wtmp (access) log file
Mac Enthusiast
Join Date: Dec 2000
Location: Germany
I don't seem to have one! Is that normal, how do I start it going? I'm sure it was there not too long ago, and I need to see who has logged into the machine.
Senior User
Join Date: Jan 2001
Location: Mahwah, NJ USA
Originally posted by macmad:
I don't seem to have one! Is that normal, how do I start it going? I'm sure it was there not too long ago, and I need to see who has logged into the machine.
Where did you look for wtmp? Mine is in /var/log/. Do:
ls /var/log/wtmp*
What do you get?
What do you get when you type a single w at the command prompt in a terminal? Also try the command 'last' (without the quote marks).
-DU-...etc...
Mac Enthusiast
Join Date: Dec 2000
Location: Germany
utidjian, thanks, but I've found the problem. When the wtmp file is deleted for some reason, it is not automatically recreated. This is probably common knowledge for smarter men than me, but I was going mad trying to find out what happened!
OK, what to do?? Make a new one! You do that like this:
"sudo touch /var/log/wtmp" then "sudo chmod 644 /var/log/wtmp" so you can read it.
Logging has started again, and I'm happy!
Senior User
Join Date: Jan 2001
Location: Mahwah, NJ USA
Originally posted by macmad:
utidjian, thanks, but I've found the problem. When the wtmp file is deleted for some reason, it is not automatically recreated. This is probably common knowledge for smarter men than me, but I was going mad trying to find out what happened!
OK, what to do?? Make a new one! You do that like this:
"sudo touch /var/log/wtmp" then "sudo chmod 644 /var/log/wtmp" so you can read it.
Logging has started again, and I'm happy!
Ummm... I would find it VERY suspicious that my wtmp file "is deleted for some reason". There is NO way that that should happen. It is a critical log file for security.
If you look at the /etc/monthly script you will see that /var/log/wtmp is "rotated", compressed and renamed once a month. According to that script, after 5 months or so, you should have (under /var/log/)
wtmp
wtmp.0.gz
wtmp.1.gz
wtmp.2.gz
wtmp.3.gz
and
wtmp.4.gz
Will be perhaps less if you did a clean re-install. It may be that it was never created in the first place in which case it is a problem of the installer. Usually when a log file gets deleted it is something that the root user did inadvertently or a cracker did to cover its tracks. No file on a Unix system just up and disappears for no reason... especially log files.
If I were you I would keep a close watch on my log files for a while. If it disappears again you may have a MUCH bigger problem.
BTW /etc/monthly will chmod those files to 0640 automatically NOT 0644. They do not need to be and should not be 0644 in order for you to use "last".
-DU-...etc...
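An added example, not part of the original thread or written by its posters: a POSIX shell check for the three conditions discussed above (wtmp missing, a mode readable by "other" instead of the 0640 that /etc/monthly sets, and gaps in the wtmp.N.gz rotation sequence). The function name check_wtmp and its message texts are hypothetical, and it assumes archives are numbered consecutively from 0 as in the list above.

```sh
# Added example (not from the thread). check_wtmp and its messages are
# hypothetical names. Prints one finding per line; returns 1 if any, else 0.
check_wtmp() {
    dir=${1:-/var/log}
    findings=0
    highest=-1
    count=0

    # Collect rotated archives wtmp.N.gz and remember the highest N.
    for f in "$dir"/wtmp.*.gz; do
        [ -e "$f" ] || continue
        n=${f##*/wtmp.}
        n=${n%.gz}
        case $n in ''|*[!0-9]*) continue ;; esac
        count=$((count + 1))
        if [ "$n" -gt "$highest" ]; then highest=$n; fi
    done

    if [ ! -e "$dir/wtmp" ]; then
        findings=1
        if [ "$count" -gt 0 ]; then
            # Archives prove logging once worked, so the live file was removed.
            echo "MISSING: wtmp absent but $count rotated archive(s) exist"
        else
            echo "MISSING: no wtmp and no archives; logging may never have started"
        fi
    else
        # GNU stat takes -c, BSD/macOS stat takes -f.
        mode=$(stat -c %a "$dir/wtmp" 2>/dev/null || stat -f %Lp "$dir/wtmp")
        # Any permission bit for "other" means the last octal digit is non-zero.
        case $mode in
            *[1-7]) findings=1; echo "PERMS: wtmp is mode $mode, expected 640" ;;
        esac
    fi

    # Rotation renames N to N+1, so archives 0..highest should all be present.
    i=0
    while [ "$i" -le "$highest" ]; do
        if [ ! -e "$dir/wtmp.$i.gz" ]; then
            findings=1
            echo "GAP: wtmp.$i.gz missing from rotation sequence"
        fi
        i=$((i + 1))
    done
    return "$findings"
}
```

Called with no argument it inspects /var/log; the non-zero return on any finding makes it usable from a scheduled job that alerts on failure.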
Mac Enthusiast
Join Date: Dec 2000
Location: Germany
I hear you! This was also my concern! However, I have been using LogMaster to read my log files, it has a big trash button to 'clear' the log, and I think this must have deleted /var/log/wtmp . When I tried to subsequently read the access log with LogMaster it always 'unexpectedly quit' - so, a program bug.
I had enabled SSH and so I wanted to check that no one had gotten in - as you say, if they had, they'd have probably deleted /var/log/wtmp too! I will keep an eye on this!