If you want to try to preserve previous bad login attempts, you will need to make use of the
'fwtmp' command:
# /usr/sbin/acct/fwtmp < /var/adm/wtmp > /tmp/wtmp.tmp
# vi /tmp/wtmp.tmp # Clean up records
# /usr/bin/acct/fwtmp -ic < /tmp/wtmp.tmp > /var/adm/wtmp
# rm /tmp/wtmp.tmp
etc.
But I still have a problem with the (last) command, which reads successful commands from /var/adm/wtmps???
I am trying to use the commands last and lastb to check on successful and unsuccessful logins,
and I got the following result:
#last -R 10
Invalid record size. Unable to continue ...
and
lastb -R 10
http://h30499.www3.hp.com/t5/System-Administration/last-command-amp-wtmps/td-p/4615210
In this post Robert Jan came up with a solution, but I would like to understand the contents of the
files, like the output of:
/usr/sbin/acct/fwtmp < /var/adm/wtmp > /tmp/wtmp.tmp
You should be looking a wtmps, not wtmp. And you may need to use -X.
I did use -X, but I had successful output when using lastb -X and I had the same error when
using last -X, which was:
last -X
Invalid record size. Unable to continue ...
You can find a description of the contents of the wtmp and wtmps files in the system man pages:
please run "man 4 wtmp" and "man 4 wtmps", respectively.
The output of the fwtmp/fwtmps commands should normally be similar to the actual wtmp/wtmps
file structure, but with all the binary fields translated into human-readable ASCII.
However, the error message "invalid record size" from the "last" command and the confused-looking
contents of your wtmps.tmp file (Dates for year 1970?? Loopback IP addresses like
127.255.214.224???) suggest that your wtmps file was corrupted at some point. The corruption
would cause the fwtmps tool to go out of sync with the entries and misinterpret them.
If you want to extract meaningful information from the file, you may have to find the corrupted
entry/entries in your original binary wtmps file and remove them (probably with some hex editor)
and then re-run the file through the fwtmps command.
If the wtmps file is large, finding and recognizing the corrupted entries may be a difficult and
tedious job.
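A programmatic version of the "find the corrupted entries and resynchronise" step, added here as an example and not part of any post in this thread. The 32-byte record layout, the field names, the type/timestamp plausibility rules and the sample bytes are constructed stand-ins, not the real HP-UX struct utmps (see "man 4 wtmps" for that); the technique is the same for any fixed-size-record binary log. It also shows why pulling records from the end of the file works even when the middle is damaged.

```python
"""Scan a fixed-size-record binary log (the shape of wtmp/wtmps) for
corruption, resynchronise past it, and pull records from the end.
Added example: the 32-byte record layout is a constructed stand-in, not
the HP-UX struct utmps layout (check `man 4 wtmps` for the real one)."""
import calendar
import struct

# Hypothetical record: type, pid, line, time, host (assumed layout).
REC_FMT = "<HI8sI14s"
REC_SIZE = struct.calcsize(REC_FMT)   # 32 bytes
VALID_TYPES = range(1, 9)
# Plausibility window for the timestamp; the 1970 dates in the thread are
# what a reader prints when it is out of sync and decodes zeros here.
T_MIN = calendar.timegm((1990, 1, 1, 0, 0, 0))
T_MAX = calendar.timegm((2038, 1, 1, 0, 0, 0))


def _field(raw):
    """NUL-terminated printable ASCII with all-NUL padding, else None."""
    text, _, pad = raw.partition(b"\0")
    if pad.strip(b"\0") or any(c < 0x20 or c > 0x7E for c in text):
        return None
    return text.decode("ascii")


def parse_record(buf, off):
    """Return a dict if buf[off:off+REC_SIZE] looks like a sane record."""
    if off < 0 or off + REC_SIZE > len(buf):
        return None
    typ, pid, line, ts, host = struct.unpack_from(REC_FMT, buf, off)
    line_s, host_s = _field(line), _field(host)
    if typ not in VALID_TYPES or line_s is None or host_s is None:
        return None
    if pid > 0x7FFFFFFF or not T_MIN <= ts <= T_MAX:
        return None
    return {"type": typ, "pid": pid, "line": line_s, "time": ts, "host": host_s}


def scan(buf):
    """Walk the file; at a bad record slide one byte at a time until a sane
    record appears again.  Returns (records, bad_spans) where each bad span
    is the (start, end) offset range that no valid record covers."""
    recs, bad, off = [], [], 0
    while off + REC_SIZE <= len(buf):
        rec = parse_record(buf, off)
        if rec is not None:
            recs.append(rec)
            off += REC_SIZE
            continue
        start = off
        while off + REC_SIZE <= len(buf) and parse_record(buf, off) is None:
            off += 1
        bad.append((start, off))
    if off < len(buf):                       # trailing partial record
        if bad and bad[-1][1] == off:
            bad[-1] = (bad[-1][0], len(buf))
        else:
            bad.append((off, len(buf)))
    return recs, bad


def tail_records(buf, n):
    """The dd-from-the-end trick from the thread: records appended after the
    damage are aligned to EOF, so slice the last n*REC_SIZE bytes and parse
    at a fixed stride.  Records that predate the damage will not line up."""
    start = max(0, len(buf) - n * REC_SIZE)
    recs = []
    for off in range(start, len(buf) - REC_SIZE + 1, REC_SIZE):
        rec = parse_record(buf, off)
        if rec is not None:
            recs.append(rec)
    return recs


def make_record(typ, pid, line, ts, host):
    return struct.pack(REC_FMT, typ, pid, line.encode(), ts, host.encode())


def build_sample():
    """Constructed file: three good records, five junk bytes (a torn write),
    then three more good records appended normally afterwards."""
    t0 = 825438515        # the Feb 27 1996 timestamp quoted in the thread
    good = [make_record(7, 1000 + i, f"pts/{i}", t0 + 60 * i, f"host{i}")
            for i in range(6)]
    return b"".join(good[:3]) + b"\xff\x00\x13\x37\xa5" + b"".join(good[3:])


if __name__ == "__main__":
    data = build_sample()
    print("size mod record:", len(data) % REC_SIZE)   # 5: not whole records
    recs, bad = scan(data)
    print(f"{len(recs)} records recovered, bad spans {bad}")
    print("last 2 by EOF alignment:", [r["pid"] for r in tail_records(data, 2)])
    print("last 6 by EOF alignment:", [r["pid"] for r in tail_records(data, 6)])
```

On the sample, scan() recovers all six records and reports the five junk bytes as the single bad span, which is the offset range you would then cut out with a hex editor (or dd) before re-running fwtmps. tail_records() finds the last two records cleanly but, asked for six, silently drops the three that lie before the damage because the file length is no longer a multiple of the record size, so EOF-aligned strides no longer hit their boundaries. The byte-sliding resync is a heuristic: if it locks onto a misaligned offset on a real file, tighten parse_record (for example, require timestamps to be non-decreasing from the previous record) rather than loosening it.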
The error won't go away since the file has been corrupted. You could use tusc to see how much of
the file is bad.
>Now when using: /usr/sbin/acct/fwtmps < /var/adm/wtmps > /tmp/wtmps.tmp
>the contents of wtmps.tmp are:
13135 0 0000 63164 825438515 Feb 27 18:28:35 1996 127.255.214.224 5
If you use tusc on last(1), you'll see this pattern before it aborts:
[11273] open("/var/adm/wtmps", O_RDONLY, 0) .............. = 4
...
The file is binary, there are no lines. You'll need to use dd(1) to copy from the end:
#!/usr/bin/ksh
# Dump out last 20 records of wtmps file
WTMP=/var/adm/wtmps
typeset -i wtmpsize=$(ll $WTMP | awk '{print $5 }')   # file size in bytes
typeset -i wtmprecord=$((648+4))                      # bytes per wtmps record
typeset -i wtmpdump=$((wtmprecord * 20))              # bytes covering 20 records
echo "$wtmprecord: $((wtmpdump))"
# Copy the last 20 records, counted back from EOF, and decode them with fwtmps
dd if=$WTMP bs=1 skip=$((wtmpsize - wtmpdump)) 2>/dev/null | /usr/sbin/acct/fwtmps