Re: help /var is filling up!!!

To: Johann Spies <jhspies@futurenet.co.za>
Cc: bboett@erm1.u-strasbg.fr, debian-user@lists.debian.org
Subject: Re: help /var is filling up!!!
From: Carl Johnson <carlj@peak.org>
Date: 24 May 1999 11:12:21 -0700
Message-id: <[🔎] 87r9o68hh6.fsf@cjlinux.localnet>
In-reply-to: Johann Spies's message of "Mon, 24 May 1999 09:25:17 +0200 (SAST)"
References: <[🔎] Pine.LNX.3.96.990524091834.330G-100000@Johann>

Johann Spies at Johann <jhspies@futurenet.co.za> writes:

I am not an expert on this, so I had to search a little to find this, so
if anybody finds any problems with this, please correct me.

The lastlog file appears to be an array of structures of binary data,
with an entry for each UID (except 'nobody' on mine).  The size of
yours would indicate that your last UID is 63434 if your is a x86
based system.  You could do a 'ls -s' /var/log/lastlog to get the real
size in blocks to see if the file has holes in it.  The structure
information is in /usr/include/utmpbits.h, which is included from
/usr/include/lastlog.h.  The lastlog file simply holds the last time
each user logged in, so is appears to never be rotated.

The wtmp file should be an array of structures of all logins and
reboots.  The size of yours might be correct if your system has a lot
of users, although I just discovered that my wtmp.0 file is corrupt.
The 'last' command will show a decoded version of the file, and the
option '-f <file>' will also allow you to specify another file.  This
file appears to be rotated from the /etc/cron.monthly/standard script.
The dates of your files indicate it has not been rotating properly in
the past, so your wtmp.0 file probably has 7 months of logs.  The
utmp(5) manpage has further details on the file, if you need it.

> I have two large files in my /var/log:
> 
> -rw-r--r--   1 root     root     18523020 May 24 07:14 lastlog <---------
> 
> -rw-r--r--   1 root     adm        871296 May 24 07:14 wtmp
> -rw-r--r--   1 root     adm       7499904 May  5 14:07 wtmp.0  <---------
> -rw-r--r--   1 root     adm         49369 Oct  1  1998 wtmp.1.gz
> -rw-r--r--   1 root     adm         26365 Aug  1  1998 wtmp.2.gz
> -rw-r--r--   1 root     adm         56427 Jun  9  1998 wtmp.3.gz
> -rw-r--r--   1 root     adm         18072 Mar  1  1998 wtmp.4.gz
> -rw-r--r--   1 root     adm           652 Feb  1  1998 wtmp.5.gz
> -rw-r--r--   1 root     root       130944 Aug 21  1998 wtmp.libc5
> 
> It seems as if wtmp.0 is on its way to become wtmp.1.gz some time but what
> about lastlog?  Is this normal?
> 
> I have tried to look at the contents of lastlog and it contains thousands
> of ^@'s.
> 
> On 21 May 1999, Carl Johnson wrote:
> > My /var/log directory is only a little over 2MB, but mine is mostly just a
> > workstation for me.  Just for reference, I only have 5 files over 100KB, and
> > the largest is only 300KB.
> 

-- 
Carl Johnson		carlj@peak.org

Reply to:

References:
- Re: help /var is filling up!!!
  - From: Johann Spies at Johann <jhspies@futurenet.co.za>

Prev by Date: running programs from other computers on local net (window manager)
Next by Date: X server and pseudo-color
Previous by thread: Re: help /var is filling up!!!
Next by thread: Re: help /var is filling up!!!
Index(es):
- Date
- Thread