Trusted Contributor
Posts: 103
Registered: ‎11-19-2004
Message 1 of 15 (397 Views)
Accepted Solution

last returns no login info

I am trying to use the last command and it returns only "wtmp begins Sat Feb 28 08:04". lastb seems to return info from this file (lastb -f /var/adm/wtmp) but it doesn't look right. Does anyone have any ideas how I can get the last login info?

Thanks.
Honored Contributor
Posts: 3,790
Registered: ‎08-03-2000
Message 2 of 15 (397 Views)

Re: last returns no login info

They may be corrupt. You could null them out...

> /var/adm/wtmp
> /var/adm/btmp

You didn't mention O/S version, so if it's 11.23 or 11.31 just make it wtmps/btmps

Regards,
Rita
Honored Contributor
Posts: 3,214
Registered: ‎08-26-1998
Message 3 of 15 (397 Views)

Re: last returns no login info

Check the file sizes of the wtmp and btmp files. If they are zero or close to zero, most probably they were not logging data for a while and what is inside these files (they are binary files and need additional applications to be read, not ASCII text. Keep this in mind) is not of any use. If this is the case, just re-create the files with:

> wtmp
> btmp

commands. If you think that there still is some valuable data in them that you want to hang on to, please follow instructions of Robert Jan Gosseens in the following old post:

http://h30499.www3.hp.com/t5/System-Administration/corrupted-btmp-wtmp/m-p/3124344#M151595

Hope this helps

________________________________
UNIX because I majored in cryptology...
Trusted Contributor
Posts: 103
Registered: ‎11-19-2004
Message 4 of 15 (397 Views)

Re: last returns no login info

Thanks for the responses. That got last working again. fwtmp gives some info but a lot of gibberish so I don't think it will be useful. There are dates ranging from 1910 to 1970 which isn't particularly useful. Strange though - the same thing happened on two servers. Can anyone suggest a way to prevent this from happening?
Honored Contributor
Posts: 3,214
Registered: ‎08-26-1998
Message 5 of 15 (397 Views)

Re: last returns no login info

My advice would be taking nightly backup copies of these files and comparing, making sure every morning when you report to work that these files are still in good condition by running the last and lastb commands. When you have a failure, you can go back to the file from a night ago and, at the same time, investigate what happened and who messed with these files.

Unless they get huge (on the order of gigabytes) they do not get corrupted by themselves. Usually someone who doesn't really know what he or she is doing, who heard that the login info is kept in these files, trying to cover their tracks when they did something bad, might mess with the file assuming it is an ASCII file, and by trying to edit it with vi and saving it while in vi, ends up corrupting the file.

Make sure you keep one or two day's worth of copies of these two files somewhere obscure and make sure their sizes don't get too big. Then you should be in good shape.
________________________________
UNIX because I majored in cryptology...
Acclaimed Contributor
Posts: 25,538
Registered: ‎03-06-2006
Message 6 of 15 (397 Views)

Re: last returns no login info

If you haven't nulled out the file, you might be able to recover the info. How important is it?
Trusted Contributor
Posts: 103
Registered: ‎11-19-2004
Message 7 of 15 (397 Views)

Re: last returns no login info

It would be nice to be able to recover the information. I have nulled it but not before making a backup.
Trusted Contributor
Posts: 103
Registered: ‎11-19-2004
Message 8 of 15 (397 Views)

Re: last returns no login info

I've just checked and the new file seems to have gone corrupt since I nulled it yesterday. I've attached a copy of the file in case anyone wants to take a look.
Acclaimed Contributor
Posts: 25,538
Registered: ‎03-06-2006
Message 9 of 15 (397 Views)

Re: last returns no login info

>I've attached a copy of the file

This is a binary file. How did you attach it?
Using xd(1) I see \r \n as if the file was sent to Windows as a text file, inserting CR before LF.
Acclaimed Contributor
Posts: 25,538
Registered: ‎03-06-2006
Message 10 of 15 (397 Views)

Re: last returns no login info

You neglected to mention your HP-UX version. It seems you are on 11.11 and you attached /var/adm/wtmp?
Trusted Contributor
Posts: 103
Registered: ‎11-19-2004
Message 11 of 15 (397 Views)

Re: last returns no login info

Here's another copy of wtmp - this time I made sure I transferred in binary.

Our HPUX is 11.11
Acclaimed Contributor
Posts: 25,538
Registered: ‎03-06-2006
Message 12 of 15 (397 Views)

Re: last returns no login info

>Here's another copy of wtmp - this time I made sure I transferred in binary.

Much better. It appears there is an initial newline that needs to be removed:
$ dd if=366905.null of=wtmp.fix bs=1 count=908220 skip=1

(Unfortunately this bs=1 makes dd(1) very slow.)

This wtmp.fix seems to give good Jan 18 timestamps.
Trusted Contributor
Posts: 103
Registered: ‎11-19-2004
Message 13 of 15 (397 Views)

Re: last returns no login info

Thanks all for your help. The dd has fixed it and also helped me locate the problem. A previous administrator had been incorrectly truncating the file using a script called by cron.
Acclaimed Contributor
Posts: 25,538
Registered: ‎03-06-2006
Message 14 of 15 (397 Views)

Re: last returns no login info

>incorrectly truncating the file

echo > /var/adm/wtmp
vs:
> /var/adm/wtmp # ?
Trusted Contributor
Posts: 103
Registered: ‎11-19-2004
Message 15 of 15 (397 Views)

Re: last returns no login info

echo "" > /var/adm/wtmp. Puts a line feed character that last doesn't recognize.
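
The failure found in this thread (a stray line feed at the start of wtmp, left by `echo > /var/adm/wtmp`) can be checked for and repaired with a short script. This is an added example, not code from any poster in the thread; the function names are hypothetical, and the 60-byte record size is an assumption based on the dd byte count above being a multiple of 60, so confirm it against your system's utmp.h.

```shell
#!/bin/sh
# Added example. RECSIZE is an assumption: 908220 (the byte count in the dd
# command in the thread) divides evenly by 60; confirm against <utmp.h>.
RECSIZE=${RECSIZE:-60}

# Print one of: empty | aligned | leading-newline | misaligned
wtmp_state() {
    f=$1
    size=$(wc -c < "$f" | tr -d ' ')
    if [ "$size" -eq 0 ]; then echo empty; return 0; fi
    # Hex value of the first byte of the file.
    first=$(dd if="$f" bs=1 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    rem=$((size % RECSIZE))
    if [ "$first" = "0a" ] && [ "$rem" -eq 1 ]; then
        # One extra byte and it is a line feed: the "echo >" truncation.
        echo leading-newline
    elif [ "$rem" -eq 0 ]; then
        echo aligned
    else
        echo misaligned
    fi
}

# Copy $1 to $2 without the stray first byte. tail -c +2 starts output at
# byte 2 and avoids the one-byte-at-a-time reads of dd bs=1.
wtmp_strip_newline() {
    [ "$(wtmp_state "$1")" = "leading-newline" ] || return 1
    tail -c +2 "$1" > "$2"
}

# Constructed demo: two zero-filled records behind a stray line feed.
demo=$(mktemp)
{ printf '\n'; dd if=/dev/zero bs="$RECSIZE" count=2 2>/dev/null; } > "$demo"
wtmp_state "$demo"
rm -f "$demo"
```

Run the check against a copy of the file rather than the live /var/adm/wtmp, and treat a `misaligned` result as a reason to compare against the previous night's backup.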