Solaris

Dear Solaris Experts,

The file /var/adm/utmpx is steadily growing on our standbye Sun Sparc T5220 Solaris 10 server. I have tried everything such as the following steps without success:

Code:

 
root@rainbow # uname -a
SunOS rainbow 5.10 Generic_141444-09 sun4v sparc SUNW,SPARC-Enterprise-T5220
root@rainbow # cd /var/adm
root@rainbow # cp /dev/null utmpx     # but size stays the same and growing
root@rainbow # cp /dev/null wtmpx     # file size briefly came back to zero                                               # before recovering
root@rainbow # ls -lt /var/adm | more
-rw-r--r--   1 root     root       24180 Apr 12 15:23 wtmpx
-rw-r--r--   1 root     root     364035476 Apr 12 15:23 utmpx
root@rainbow # /cat /etc/default/utmp
SCAN_PERIOD=300
root@rainbow # svcs utmp
STATE          STIME    FMRI
online         15:22:20 svc:/system/utmp:default
root@rainbow # svcadm disable utmpd
root@rainbow # svcs utmp
STATE          STIME    FMRI
disabled       15:59:44 svc:/system/utmp:default

In short, I am not able to turn off, or reduce the amount of auditing / login data
it is rapidly collecting. In fact, I can no longer log back on to it with the
following message after successful login using a non-root user from a general
multi-user mode telnet session:
login: george
Password:
No utmpx entry. You must exec "login" from the lowest level "shell".
<Your 'TELNET' connection has terminated>

Fortunately, it was possible to get back into this server in single-user maintenance mode as root on the Console. The only way to re-instate multi-user mode access is by rebooting this server but still not reduce the amount of auditing / login which will eventually fill up /var.

The strange thing is that our production (equivalent hardware) accessed extensive with the same SCAN_PERIOD is not experiencing this issue. I am not sure whether the standbye rainbow server has been split up to multiple zones has anything to do with it. ie rainbow being the global zone.
Your assistance would be much appreciated.
Thanks in advance,
George

How are you getting console? Through the ILOM?
What is the results of running these commands: df -h and du -sh *

Here are some links that might help you out.
Chapter 28 Solaris Auditing (Overview) (System Administration Guide: Security Services)
Less known Solaris features: Auditing - c0t0d0s0.org

I hope this helps.

Dear bitlord,

Thank you for your valuable response. I am still digesting these material.

Yes, I got in through ILOM and was able to restore login access after having rebooted this server. Also found that by removing /var/adm/utmpx instead of cp /dev/null the same file has kept it size down to minimal and hence able to logon to it much quicker.

There were no disk space shortages on the server.

Cheers,

George