Re: last returns no login info (259 Views)
Reply
Trusted Contributor
Michael Sillers
Posts: 103
Registered: ‎11-19-2004
Message 1 of 15 (259 Views)
Accepted Solution

last returns no login info

I am trying to use the last command and it returns only "wtmp begins Sat Feb 28 08:04". lastb seems to return into from this file (lastb -f /var/adm/wtmp) but it doesn't look right. Does anyone have any ideas how I can get the last login info?

Thanks.
Please use plain text.
Honored Contributor
Rita C Workman
Posts: 3,791
Registered: ‎08-03-2000
Message 2 of 15 (259 Views)

Re: last returns no login info

They may be corrupt. You could null them out...

> /var/adm/wtmp
> /var/adm/btmp

You didn't mention O/S version, so if it's 11.23 or 11.31 just make it wtmps/btmps

Regards,
Rita
Please use plain text.
Honored Contributor
Mel Burslan
Posts: 3,213
Registered: ‎08-26-1998
Message 3 of 15 (259 Views)

Re: last returns no login info

[ Edited ]

check the file sizes of wtmp and btmp files. if they are zero or close to zero, most probably they were not logging data for a while and what is inside these files (they are binary files and need additional applications to be read, not ascii text. Keep this in mind) is not of any use. If this is the case, just re-create the files with :

> wtmp
> btmp

commands. If you think that there still is some valuable data in them that you want to hang on to, please follow instructions of Robert Jan Gosseens in the following old post:

http://h30499.www3.hp.com/t5/System-Administration/corrupted-btmp-wtmp/m-p/3124344#M151595

 

hope this helps

________________________________
UNIX because I majored in cryptology...
Please use plain text.
Trusted Contributor
Michael Sillers
Posts: 103
Registered: ‎11-19-2004
Message 4 of 15 (259 Views)

Re: last returns no login info

Thanks for the responses. That got them last working again. fwtmp gives some info but a lot of gibberish so I don't think it will be useful. There are dates ranging from 1910 to 1970 which isn't particularly useful. Strange though - the same thing happened on two servers. Can anyone suggest a way to prevent this from happening?
Please use plain text.
Honored Contributor
Mel Burslan
Posts: 3,213
Registered: ‎08-26-1998
Message 5 of 15 (259 Views)

Re: last returns no login info

My advice would be taking nightly backup copies of these files and comparing making sure, every morning when you report to work, these files are still in good condition by running last and lastb commands. When you have a failure, you can go back to the file from a night ago, at the same time, investigate what happened and who messed with these files.

Unless they got huge (in the order of gigabytes) they do not get corrupted by themselves. Usually someone who doesn't really know what he or she is doing, who heard the login info kept in these files, trying to cover their tracks when they did something bad, might mess with the file assuming it is an ascii file, by trying to edit it with vi and saving it while in vi, end up corrupting the file.

Make sure you keep one or two day's worth of copies of these two files somewhere obscure and make sure their sizes don't get too big. Then you should be in good shape.
________________________________
UNIX because I majored in cryptology...
Please use plain text.
Acclaimed Contributor
Dennis Handly
Posts: 24,879
Registered: ‎03-06-2006
Message 6 of 15 (259 Views)

Re: last returns no login info

If you haven't nulled out the file, you might be able to recover the info. How important is it?
Please use plain text.
Trusted Contributor
Michael Sillers
Posts: 103
Registered: ‎11-19-2004
Message 7 of 15 (259 Views)

Re: last returns no login info

It would be nice to be able to recover the information. I have nulled it but not before making a backup.
Please use plain text.
Trusted Contributor
Michael Sillers
Posts: 103
Registered: ‎11-19-2004
Message 8 of 15 (259 Views)

Re: last returns no login info

I've just checked and the new file seems to have gone corrupt since I nulled it yesterday. I've attached a copy of the file in case anyone wants to take a look.
Please use plain text.
Acclaimed Contributor
Dennis Handly
Posts: 24,879
Registered: ‎03-06-2006
Message 9 of 15 (259 Views)

Re: last returns no login info

>I've attached a copy of the file

This is a binary file. How did you attach it?
Using xd(1) I see \r \n as if the file was sent to Windows as a text file, inserting CR before LF.
Please use plain text.
Acclaimed Contributor
Dennis Handly
Posts: 24,879
Registered: ‎03-06-2006
Message 10 of 15 (259 Views)

Re: last returns no login info

You neglected to mention your HP-UX version. it seems you are on 11.11 and you attached /var/adm/wtmp?
Please use plain text.
Trusted Contributor
Michael Sillers
Posts: 103
Registered: ‎11-19-2004
Message 11 of 15 (259 Views)

Re: last returns no login info

Here's another copy of wtmp - this time I made sure I transferred in binary.

Our HPUX is 11.11
Please use plain text.
Acclaimed Contributor
Dennis Handly
Posts: 24,879
Registered: ‎03-06-2006
Message 12 of 15 (259 Views)

Re: last returns no login info

>Here's another copy of wtmp - this time I made sure I transferred in binary.

Much better. It appears there is an initial newline that needs to be removed:
$ dd if=366905.null of=wtmp.fix bs=1 count=908220 skip=1

(Unfortunately this bs=1 makes dd(1) very slow.)

This wtmp.fix seems to give good Jan 18 timestamps.
Please use plain text.
Trusted Contributor
Michael Sillers
Posts: 103
Registered: ‎11-19-2004
Message 13 of 15 (259 Views)

Re: last returns no login info

Thanks all for your help. The dd has fixed it and also helped me locate the problem. A previous administrator had been incorrectly truncating the file using a script called by cron.
Please use plain text.
Acclaimed Contributor
Dennis Handly
Posts: 24,879
Registered: ‎03-06-2006
Message 14 of 15 (259 Views)

Re: last returns no login info

>incorrectly truncating the file

echo > /var/adm/wtmp
vs:
> /var/adm/wtmp # ?
Please use plain text.
Trusted Contributor
Michael Sillers
Posts: 103
Registered: ‎11-19-2004
Message 15 of 15 (259 Views)

Re: last returns no login info

echo "" > /var/adm/wtmp. Puts a line feed character that last doesn't recognize.
Please use plain text.
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation