UNIX for Dummies Questions & Answers

I have 2 boxes running HP-UX B.11.23 U ia64, one production, one development.

I just found out that "last" is not working on the production machine. After some investigation, I find that the /var/adm/wtmps file has been allowed to grow and then has not been touched since Dec 2007. /var/adm/wtmp shows a recent date but no history.
Production:

Code:

-rw-------   1 root       other            0 Apr 21 14:12 btmp
-rw-------   1 root       other      1053726540 Apr 22 10:23 btmps
-rw-rw-r--   1 adm        adm            240 Apr 22 09:11 wtmp
-rw-rw-r--   1 adm        adm        2147483647 Dec 12  2007 wtmps
-rw-r--r--   1 root       sys            280 Feb  8 01:39 wtmpx

Everything works fine on the development machine.
Development:

Code:

-rw-------   1 root       other         6660 Apr 21 16:57 btmp
-rw-------   1 root       other      1476128 Apr 21 16:57 btmps
-rw-rw-r--   1 adm        adm         120960 Apr 21 16:59 wtmp
-rw-rw-r--   1 adm        adm        196278732 Apr 22 10:00 wtmps
-rw-r--r--   1 root       sys            280 Apr  7 18:06 wtmpx

I'm assuming all I need to do in production is cat /dev/null > /var/adm/wtmps to fix this. Is that correct?

But I'm more concerned going forward. Evidently, I need to set up some sort of archive and clean up process for this file.

I've looked around here but have some questions I couldn't find answers to.

1) what is the difference between /var/adm/wtmp and var/adm/wtmps?
2) what is the best way to copy off this log? Can I still use the command last on a copy?
3) I'm trying some commands on the development box and am getting bad results. If I use the command last, it works fine. If I try to use the command last with the -f switch I get the error: pid exceeds MAXPID: wtmp file corrupted.
4) Whatever the answers are for wtmps is the same true for btmps?

1) man 4 wtmps
2) To copy the wtmps or btmps, just use ordinary "cp -p" to a new filename. Then null as you describe.
You can use "last -f" or "lastb -f" respectively on an uncorrupted copy.
3) Your wtmps file on the production server is perilously close to 2Gb and may already be corrupted. The timestamp suggests that it broke in December.
See "man wtmpfix", but beware that the text version of wtmps files is bigger than the original and it may be better to filter repair data by date.
4) Use program "last" on a wtmps file and program "lastb" on a btmps file. Otherwise all comments apply to both.


Footnotes:
Your "btmps" file on the production server is remarkably large. Well worth analyzing with btmp to find out why there are so many failed logins. last time I saw this it was a frequent cron for an expired account!

We archive these files weekly and keep a few weeks for analysis.

It seems I never responded here.

Thank you.