Full Discussion: WTMPX File corrupted
Operating Systems Solaris WTMPX File corrupted Post 302592503 by sebofo on Tuesday 24th of January 2012 04:54:58 AM
Corrupt wtmpx fixing

In my experience, a corrupt wtmpx (or wtmp) file is usually due to a write to the file being interrupted in the middle of writing a record. This means that log entries after this event will be shifted a number of bytes which are not a whole record.
The file has fixed-length records. When reading the file from start, and the file is corrupted, there is somewhere a record which is shorter than the record length, and the reading program gets out of synch with the records.
So the way to fix the file is to find and remove the incomplete record. This can be done in a binary-capable editor such as Emacs (I have used that), where you look for recurring patterns to find the start of records, and when you find the short record you remove that and save the file. Formatting it with fwtmp will aid you in finding the number of records you need to pass before reaching the faulty record.
Possibly a simpler method would be to use dd in intelligent ways to first read the uncorrupted part of the file and then skip an offset of a number of bytes until you get output which can be formatted correctly by fwtmp.
What I am getting at is that you don't have to throw away the last part of the file, the information can be recovered by using my method.

Last edited by sebofo; 01-24-2012 at 05:56 AM.. Reason: Added info
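
The resynchronisation described in the post above, as an added Python example that is not part of the original thread: walk the file in fixed-length steps, and when a record stops looking valid, find the shortest byte skip after which several consecutive records line up again, then drop only that fragment. The 24-byte record layout, the time window and the names `plausible`, `repair` and `sample` are assumptions made for illustration; the real record size and fields come from the system's utmpx.h.

```python
import struct

# Constructed 24-byte layout, for illustration only. The real on-disk wtmpx
# record is larger: take the size and fields from the system's <utmpx.h>.
FMT = ">8s8shxxI"            # user, line, type, 2 pad bytes, time in seconds
REC = struct.calcsize(FMT)   # 24
T_MIN, T_MAX = 946684800, 1500000000   # assumed plausible login-time window

def _name_ok(field):
    """Printable ASCII followed only by NUL padding."""
    text = field.rstrip(b"\0")
    return all(0x20 <= c < 0x7F for c in text)

def plausible(buf, off):
    """True if the REC bytes at off look like one whole record."""
    if off + REC > len(buf):
        return False
    user, line, typ, when = struct.unpack_from(FMT, buf, off)
    return (_name_ok(user) and _name_ok(line)
            and 0 <= typ <= 10 and T_MIN <= when <= T_MAX)

def repair(buf, confirm=3):
    """Return (clean_bytes, removed), removed = [(offset, length), ...]."""
    out, removed, off = bytearray(), [], 0
    while off + REC <= len(buf):
        if plausible(buf, off):
            out += buf[off:off + REC]
            off += REC
            continue
        # Out of sync: take the shortest skip after which `confirm`
        # consecutive records line up again.
        for skip in range(1, REC):
            if all(plausible(buf, off + skip + i * REC) for i in range(confirm)):
                removed.append((off, skip))
                off += skip
                break
        else:                                   # no resync point found
            removed.append((off, len(buf) - off))
            off = len(buf)
    if off < len(buf):                          # trailing partial record
        removed.append((off, len(buf) - off))
    return bytes(out), removed

def sample():
    """Constructed input: 2 records, a 10-byte fragment, 4 more records."""
    rec = lambda u, l, t: struct.pack(FMT, u, l, 7, t)
    head = [rec(b"root", b"pts/1", 1327000000 + i) for i in range(2)]
    tail = [rec(b"alice", b"pts/2", 1327000200 + i) for i in range(4)]
    frag = rec(b"bob", b"pts/9", 1327000100)[:10]
    return b"".join(head) + frag + b"".join(tail), b"".join(head + tail)
```

Run it on a copy of the file and compare the fwtmp output before and after. A fragment that happens to pass the field checks would go unnoticed, so tighten `plausible` to the real record layout.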
 

fwtmp(8)                System Manager's Manual                fwtmp(8)

NAME
    fwtmp, acctwtmp, wtmpfix - Modify connect time accounting records to change formats and to make corrections in the records

SYNOPSIS
    fwtmp [-ic]
    acctwtmp 'Reason'
    wtmpfix [File . . .]

FLAGS
    The fwtmp command accepts ASCII records in the type utmp structure format as input.
    The fwtmp command converts output to type utmp structure formatted binary records.
    The fwtmp command converts ASCII type utmp structure formatted input records to binary output records.

DESCRIPTION
  fwtmp [-ic]
    The fwtmp command reads records from standard input and writes records to standard output. Normally, information in record fields of the /var/adm/wtmp file is entered as binary data by the init and login programs during the life of the /var/adm/wtmp file. These /var/adm/wtmp file records have nine fields formatted according to members of a type utmp structure defined in the utmp.h include file. The fwtmp command is also capable of writing properly formatted ASCII records from standard input into a file when you use the -i flag.

    Whenever you enter properly formatted ASCII records for conversion to binary records using the -i flag from the standard input device, you must enter data for each field of the 9-field record in the same order as that of type utmp structure members using a space as a field separator. The following table lists record fields in the order they should be entered, the type utmp structure member name, and the purpose and entry character length.

        The user login name, which must have exactly sizeof(ut_user) characters.
        The inittab ID, which must have exactly sizeof(ut_id) characters.
        The device name, which must have exactly sizeof(ut_line) characters.
        The process ID, which must have 5 decimal places.
        The type of entry, which must have 2 decimal places. The type of entry may have any one of several symbolic constant values. The symbolic constants are defined in the utmp.h header file.
        The process termination status, which must have 4 decimal places.
        The process exit status, which must have 4 decimal places.
        The starting time, which must have 10 decimal places.
        The hostname, which must have exactly sizeof(ut_host) characters.

    All record field entries you make from standard input must be separated by a space. Also you must fill all string fields with blank characters up to the maximum string size. All decimal values must have the specified number of decimal places with preceding 0s (zeros) to fill empty digit positions. The actual size of character arrays can be found in the utmp.h include file.

  acctwtmp 'Reason'
    The acctwtmp command is called by the runacct shell procedure to write a utmp formatted record to standard output with the current date and time together with a 'Reason' string (sizeof(ut_line) characters or less) that you must also enter.

  wtmpfix [File ...]
    The wtmpfix command is called by the runacct shell procedure to examine standard input or File records in the wtmp format for corrupted date and timestamp entries. Whenever a corrupted entry is detected, the wtmpfix command corrects date and timestamp inconsistencies and writes corrected records to standard output. Whenever the acctcon1 command runs, and a date and timestamp in a /var/adm/wtmp file is incorrect, an error is generated when the first corrupted entry is encountered. The acctcon1 process is aborted whenever such an error is detected.

    The wtmpfix command also checks the validity of the name field to ensure that the name consists only of alphanumeric characters, a $ (dollar sign), or spaces. Whenever an invalid name is detected, the wtmpfix command changes the login name to INVALID and writes a diagnostic message to standard error. In this way, the wtmpfix command reduces the likelihood that the acctcon2 command may fail.

    Each time a date is entered (on system startup or with the date command) a pair of date-change records is written to the /var/adm/wtmp file. The first date-change record is the old date, which is entered with the string old time (the OTIME_MSG string) in the ut_line field and the flag OLD_TIME in the ut_type field. The second record is the new date, which is entered with the string new time (the NTIME_MSG string) in the ut_line field and the flag NEW_TIME in the ut_type field. The wtmpfix command uses these records to synchronize all date and time stamps in the /var/adm/wtmp file. The date-change record pair is then removed.

RESTRICTIONS
    You should not use the fwtmp command to correct connect-time accounting records because the utmp structure format members are not in the correct order for this operation.

EXAMPLES
    To convert binary /var/adm/wtmp records in type utmp structure format to an ASCII file called dummy.file, enter a command similar to the following:

        /usr/sbin/acct/fwtmp < /var/adm/wtmp > dummy.file

    The content of binary file /var/adm/wtmp as input is redirected to dummy.file as ASCII output.

    To convert records in an ASCII type utmp structure formatted file to a binary output file called /var/adm/wtmp, enter an fwtmp command with the -ic flag similar to the following:

        /usr/sbin/acct/fwtmp -ic < dummy.file > /var/adm/wtmp

    The content of ASCII file dummy.file as input is redirected to binary file /var/adm/wtmp as output.

FILES
    Specifies the command path.
    Specifies the command path.
    Specifies the command path.
    Header file defining structures used to organize login information.
    Database file for currently logged in users.
    Login/logout database file.

RELATED INFORMATION
    Commands: acct(8), acctcon(8), acctmerg(8), date(1), runacct(8)
    Functions: acct(2)