[opensuse] /var/log/wtmp ("last" info not complete)
I am trying to pull information from one of my servers, for a specific login. When I run the "last" command for that login, it only gives me info for the last 4 days, but I know this login has been active for longer than that.
From what I read in the /etc/logrotate.conf file below (from my server), wtmp must be configured separately, and is not included with the other logs. Is this correct ?
Question 2: Does my system read /etc/logrotate.d/wtmp, which means even if it is not set in logrotate.conf, it is still set in logrotate.d ?
From what I can gather from the 2 files below, /var/log/wtmp will have a max age of 365 days (is kept for a year), and will be rotated for 99 weeks. Why am I not picking up all the info for this login ?
The size of the wtmp file:

ls -la /var/log/wtmp
-rw-rw-r-- 1 root tty 892800 Apr 21 17:23 /var/log/wtmp

/etc/logrotate.conf shows:
--------------------------
# see "man logrotate" for details
# rotate log files weekly
weekly

# keep 4 weeks worth of backlogs
rotate 4

# create new (empty) log files after rotating old ones
create

# uncomment this if you want your log files compressed
#compress

# uncomment these to switch compression to bzip2
#compresscmd /usr/bin/bzip2
#uncompresscmd /usr/bin/bunzip2

# RPM packages drop log rotation information into this directory
include /etc/logrotate.d

# no packages own wtmp -- we'll rotate them here
#/var/log/wtmp {
#    monthly
#    create 0664 root utmp
#    rotate 1
#}

# system-specific logs may be also be configured here.

And /etc/logrotate.d/wtmp shows:
--------------------------------
/var/log/wtmp {
    compress
    dateext
    maxage 365
    rotate 99
    size=+-400k
    notifempty
    missingok
    copytruncate
}

Dirk

*** Disclaimer ***
The information contained in this e-mail is confidential and legally privileged and is intended solely for the addressee and to others who have the authority to receive it. Access to this e-mail by anyone else is unauthorized and as such, any disclosure, copying, distribution or any action taken or omitted in reliance on it is unlawful. If you have received this e-mail in error, please notify the sender immediately.
The views expressed in this e-mail are the views of the individual sender and should in no way be construed as the views of the Company.
The Company is not liable to ensure that outgoing e-mails are virus-free.
The Company is not liable, should information or data, for whatever reason, be corrupted or fail to reach its intended addressee.
The Company is not liable for any loss or damage of whatsoever nature and howsoever arising resulting from the opening or the use of the information in this e-mail, including its attachments and links.
The sender of this e-mail is subject to and bound by the terms and conditions of Company’s Electronic Communications Usage Policy.

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
Dirk Moolman wrote:
> From what I read in the /etc/logrotate.conf file below (from my server), wtmp must be configured separately, and is not included with the other logs. Is this correct ?

There is a separate config for wtmp in logrotate.d

> Question 2: Does my system read /etc/logrotate.d/wtmp, which means even if it is not set in logrotate.conf, it is still set in logrotate.d ?

Almost certainly, yes.

/Per Jessen, Zürich
From: Per Jessen [mailto:per@computer.org]
Sent: 21 April 2008 06:50 PM

> Dirk Moolman wrote:
>> From what I read in the /etc/logrotate.conf file below (from my server), wtmp must be configured separately, and is not included with the other logs. Is this correct ?
> There is a separate config for wtmp in logrotate.d
>> Question 2: Does my system read /etc/logrotate.d/wtmp, which means even if it is not set in logrotate.conf, it is still set in logrotate.d ?
> Almost certainly, yes.

Thank you. The following is my wtmp config file in the logrotate.d directory. I am still trying to understand its syntax fully. I think I understand the "maxage" and the "rotate" settings, but what does the "size=+-400k" mean ? The +- in the syntax confuses me. It looks to me like it can be 400k plus (bigger than 400k), but then this means it can be any size, so why use 400 and not just +-0k ?

Also, how often will it rotate in this case - there is no setting like "weekly" in the file. Or is this where the "maxage" setting comes into play ?

/etc/logrotate.d/wtmp shows:
----------------------------
/var/log/wtmp {
    compress
    dateext
    maxage 365
    rotate 99
    size=+-400k
    notifempty
    missingok
    copytruncate
}
Dirk Moolman wrote:
> Thank you. The following is my wtmp config file in the logrotate.d directory. I am still trying to understand its syntax fully. I think I understand the "maxage" and the "rotate" settings, but what does the "size=+-400k" mean

Hi Dirk

Are you sure it says '=+-400k' and not just '=+400k' - the first is not a valid syntax.

> Also, how often will it rotate in this case - there is no setting like "weekly" in the file. Or is this where the "maxage" setting comes into play ?

It will rotate whenever the file is bigger than 400K. The logrotate process is usually done once per day - check your /etc/cron.daily directory.

/Per Jessen, Zürich
--
http://www.spamchek.com/ - your spam is our business.
-----Original Message-----
From: Per Jessen [mailto:per@computer.org]
Sent: 22 April 2008 05:04 PM

> Dirk Moolman wrote:
>> Thank you. The following is my wtmp config file in the logrotate.d directory. I am still trying to understand its syntax fully. I think I understand the "maxage" and the "rotate" settings, but what does the "size=+-400k" mean
> Hi Dirk
>
> Are you sure it says '=+-400k' and not just '=+400k' - the first is not a valid syntax.

Sorry, you are right - copy & paste error .... Microsoft ? :-o

>> Also, how often will it rotate in this case - there is no setting like "weekly" in the file. Or is this where the "maxage" setting comes into play ?
> It will rotate whenever the file is bigger than 400K. The logrotate process is usually done once per day - check your /etc/cron.daily directory.

Where will I find the old files ?
* Dirk Moolman
> -----Original Message-----
> From: Per Jessen [mailto:per@computer.org]
> Sent: 22 April 2008 05:04 PM
>
>> Dirk Moolman wrote:
>>> Thank you. The following is my wtmp config file in the logrotate.d directory. I am still trying to understand its syntax fully. I think I understand the "maxage" and the "rotate" settings, but what does the "size=+-400k" mean
>> Hi Dirk
>>
>> Are you sure it says '=+-400k' and not just '=+400k' - the first is not a valid syntax.
>
> Sorry, you are right - copy & paste error .... Microsoft ? :-o
>
>>> Also, how often will it rotate in this case - there is no setting like "weekly" in the file. Or is this where the "maxage" setting comes into play ?
>> It will rotate whenever the file is bigger than 400K. The logrotate process is usually done once per day - check your /etc/cron.daily directory.
>
> Where will I find the old files ?
>
> *** Disclaimer ***
invalid disclaimer

You should look under /var/log

--
Patrick Shanahan, Plainfield, Indiana, USA, HOG # US1244711
http://wahoo.no-ip.org  Photo Album: http://wahoo.no-ip.org/gallery2
Registered Linux User #207535 @ http://counter.li.org
-----Original Message-----
From: Patrick Shanahan [mailto:paka@opensuse.org]

> Dirk Moolman wrote:
>> Where will I find the old files ?
> You should look under /var/log

Thank you Patrick, I found the files. Another question: is there a utility to run "last" so that it includes the rotated files (old logs) ? I see mine is rotated almost daily, and I need login information for about 6 months.

-rw-rw-r-- 1 root tty 27370 Feb 27 04:15 /var/log/wtmp-20080227.gz
-rw-rw-r-- 1 root tty 25236 Feb 28 04:15 /var/log/wtmp-20080228.gz
-rw-rw-r-- 1 root tty 25289 Feb 29 04:15 /var/log/wtmp-20080229.gz
-rw-rw-r-- 1 root tty 47386 Mar  4 04:15 /var/log/wtmp-20080304.gz
-rw-rw-r-- 1 root tty 26712 Mar  5 04:15 /var/log/wtmp-20080305.gz
-rw-rw-r-- 1 root tty 43537 Mar  7 04:15 /var/log/wtmp-20080307.gz
-rw-rw-r-- 1 root tty 58637 Mar 11 04:15 /var/log/wtmp-20080311.gz
-rw-rw-r-- 1 root tty 25102 Mar 12 04:15 /var/log/wtmp-20080312.gz
-rw-rw-r-- 1 root tty 44416 Mar 14 04:15 /var/log/wtmp-20080314.gz
-rw-rw-r-- 1 root tty 50854 Mar 18 04:15 /var/log/wtmp-20080318.gz
-rw-rw-r-- 1 root tty 46126 Mar 20 04:15 /var/log/wtmp-20080320.gz
-rw-rw-r-- 1 root tty 46117 Mar 26 04:15 /var/log/wtmp-20080326.gz
-rw-rw-r-- 1 root tty 41515 Mar 28 04:15 /var/log/wtmp-20080328.gz
-rw-rw-r-- 1 root tty 24268 Mar 29 04:15 /var/log/wtmp-20080329.gz
-rw-rw-r-- 1 root tty 41695 Apr  2 04:15 /var/log/wtmp-20080402.gz
-rw-rw-r-- 1 root tty 44173 Apr  4 04:15 /var/log/wtmp-20080404.gz
-rw-rw-r-- 1 root tty 45198 Apr  8 04:15 /var/log/wtmp-20080408.gz
-rw-rw-r-- 1 root tty 46395 Apr 10 04:15 /var/log/wtmp-20080410.gz
-rw-rw-r-- 1 root tty 45049 Apr 12 04:15 /var/log/wtmp-20080412.gz
-rw-rw-r-- 1 root tty 46188 Apr 16 04:15 /var/log/wtmp-20080416.gz
-rw-rw-r-- 1 root tty 27670 Apr 17 04:15 /var/log/wtmp-20080417.gz
-rw-rw-r-- 1 root tty 32583 Apr 18 04:15 /var/log/wtmp-20080418.gz
-rw-rw-r-- 1 root tty 52222 Apr 22 04:15 /var/log/wtmp-20080422.gz
-rw-rw-r-- 1 root tty 25232 Apr 23 04:15 /var/log/wtmp-20080423.gz
Dirk Moolman wrote:
>> It will rotate whenever the file is bigger than 400K. The logrotate process is usually done once per day - check your /etc/cron.daily directory.
> Where will I find the old files ?

They are typically left in the same directory as the logfile being rotated, although I think there is an option for having them moved elsewhere. If you're rotating /var/log/wtmp, I would expect to find a few /var/log/wtmp-2008mmdd.gz (depending on how often you rotate).

/Per
Excellent, thank you very much. I have found a lot of answers on this mailing list this week. Thank you to everyone, I do appreciate it.

Dirk

-----Original Message-----
From: Per Jessen [mailto:per@computer.org]
Sent: 23 April 2008 07:56 AM
To: Dirk Moolman
Cc: opensuse@opensuse.org
Subject: Re: [opensuse] /var/log/wtmp ("last" info not complete)

Dirk Moolman wrote:
>> It will rotate whenever the file is bigger than 400K. The logrotate process is usually done once per day - check your /etc/cron.daily directory.
> Where will I find the old files ?

They are typically left in the same directory as the logfile being rotated, although I think there is an option for having them moved elsewhere. If you're rotating /var/log/wtmp, I would expect to find a few /var/log/wtmp-2008mmdd.gz (depending on how often you rotate).

/Per
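
Added example, not part of the thread: one way to answer the question above about running "last" over the rotated files is to read the wtmp records directly, in date order, from the wtmp-YYYYMMDD.gz archives and then the live file. It assumes the 384-byte glibc struct utmp layout used on Linux x86/x86-64; the function names and the "dirk" login are placeholders.

```python
import glob
import gzip
import os
import struct
from datetime import datetime, timezone

# Assumption: glibc "struct utmp" as written on Linux x86/x86-64, 384 bytes per record.
UTMP = struct.Struct("<h2xi32s4s32s256shhiii16s20x")
USER_PROCESS, DEAD_PROCESS = 7, 8  # ut_type values from <utmp.h>


def _text(raw):
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def read_wtmp(path):
    """Yield (ut_type, tty line, user, host, epoch seconds) per record."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rb") as fh:
        data = fh.read()
    # A trailing partial record (file copied mid-write) is skipped.
    for off in range(0, len(data) - UTMP.size + 1, UTMP.size):
        f = UTMP.unpack_from(data, off)
        yield f[0], _text(f[2]), _text(f[4]), _text(f[5]), f[9]


def login_history(log_dir, user):
    """Sessions for `user` across wtmp-YYYYMMDD.gz archives and the live wtmp."""
    # dateext names sort chronologically; the live file holds the newest records.
    paths = sorted(glob.glob(os.path.join(log_dir, "wtmp-*.gz")))
    live = os.path.join(log_dir, "wtmp")
    if os.path.exists(live):
        paths.append(live)
    sessions, open_by_line = [], {}
    for path in paths:
        for typ, line, name, host, sec in read_wtmp(path):
            if typ == USER_PROCESS:
                open_by_line.pop(line, None)  # new login supersedes a stale one
                if name == user:
                    entry = {"line": line, "host": host, "login": sec, "logout": None}
                    sessions.append(entry)
                    open_by_line[line] = entry
            elif typ == DEAD_PROCESS and line in open_by_line:
                open_by_line.pop(line)["logout"] = sec
    return sessions


if __name__ == "__main__":
    for s in login_history("/var/log", "dirk"):  # "dirk" is a placeholder login
        print(datetime.fromtimestamp(s["login"], timezone.utc), s["line"], s["host"], s["logout"])
```

Because all files are read as one stream, a login recorded in one archive is paired with its logout in a later file, which running last -f on each decompressed archive separately does not do. Sessions ended by a reboot rather than a logout record keep logout set to None.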
participants (3)
- Dirk Moolman
- Patrick Shanahan
- Per Jessen