-always-keep-around-...

 

A pretty smart guy named Kevin Tuitt put together a script to gather "last" data. That's if you have a good wtmp, etc. file(s). I think his file was called "audit". The above link, assuming it works, will get you to the spot. I can't see how to download the file in this forum but I'm sure there is a way.

 

Anyway, I use something like it which does basically:

 

TEMPDIR="/tmp"     ### A nice place to put files.
lastb    | sort > $TEMPDIR/lastbfile  &
lastb -R | sort > $TEMPDIR/lastbrfile &
last     | sort > $TEMPDIR/lastfile   &
last -R  | sort > $TEMPDIR/lastrfile

 

You can get login IDs, computer names or IPs (depends on your DNS settings, I suppose), etc. Perhaps this can help you once your file(s) in question get fixed?

Super Advisor
NDO
Posts: 534
Registered: ‎12-10-2003
Message 13 of 15 (1,507 Views)

Re: decode contents of wtmp file

 

Hi!

 

Since the original wtmps file is corrupted, can I use the command:

cat /dev/null > /var/adm/wtmps

to clear the contents of wtmps and start fresh?

 

regards

 

 

 

 

Acclaimed Contributor
Dennis Handly
Posts: 24,956
Registered: ‎03-06-2006
Message 14 of 15 (1,506 Views)

Re: decode contents of wtmp file

>can I use the command to clear the contents of wtmps and start from fresh?

 

Sure but your current file has useful info, if you want to spend time getting at it.  I.e. make a copy first.

Also, you can just clear it with: > /var/adm/wtmps

Super Advisor
NDO
Posts: 534
Registered: ‎12-10-2003
Message 15 of 15 (1,504 Views)

Re: decode contents of wtmp file

Yes it does, but only from February this year, and I have already made a copy of it.

 

regards

The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation