2008-01-24

UNIX Tip: Getting data out of wtmpx on Solaris

I recently had to do an audit and see who was logged in when some performance issues were being reported on one of our Solaris boxes. The problem? The performance issues had been discussed in an email thread for a long time before they landed on my plate. The only way to find out who was logged in during that time frame was to pull data out of old backups of the wtmpx file.

On Solaris, wtmpx records data such as the IP address a user connects from, when they logged in, and how long they stayed on. It's a binary, non-human-readable format, so I did some research to figure out how to get usable data out of it. The fwtmp command converts wtmpx records to ASCII, making them easy to parse with, for instance, Awk. Unfortunately, this utility isn't in the default PATH, and I don't know why. No matter, though: I'll tell you where it lives. It's a stream converter, so it takes the raw wtmpx file on standard input and writes plain text on standard output. This is how I usually run it:

$ /usr/lib/acct/fwtmp < /var/adm/wtmpx > wtmpx-`date +%Y-%m-%d`.txt

This creates an ASCII copy of wtmpx with the current date as part of its filename.

See the man page for fwtmp for more information. It can also run in the other direction, importing ASCII records back into wtmp. With some scripting, a nice log-rotation mechanism can be built on top of it.
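For the audit question the post opens with ("who was logged in during this window?") it can be handy to read wtmpx records directly, for instance from an old backup on a box that has no fwtmp. The script below is an added example, not part of the original post: it decodes the on-disk record layout (struct futmpx from Solaris's utmpx.h, 372 bytes per record, as I read the header; the exact layout and the big-endian byte order are assumptions to verify against your release, and x86 Solaris would need "<"), pairs login and logout records per terminal line, and reports the users whose sessions overlap a time window. The sample file is constructed in the script and ends with a deliberately torn record, so the parser reports the leftover bytes instead of crashing, the situation described in the comments when wtmpx is damaged by a panic or power failure.

```python
"""Read Solaris wtmpx records directly and answer "who was logged in
between T1 and T2". Added example; layout is an assumption, see above."""
import struct
from datetime import datetime, timezone

# struct futmpx as I read it from Solaris <utmpx.h> (ASSUMPTION, verify):
# ut_user[32] ut_id[4] ut_line[32] ut_pid ut_type ut_exit{term,exit} pad
# ut_tv{sec,usec} ut_session pad[5] ut_syslen ut_host[257] pad -> 372 bytes.
# ">" = big-endian (SPARC); use "<" on x86 Solaris.
FUTMPX = ">32s4s32sihhh2xiii5ih257sx"
RECORD_SIZE = struct.calcsize(FUTMPX)   # 372
USER_PROCESS = 7    # a login session started on ut_line
DEAD_PROCESS = 8    # the session on ut_line ended


def _cstr(raw):
    """Fixed-width, NUL-terminated C string -> Python str."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_wtmpx(data):
    """Decode every complete record; return (records, leftover_bytes).

    A partial trailing record (typical after a crash) is reported via
    leftover_bytes rather than raising, so the caller can decide.
    """
    records = []
    usable = len(data) - len(data) % RECORD_SIZE
    for off in range(0, usable, RECORD_SIZE):
        f = struct.unpack_from(FUTMPX, data, off)
        records.append({
            "user": _cstr(f[0]), "id": _cstr(f[1]), "line": _cstr(f[2]),
            "pid": f[3], "type": f[4], "exit": (f[5], f[6]),
            "time": f[7],           # ut_tv.tv_sec, seconds since the epoch
            "host": _cstr(f[16]),   # where the user connected from
        })
    return records, len(data) - usable


def sessions(records):
    """Pair each USER_PROCESS with the next DEAD_PROCESS on the same line.
    Yields (user, host, line, login, logout); logout is None if the line
    never logged out within this file (session still open at end)."""
    open_by_line, out = {}, []
    for r in records:
        if r["type"] == USER_PROCESS:
            open_by_line[r["line"]] = r
        elif r["type"] == DEAD_PROCESS and r["line"] in open_by_line:
            s = open_by_line.pop(r["line"])
            out.append((s["user"], s["host"], s["line"], s["time"], r["time"]))
    for s in open_by_line.values():
        out.append((s["user"], s["host"], s["line"], s["time"], None))
    return out


def logged_in_during(records, start, end):
    """Sorted users whose session overlaps [start, end] (epoch seconds)."""
    return sorted({u for u, _h, _l, login, logout in sessions(records)
                   if login <= end and (logout is None or logout >= start)})


def make_record(user, ut_id, line, pid, utype, sec, host=""):
    """Pack one record (constructed test data, same layout as FUTMPX)."""
    return struct.pack(FUTMPX, user.encode(), ut_id.encode(), line.encode(),
                       pid, utype, 0, 0, sec, 0, 0, 0, 0, 0, 0, 0,
                       len(host) + 1 if host else 0, host.encode())


# Constructed sample wtmpx: three logins, one never logged out, and ten
# junk bytes at the end standing in for a record torn by a power failure.
SAMPLE = b"".join([
    make_record("alice", "ts/1", "pts/1", 4001, USER_PROCESS, 1000, "192.0.2.10"),
    make_record("bob",   "ts/2", "pts/2", 4002, USER_PROCESS, 1500, "192.0.2.11"),
    make_record("",      "ts/1", "pts/1", 4001, DEAD_PROCESS, 2000),
    make_record("carol", "ts/3", "pts/3", 4003, USER_PROCESS, 3000, "198.51.100.7"),
    make_record("",      "ts/3", "pts/3", 4003, DEAD_PROCESS, 3500),
]) + b"\xff" * 10


if __name__ == "__main__":
    # For a real file: data = open("/var/adm/wtmpx", "rb").read()
    recs, leftover = parse_wtmpx(SAMPLE)
    for user, host, line, login, logout in sessions(recs):
        fmt = lambda t: datetime.fromtimestamp(t, timezone.utc).isoformat()
        print(f"{user:8} {line:6} {host:15} {fmt(login)} -> "
              f"{fmt(logout) if logout else 'still logged in'}")
    if leftover:
        print(f"warning: {leftover} trailing bytes do not form a record")
    print("in window 1800-2500:", logged_in_during(recs, 1800, 2500))
```

Run it against a copy of wtmpx, never the live file, and compare a few records with fwtmp's output before trusting the byte order and layout on your release; a wrong assumption shows up immediately as garbage usernames or timestamps decades off.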

3 comments:

  1. This was a fantastic tip! I wound up using it this morning to confirm a few logins.

    Thanks for putting it out there.

    -Systemstate

  2. I'm glad it helped! Thanks for dropping us a line!

    I also found that fwtmp on AIX works in almost the same way, but its path is /usr/sbin/acct/fwtmp (and you absolutely must be root to run it, even if the permissions of the wtmp file allow you to read it).

    I have to do this on occasion for audit purposes. It also helps when the wtmp gets corrupted due to a kernel panic or power failure. You can export the wtmp to ASCII, delete corrupted lines (they show up as noise with invalid characters), then overwrite the bad wtmp with the binary output of wtmpx importing from the cleaned-up text file.

  3. s/'wtmpx'/'fwtmp'/ # I meant fwtmp... it's too fscking early. I need moar coffee.
