Thanks to:

Steve Mickeler
Chintu
Casper Dik
Scott Davis

Basically the wtmpx file got corrupted. Renaming the file and creating a new one is the easiest solution.

How did it get corrupted? Probably at some point /var filled up and an incomplete entry was written to wtmpx.

Thanks,
Doug

-----

from Casper Dik:

An overflow of /var which causes wtmpx to be truncated on a size that is not a multiple of sizeof(wtmpx); the new records are added but last can't find them.

Casper

-----

from Scott Davis:

On a SPARC / Solaris 2.5.1 system I had a similar problem. This email that I sent to my colleagues explains what I found and how I fixed it. I hope it's helpful to you.

Scott Davis

* * * * * * *

Has anyone issued the command 'last' on <hostname> and been surprised to see a history ending Oct 26, claiming that <username> is still logged in since Oct 25 (2000)?

I looked into it and this is what I found. Four files in /var/adm are used to keep track of user activity:

    utmp  - current activity (short form, 36 bytes/record)
    wtmp  - history (short form, 36 bytes/record)
    utmpx - current activity (extended form, 372 bytes/record)
    wtmpx - history (extended form, 372 bytes/record)

Looking at the file sizes, I saw that wtmp was an even multiple of 36 bytes, but that wtmpx was 48 bytes shy of the same multiple of 372 bytes.

I wrote a tiny ad hoc program to read wtmpx and print each entry with a line number. After line 14203, it printed garbage. So I fired up emacs on a copy of wtmpx, skipped ahead 14203 * 372 characters, and deleted 324 characters -- an incomplete entry for something called "sac". Now 'last' can read the whole file and give an up-to-date history. I saved the corrupted file as /var/adm/bad_wtmpx.

This doesn't explain how the file got corrupted -- but the very next entry after the incomplete one is for "shutdown". Maybe somebody ran a job that filled up /var/tmp just as /var/adm/utmpx was being updated, and noticed that the system was wedged and rebooted it. Plausible?

> -----Original Message-----
> From: Granzow, Doug (NCI)
> Sent: Friday, March 01, 2002 11:49 AM
> To: 'sunmanagers@sunmanagers.org'
> Subject: last gives wrong output
>
> I have a Solaris 8 SPARC system which is displaying outdated info when I do
> a "last".
>
> [ users and hosts sanitized ]
>
> bash-2.03# last -10
> root      pts/1  12-34-567-89.mc.  Sun Dec 2 20:49 - 21:01 (00:12)
> root      pts/1  12-34-567-89.mc.  Sun Dec 2 11:33 - 14:56 (03:22)
> root      pts/2  hostname.nci.nih  Thu Nov 29 15:20 - 15:27 (00:07)
> root      pts/1  hostnam.nci.nih.  Thu Nov 29 14:14 - 16:19 (02:05)
> username  pts/1  hostn.nci.nih.go  Thu Nov 29 12:55 - 12:55 (00:00)
> username  pts/1  hostn.nci.nih.go  Thu Nov 29 12:54 - 12:54 (00:00)
> root      pts/1  hostnam.nci.nih.  Wed Nov 28 14:30 - 15:38 (01:08)
> root      pts/1  hostnam.nci.nih.  Wed Nov 28 14:19 - 14:22 (00:02)
> root      pts/1  hostname.nci.nih  Tue Nov 27 13:25 - 16:32 (03:07)
> root      pts/1  hostname.nci.nih  Tue Nov 27 13:24 - 13:24 (00:00)
> bash-2.03# date
> Fri Mar 1 11:45:28 EST 2002
> bash-2.03# ls -l /var/adm/wt*
> -rw-r--r-- 1 root other 55728 Mar 1 11:37 /var/adm/wtmp
> -rw-r--r-- 1 adm adm 939800 Mar 1 11:40 /var/adm/wtmpx
>
> wtmp and wtmpx have current timestamps and are growing, but "last" output is
> from last year. Any ideas what might be causing this?
> _______________________________________________
> sunmanagers mailing list
> sunmanagers@sunmanagers.org
> http://www.sunmanagers.org/mailman/listinfo/sunmanagers

Received on Fri Mar 1 12:07:16 2002
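
Added example, not part of the original thread and not Scott Davis's ad hoc program: one way to locate a single partial wtmpx record and produce a copy without it, generalising the by-hand fix described above to any fragment length. The 372-byte record size is from the post; the big-endian field offsets (ut_type at byte 72, ut_tv at byte 80), the 0..10 type range and all function names are assumptions, and `make_record` only builds constructed sample data.

```python
import struct

RECSIZE = 372  # wtmpx record size quoted in the post
# Assumed big-endian (SPARC) layout, not stated in the post:
# ut_type = int16 at byte 72, ut_tv = two int32 (sec, usec) at byte 80.
TYPE_OFF, TV_OFF, MAX_TYPE = 72, 80, 10

def plausible(rec):
    """Cheap sanity test for one 372-byte slot."""
    (ut_type,) = struct.unpack_from(">h", rec, TYPE_OFF)
    sec, usec = struct.unpack_from(">ii", rec, TV_OFF)
    return 0 <= ut_type <= MAX_TYPE and sec > 0 and 0 <= usec < 1_000_000

def find_fragment(data):
    """Return (offset, length) of the one partial record, or None if aligned.

    Raises ValueError if a record before the fragment also fails the test.
    """
    frag = len(data) % RECSIZE
    if frag == 0:
        return None
    # Records appended after the fragment are aligned to the END of the
    # file, so walk backwards while the slots still look like records.
    start = len(data)
    while start - RECSIZE >= frag and plausible(data[start - RECSIZE:start]):
        start -= RECSIZE
    offset = start - frag  # the fragment sits just before the good tail
    # Everything before the fragment is aligned to the START of the file.
    for pos in range(0, offset, RECSIZE):
        if not plausible(data[pos:pos + RECSIZE]):
            raise ValueError("record at byte %d is also damaged" % pos)
    return offset, frag

def without_fragment(data):
    """Return a copy of the data with the partial record cut out."""
    found = find_fragment(data)
    if found is None:
        return data
    offset, frag = found
    return data[:offset] + data[offset + frag:]

def make_record(user, sec, ut_type=7):
    """Build a constructed sample record (test data only)."""
    rec = bytearray(RECSIZE)
    rec[0:len(user)] = user
    struct.pack_into(">h", rec, TYPE_OFF, ut_type)
    struct.pack_into(">ii", rec, TV_OFF, sec, 0)
    return bytes(rec)
```

Run it against a copy of the file and keep the damaged original, as the post does with /var/adm/bad_wtmpx.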