Just noticed some 640MB wtmp file in a virtual container (Ubuntu Hardy).

    # last -n 10000 -f /var/log/wtmp.1|wc -l
    384
    # ls -hl /var/log/wtmp.1
    -rw-rw-r-- 1 root utmp 641M 21. Sep 07:49 /var/log/wtmp.1

logrotate was not installed (I just did that and forced rotating).

Are there records in there not being displayed by last (which should show the last 1000 entries, but apparently there are only 384)? From quickly skimming the wtmp/utmp man page, it does not look like a single entry should use about 1.6MB.

Is there another program besides last to inspect these files?
Best Answer
logrotate was a good idea.

Like any regular file, wtmp could have been "sparse" (cf. lseek(2) "holes" and ls -s), which can show an extreme file size that actually occupies little disk. How did the hole get there, if it was a hole? getty(8) and friends could have had a bug. Or a system crash and fsck repair could have caused it.

If you are looking to see the raw contents of wtmp, od or hd are good for peeking at binaries and have the happy side effect of showing long runs of empty as such.

Unless it recurs, I wouldn't give it much more thought. A marginally competent intruder would do a better job than that, the contents aren't all that interesting, and little depends on them.