wtmpx question

reinstalled

IS-IT--Management
Feb 18, 2003
178
Hi all,

Is there a way to selectively stop writing of certain events (ftp in this case) to wtmpx?

If not, is the recommendation to zero out the file at intervals using a cron job or truncating it?
Or should I stop accounting altogether?

Thanks
 
Do you have a SunSolve online account?
Please refer to Document Audience: SPECTRUM
Document ID: 10516
Title: WTMP/WTMPX: how to truncate wtmp and wtmpx
Update Date: Fri Apr 19 00:00:00 MDT 2002
Products: Solaris

Best Regards, Franz
--
Solaris System Manager from Munich, Germany
I used to work for Sun Microsystems Support (EMEA) for 5 years in the domain of the OS, Backup and Storage
 
I don't have an on-line account as now Sunsolve wants
only paying members with a service plan. All my clients have service plans, not us.

But on to truncating: if I do truncate, what shall I do with the truncated file?
 
If you try the quick & dirty method (rm/zero out the file), nothing will go there until the next reboot.
 
Thanks for the info,

This is zeroing out the file and I can do that if we
decide that's the right thing to do.

So, if I can't selectively exclude FTP entries from
being written then I guess it's a choice between
truncating and zeroing out the file.
Question, what exactly will I NOT be able to see if I zero it out?
 
The file wtmpx contains the history of user access and administrative information.

The last command looks in the /var/adm/wtmpx file, which
records all logins and logouts, for information about a
user, a terminal, or any group of users and terminals.

So the last command will be useless for a start.
 
That's what I thought.

So truncating may be the answer but I still need suggestions as to what to do with the truncated file?

Thanks
 
You don't want to remove it with 'rm'.

Do:
Code:
cat /dev/null /var/adm/wtmp
cat /dev/null /var/adm/wtmpx

or use perl to truncate:
Code:
#!/bin/perl
truncate("/var/adm/wtmp",100);
truncate("/var/adm/wtmpx",100);
where 100 is the byte count, or zero to empty it completely.
 
To shorten the files only partially, use the dd command with the skip
and ibs arguments to tell dd how many records to skip, and how long each
record is, respectively. The ibs argument should be set to 36 for wtmp,
and 372 for wtmpx. Skip can be any number, but should be the same for
both files.

Note: The last command shows ABOUT half of the wtmpx entries
in its output, as two entries are often on 1 line of
the output, and some entries are not shown.


The script below will automatically shorten the files, so there is no
need to use dd directly.

Note: Given an argument of 0, this script will also empty the
file, if so desired.

DISCLAIMER: This script should be run at your own risk. This script is not
supported by Sun Microsystems, Inc.


---------------------------------------------------------------
#!/bin/sh
#
# wtmp.truncate (/usr/adm/wtmp.truncate) -
# truncate old records off of wtmp and wtmpx
#
#
# This script was written by David Lindes, lindes@netcom.com
# (c) Copyright 1994 by David Lindes.
#
# Permission to copy this script as wanted/needed is granted,
# provided that it is distributed in its ENTIRETY, including
# this copyright notice and disclaimer, all comments, and the
# complete script. Modifications may be made to the default
# values of the TMPDIR, WDIR, KEEP and FILES variables, but any
# other modifications will be considered a violation of the
# copyright agreement.
#
# No distribution of this script should be for any monetary or
# compensatory charge without prior written consent of the
# author.
#
# The default values given were written for the Solaris 2.3
# (SunOS 5.3) operating system, and should be verified before
# use on any other operating system.
#
# NO GUARANTEE IS GRANTED AS TO THE BEHAVIOR OF THIS SCRIPT, AND
# NO WARRANTY SHALL BE ISSUED, IMPLIED OR OTHERWISE, BY THE AUTHOR,
# BY SUN MICROSYSTEMS, OR BY ANY OTHER INDIVIDUAL OR COMPANY.
#
# USE THIS SCRIPT AT YOUR OWN RISK!!!!
#
# (Though comments for improvement are welcome at the above
# e-mail address.)


# Diagnostics:
#   Arguments:
#     optional - number of records to keep
#                or, if negative, to skip.
#     default: 60 ($KEEP)
#
#   Exit codes:
#     0 - Successful completion
#     1 - No truncation needed with current $KEEP
#     2 - Error from cp detected
#     3 - Error from dd detected
#
#   Notes:
#     This script will make a backup of your files in $TMPDIR
#     unless there is no truncation to be made, or there is an
#     error and it bails out.

# Directory to store the temporary copies of the files:
# (originally /tmp)
TMPDIR=/tmp

# Directory where the real files are stored:
# (originally /var/adm)
WDIR=/var/adm

# List of files with record sizes, used for the for loop
# (originally "wtmp:36 wtmpx:372")
FILES="wtmp:36 wtmpx:372"

# Number of records to keep if not modified by argument:
# (originally 60, or $1 if argument given)
KEEP=${1:-60}


case "$KEEP" in
    -*)
        # set skip size for negative arguments
        SKIP=`echo $KEEP | cut -c2-`
        ;;
    +*)
        # accept explicit positives
        KEEP=`echo $KEEP | cut -c2-`
        unset SKIP
        ;;
    *)
        unset SKIP
        ;;
esac

# get the proper values, since $FILES is customizable.
# these lines get the first entry in $FILES
WTMPFILE=`echo $FILES | cut -d: -f1`
WTMPSIZE=`echo $FILES | sed 's/^[^:]*:\([^ ]*\).*$/\1/'`

FILESIZE=`ls -lL $WDIR/$WTMPFILE | awk '{print $5}'`
                    # obtain the filesize of wtmp
                    # for later calculations

NUMRECS=`expr $FILESIZE / $WTMPSIZE`    # Store the size of the
                                        # wtmp file, in records

SKIP=${SKIP:-`expr $NUMRECS - $KEEP`}
                    # number of records to skip, based on
                    # $KEEP vs. number of records in the
                    # wtmp file.

if [ $SKIP -le 0 ]
then
    exit 1          # nothing to truncate
fi

for PAIR in $FILES  # Pair of filename and block size
do
    FILE=`echo $PAIR | cut -d: -f1`     # extract filename
    IBS=`echo $PAIR | cut -d: -f2`      # extract record size
    cp $WDIR/$FILE $TMPDIR/$FILE        # copy original to tmp

    STATUS=$?
    case $STATUS in
        0)
            ;;
        *)
            echo "cp error #$STATUS, bailing out during $FILE." >&2
            exit 2
            ;;
    esac

    if [ $SKIP -ge $NUMRECS ]
    then
        > $WDIR/$FILE
    else
        dd if=$TMPDIR/$FILE of=$WDIR/$FILE ibs=$IBS skip=$SKIP 2> /dev/null
                    # do the truncation
    fi

    STATUS=$?
    case $STATUS in
        0)
            ;;
        *)
            echo "dd error #$STATUS, bailing out after $FILE." >&2
            exit 3
            ;;
    esac

done

exit 0


Best Regards, Franz
--
Solaris System Manager from Munich, Germany
I used to work for Sun Microsystems Support (EMEA) for 5 years in the domain of the OS, Backup and Storage
 
Wow, this has got way more complicated than I thought it would! By the way, kHz, is:

cat /dev/null /var/adm/wtmpx

the same as:

cat /dev/null > /var/adm/wtmpx

?
 
Yes, it is more complex than thought.

Best Regards, Franz
--
Solaris System Manager from Munich, Germany
I used to work for Sun Microsystems Support (EMEA) for 5 years in the domain of the OS, Backup and Storage
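
Added example, not part of any post in this thread and not Sun's or the script author's code: it contrasts `cat /dev/null FILE` with `cat /dev/null > FILE` and shows an archive-then-trim of the last N records with `dd`, checking that the inode survives. It runs only on a constructed scratch file; the function names are hypothetical and the 372-byte record size is the value quoted in the thread.

```shell
#!/bin/sh
# Added example: works on a constructed scratch file, never on /var/adm.
RECSZ=372   # wtmpx record size quoted in the thread; confirm for your release

# Create a constructed stand-in log at $1 holding $2 fixed-size records.
make_sample() { dd if=/dev/zero of="$1" bs="$RECSZ" count="$2" 2>/dev/null; }

size_of()  { wc -c < "$1" | tr -d ' '; }        # size in bytes
inode_of() { ls -i "$1" | awk '{print $1}'; }   # inode number

# Without a redirect, cat only copies FILE to stdout (discarded here);
# the file keeps its contents. Prints the resulting size.
cat_without_redirect() { cat /dev/null "$1" > /dev/null; size_of "$1"; }

# With the redirect, the shell opens FILE with truncation before cat runs,
# so the same inode is emptied in place. Prints the resulting size.
cat_with_redirect() { cat /dev/null > "$1"; size_of "$1"; }

# Archive FILE to ARCHIVE, then keep only the last KEEP records in place.
# Returns 1 = nothing to trim, 2 = archive copy failed,
#         3 = size is not a whole number of records, 4 = dd failed.
trim_keep_last() {
    file=$1; keep=$2; archive=$3
    bytes=$(size_of "$file")
    [ $(($bytes % $RECSZ)) -eq 0 ] || return 3
    skip=$(($bytes / $RECSZ - $keep))
    [ "$skip" -gt 0 ] || return 1
    cp -p "$file" "$archive" || return 2     # full history is preserved first
    # dd reopens the original with truncation, so its inode does not change
    dd if="$archive" of="$file" ibs="$RECSZ" skip="$skip" 2>/dev/null || return 4
}

# Stand-alone demo in a temporary directory.
demo() {
    d=$(mktemp -d) || return 1
    make_sample "$d/wtmpx" 100
    echo "before:            $(size_of "$d/wtmpx") bytes, inode $(inode_of "$d/wtmpx")"
    echo "cat, no redirect:  $(cat_without_redirect "$d/wtmpx") bytes"
    trim_keep_last "$d/wtmpx" 60 "$d/wtmpx.old"
    echo "kept 60 records:   $(size_of "$d/wtmpx") bytes, inode $(inode_of "$d/wtmpx")"
    echo "archive:           $(size_of "$d/wtmpx.old") bytes"
    echo "cat with redirect: $(cat_with_redirect "$d/wtmpx") bytes"
    rm -rf "$d"
}
demo
```

Records written to the live file between the `cp` and the `dd` are in neither the archive nor the trimmed file, so run a trim like this at a quiet time and move the archive somewhere that is retained for audit.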
 
Wow, this has gotten a bit complex.
I have what I need for what to do, are there any
"Best Practice" guidelines I should pay attention to?

Thanks for all your responses btw, it's been a big help!
 