joem@nos850.UUCP (Joe Muller) (03/12/91)
The title says it all. Anybody have any ideas as to why the file /etc/wtmp on our 9000/850 does not grow without bounds ? Typically it gets no larger then 200 bytes, but it still contains the most recent login information. As far as I know, there are no crons out there that are cutting it down to size. _____________________________________________________________________________ | Joseph Muller | "Science is easily explained by the | UUCP: ...!uunet!coplex!nos850!joem | laws of nature and physics. Magic; by | BITNET: JAMULL01@ULKYVX.BITNET | the infinite potential of the mind and | | the soul. Unix however, works in | Naval Ordinance Station, Lou. Ky. | strange and mysterious ways." -Me
milburn@me10.lbl.gov (John Milburn) (03/12/91)
In article <237@nos850.UUCP> joem@nos850.UUCP (Joe Muller) writes: > The title says it all. Anybody have any ideas as to why the file >/etc/wtmp on our 9000/850 does not grow without bounds ? Are you perhaps running accounting? runacct will clear the wtmp file when it runs. -jem -- John Milburn milburn@me10.lbl.gov (415) 486-6969 "Every now and then when your life gets complicated and the weasels start closing in, the only real cure is to load up on heinous chemicals and then drive like a bastard from Hollywood to Las Vegas." -Hunter S. Thompson
tml@tik.vtt.fi (Tor Lillqvist) (03/12/91)
In article <10823@dog.ee.lbl.gov> milburn@me10.lbl.gov (John Milburn) writes: In article <237@nos850.UUCP> joem@nos850.UUCP (Joe Muller) writes: > The title says it all. Anybody have any ideas as to why the file >/etc/wtmp on our 9000/850 does not grow without bounds ? Are you perhaps running accounting? runacct will clear the wtmp file when it runs. This (wtmp being emptied every night) was a pain to me, too, so I went in and edited /usr/lib/acct/runacct. The diff follows. I also cleaned up the obnoxious messages. BTW, why doesn't HP use the syslog facility for messages like these, even though they seem to have gone through the trouble of converting syslog to use FIFOs instead of UNIX domain sockets? (So that it will run even on systems without ARPA/Berkeley?) *** runacct.HP Mon Jan 21 23:51:45 1991 --- runacct Tue Jan 22 00:58:01 1991 *************** *** 1,4 **** ! # @(#) $Revision: 38.2 $ # "nitely accounting shell, should be run from cron (adm) at 4am" # "does process, connect, disk, and fee accounting" --- 1,4 ---- ! #!/bin/sh # @(#) $Revision: 38.2 $ # "nitely accounting shell, should be run from cron (adm) at 4am" # "does process, connect, disk, and fee accounting" *************** *** 13,20 **** _statefile=${_nite}/statefile _active=${_nite}/active _lastdate=${_nite}/lastdate ! _errormsg="\r\n\n************ ACCT ERRORS : see ${_active}${_date}********\r\n\n" _MIN_BLKS=500 cd ${_adm} # "make sure that 2 crons weren't started, or leftover problems" --- 13,21 ---- _statefile=${_nite}/statefile _active=${_nite}/active _lastdate=${_nite}/lastdate ! _errormsg="\r\n************ ACCT ERRORS : see ${_active}${_date}********\r\n" _MIN_BLKS=500 + _WTMP_MAX=1024000 cd ${_adm} # "make sure that 2 crons weren't started, or leftover problems" *************** *** 22,28 **** chmod 400 ${_nite}/lock1 ln ${_nite}/lock1 ${_nite}/lock if test $? -ne 0; then ! _lnkerr="\r\n\n*********** 2 CRONS or ACCT PROBLEMS***********\r\n\n\n" (date ; echo "$_lnkerr" ) >/dev/console echo "$_lnkerr" | mail adm root echo "ERROR: locks found, run aborted" >> ${_active} --- 23,29 ---- chmod 400 ${_nite}/lock1 ln ${_nite}/lock1 ${_nite}/lock if test $? -ne 0; then ! _lnkerr="\r\n*********** 2 CRONS or ACCT PROBLEMS***********\r\n" (date ; echo "$_lnkerr" ) >/dev/console echo "$_lnkerr" | mail adm root echo "ERROR: locks found, run aborted" >> ${_active} *************** *** 66,72 **** echo ${_date} > ${_lastdate} echo "SETUP" > ${_statefile} nulladm ${_active} - echo "\r\n\n\n\n\n********** SYSTEM ACCOUNTING STARTED `date` **********\r\n\n\n\n\n" > /dev/console ;; 1) --- 67,72 ---- *************** *** 73,79 **** # "runacct MMDD (date) will restart at current state" _date=$1 echo "restarting acctg for ${_date} at `cat ${_statefile}`" >> ${_active} ! echo "\r\n\n\n\n\n********** SYSTEM ACCOUNTING RESTARTED `date` **********\r\n\n\n\n\n" > /dev/console ;; 2) --- 73,79 ---- # "runacct MMDD (date) will restart at current state" _date=$1 echo "restarting acctg for ${_date} at `cat ${_statefile}`" >> ${_active} ! echo "\r\n********** SYSTEM ACCOUNTING RESTARTED `date` **********\r\n" > /dev/console ;; 2) *************** *** 82,88 **** echo "restarting acctg for ${_date} at $2" >> ${_active} echo "previous state was `cat ${_statefile}`" >> ${_active} echo "$2" > ${_statefile} ! echo "\r\n\n\n\n\n********** SYSTEM ACCOUNTING RESTARTED `date` **********\r\n\n\n\n\n" > /dev/console ;; *) (date; echo "${_errormsg}") > /dev/console --- 82,88 ---- echo "restarting acctg for ${_date} at $2" >> ${_active} echo "previous state was `cat ${_statefile}`" >> ${_active} echo "$2" > ${_statefile} ! echo "\r\n********** SYSTEM ACCOUNTING RESTARTED `date` **********\r\n" > /dev/console ;; *) (date; echo "${_errormsg}") > /dev/console *************** *** 143,152 **** mv ${_active} ${_active}${_date} exit 1 fi ! cp ${_wtmp} ${_nite}/wtmp.${_date} acctwtmp "runacct" >> ${_nite}/wtmp.${_date} ! nulladm ${_wtmp} ! echo "files setups complete" >> ${_active} echo "WTMPFIX" > ${_statefile} --- 143,166 ---- mv ${_active} ${_active}${_date} exit 1 fi ! if [ -f ${_nite}/wtmp.size ]; then ! _wtmp_size=`cat ${_nite}/wtmp.size` ! else ! _wtmp_size=0 ! fi ! _wtmp_now=`ls -l ${_wtmp} | awk '{ print $5 }'` ! if [ ${_wtmp_now} -lt ${_wtmp_size} ]; then ! _wtmp_size=0 ! fi ! _wtmp_size=`expr ${_wtmp_size} + 1` ! tail +${_wtmp_size}c ${_wtmp} > ${_nite}/wtmp.${_date} acctwtmp "runacct" >> ${_nite}/wtmp.${_date} ! if [ ${_wtmp_size} -gt ${_WTMP_MAX} ]; then ! /usr/local/etc/trimwtmp >tmpwtmp ! /bin/cat <tmpwtmp >${_wtmp} ! _wtmp_now=`ls -l ${_wtmp} | awk '{ print $5 }'` ! fi ! echo ${_wtmp_now} > ${_nite}/wtmp.size echo "files setups complete" >> ${_active} echo "WTMPFIX" > ${_statefile} *************** *** 333,339 **** rm -f nite/wtmp.${_date} nite/wtmperror${_date} nite/active${_date} mv nite/tmpwtmp nite/owtmp echo "system accounting completed at `date`" >> ${_active} - echo "********** SYSTEM ACCOUNTING COMPLETED `date` **********" > /dev/console echo "COMPLETE" > ${_statefile} exit 0 ;; --- 347,352 ---- And here is the /usr/local/etc/trimwtmp script used when the wtmp file grows ``too large''. #!/usr/local/bin/perl #; Trim /etc/wtmp, outputting for each user the last #; session (a USER_PROCESS usually followed later by #; either a DEAD_PROCESS or a INIT_PROCESS). require "utmp.ph"; open(OLD, "/usr/lib/acct/fwtmp </etc/wtmp |"); open(NEW, "| sort +7 -8 | /usr/lib/acct/fwtmp -ic"); while (<OLD>) { $user = substr($_,0,8); $line = substr($_,14,12); $type = substr($_,34,1); if ($type == &USER_PROCESS && $user gt " ") { $login{$user} = $_; $llogin{$line} = $_; undef $logout{$user}; } elsif ($type == &DEAD_PROCESS) { if (substr($login{$user},14,12) eq $line) { $logout{$user} = $_; } } elsif ($type == &INIT_PROCESS) { $logout{substr($llogin{$line},0,8)} = $_; } } while (($user,$entry) = each(%login)) { print(NEW $entry); if ($logout{$user}) { print(NEW $logout{$user}); } } -- Tor Lillqvist, working, but not speaking, for the Technical Research Centre of Finland
rodean@hpfcdc.HP.COM (Bruce Rodean) (03/13/91)
In article <237@nos850.UUCP> joem@nos850.UUCP (Joe Muller) writes: > The title says it all. Anybody have any ideas as to why the file > /etc/wtmp on our 9000/850 does not grow without bounds ? Typically > it gets no larger then 200 bytes, but it still contains the most > recent login information. As far as I know, there are no crons > out there that are cutting it down to size. Are you sure you mean /etc/wtmp. The file /etc/utmp is a relatively steady-state file in terms of size. It contains information related to who is logged in (as reported by who for example) and when the system booted up. The file /etc/wtmp contains time-stamped data and should be growing as long as users are logging in and out. Other information kept there is when the system date was changed via the date command, when the system booted up, and when other system events occurred. If no one is logging in and out, you aren't rebooting the system, or changing the date, then /etc/wtmp will not grow either (or it will very slowly). One common function that truncates /etc/wtmp is system accounting. The nightly accounting script /usr/lib/acct/runacct will consume /etc/wtmp to get session accounting records. Is that being run from cron? Execute 'fwtmp < /etc/utmp | more' and 'fwtmp < /etc/wtmp | more'. You'll see what is stored there. Bruce Rodean rodean@hpfclg.fc.hp.com