I have read some questions that ask for advice on how to rsync sparse files efficiently, mentioning the files /var/log/lastlog and /var/log/faillog. Indeed, I myself have stumbled over those files being an "issue", as backing them up via rsync makes them "unsparse".
What I hence wonder is: what is the need/background motivation to have those files as sparse, huge files (in my case it was 1.1TB)?
Also, related to this, a follow-up: since I was assuming them to be log files I do not care about excessively, I truncated those files. Did I corrupt anything by truncating those files?
Best Answer
This is how it's supposed to be.
/var/log/lastlog is not a log file like /var/log/syslog, and its name should be read as "last logins list" rather than "last logfile".
It's maintained by the pam_lastlog(8) module, and it's basically an array like this:
Sizes of the fields on a typical x86-64 machine are in comments; an entry should be 4 + 32 + 256 = 292 bytes.
Every time a program using the pam_lastlog(8) pam module is logging a user in, it will seek to uid * sizeof(struct lastlog) and overwrite the entry corresponding to that user.
You did corrupt the output of the lastlog(1) command, which nobody is using anyway ;-)
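
Added example, not part of the original answer: a Python sketch of the record layout and the seek-to-uid write described above, showing why one high UID makes the file's apparent size large while little is stored on disk. It assumes the glibc x86-64 field sizes from the answer (4 + 32 + 256 bytes); the file is a constructed temporary file, and the UIDs, timestamps and hosts are made-up sample values.

```python
import os
import struct
import tempfile

# Record layout of struct lastlog as sized in the answer (glibc, x86-64):
# 4-byte ll_time, 32-byte ll_line, 256-byte ll_host = 292 bytes, no padding.
ENTRY = struct.Struct("<i32s256s")

def write_entry(path, uid, when, line, host):
    """Overwrite the slot for uid at offset uid * 292, as the answer describes."""
    mode = "r+b" if os.path.exists(path) else "w+b"
    with open(path, mode) as f:
        f.seek(uid * ENTRY.size)
        f.write(ENTRY.pack(when, line.encode(), host.encode()))

def read_entries(path):
    """Return {uid: (time, line, host)} for every slot that holds a login."""
    found = {}
    with open(path, "rb") as f:
        uid = 0
        while True:
            raw = f.read(ENTRY.size)
            if len(raw) < ENTRY.size:
                break
            when, line, host = ENTRY.unpack(raw)
            if when:  # all-zero slots are holes or users who never logged in
                found[uid] = (when, line.rstrip(b"\0").decode(), host.rstrip(b"\0").decode())
            uid += 1
    return found

def demo():
    """Build a constructed lastlog with one low and one high UID; report sizes."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "lastlog")  # constructed file, not /var/log/lastlog
        write_entry(path, 1000, 1700000000, "pts/0", "192.0.2.10")
        write_entry(path, 100000, 1700000500, "pts/1", "198.51.100.7")
        st = os.stat(path)
        # st_size is the apparent size; st_blocks * 512 is what the disk holds.
        return read_entries(path), st.st_size, st.st_blocks * 512

if __name__ == "__main__":
    entries, apparent, allocated = demo()
    print(entries)
    print(f"apparent {apparent} bytes, allocated {allocated} bytes")
```

On a filesystem that supports sparse files, the allocated figure stays at a few blocks while the apparent size tracks the highest UID written, which is the size a copy that does not preserve holes will consume.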