# Enormous wtmp file

## Letharion

One of my DNS servers has only a 5GiB hard drive. I noticed today that it was nearly filling up, and /var/log/wtmp takes up almost half of this space.

```
ls -lh wtmp
-rw-rw-r-- 1 root utmp 2.3G Oct  4 21:09 wtmp
```

What in the world? Can I safely delete it? Googling told me that it contains login records? If I have had logins amounting to 2G of text logs, on a server that is only a DNS, then something is seriously wrong.

I don't see any other suspicious activity though, yet.

----------

## mikegpitt

I believe it is safe to delete this file, but you could temporarily move it to a new location just to make sure it doesn't mess up user login information.  You can access wtmp information through the `last` command, so you can see why the file is so big.

----------

## Letharion

 *mikegpitt wrote:*   

> I believe it is safe to delete this file, but you could temporarily move it to a new location just to make sure it doesn't mess up user login information.  You can access wtmp information through the `last` command, so you can see why the file is so big.

 

Thank you  :Smile: 

I tried last, and it lists only a single entry, which is the current one I'm logged in with. I'll try moving the file and open a new login, and we'll see what happens.

Edit: I tried last again, now I get 4 entries, which all makes sense to me. Then last dies with an out of memory error, I'm guessing because it tries to read the entire file to memory.

After renaming the file, I can still log in, and I tried chkrootkit. Unless something else starts acting weird, I guess I'll just leave it at that for now.

Any other input would be appreciated though  :Smile: 

----------

## morpheus2051

You can read what the file does here: http://en.wikipedia.org/wiki/Wtmp.

To keep your log files small you can use app-admin/logrotate. I do not know whether the configuration file of logrotate comes with the right entry for the wtmp file, so here is the entry anyway:

```
/var/log/wtmp {
    monthly
    create 0664 root utmp
    rotate 1
}
```

This is if you use app-admin/syslog-ng. 

If you are using app-admin/metalog and I am right, you do not need logrotate. Metalog has the feature to rotate logs built in.

Hope this helps.

Greetings

morpheus

----------

## Ant P.

You might want to run `strings wtmp` on it to see if there's anything unusual in there...

----------

## toralf

 *morpheus2051 wrote:*   

> I do not know if the configuration file of logrotate comes with the right entry for the wtmp

This is already in logrotate.conf; more configs are delivered by individual packages into /etc/logrotate.d.

----------

## mikegpitt

 *Ant_P wrote:*   

> You might want to run `strings wtmp` on it to see if there's anything unusual in there...

 I second this... it is very strange to have a wtmp file so big, especially on a server with few logins.

As a sort of apples to oranges comparison, I have a development server that has been up and running since 2006, and receives a relatively low amount of logins.  I just checked the wtmp file and it is only 2.6M.

----------

## Letharion

```
$ strings wtmp | wc -l
11563664
$ strings wtmp | head -n15
2.6.18-92.1.13.el5.028stab059.3
reboot
2.6.18-92.1.13.el5.028stab059.3
2.6.18-92.1.13.el5.028stab059.3
runlevel
2.6.18-92.1.13.el5.028stab059.3
2.6.18-92.1.13.el5.028stab059.3
2.6.18-92.1.13.el5.028stab059.3
2.6.18-92.1.13.el5.028stab059.3
tty1
LOGIN
tty2
LOGIN
2.6.18-92.1.13.el5.028stab059.3
.I%=
$ strings wtmp | tail -n10
tty2
2.6.18-194.8.1.el5.028stab070.5
tty3
2.6.18-194.8.1.el5.028stab070.5
tty4
2.6.18-194.8.1.el5.028stab070.5
tty6
2.6.18-194.8.1.el5.028stab070.5
tty5
2.6.18-194.8.1.el5.028stab070.5
```

Mostly, the files seem to contain gibberish. Except what appears to be my kernel number (it's a VPS, so the kernel is redhat instead of gentoo-sources). I checked the other server I have with the same provider, and it also has a really big wtmp. Maybe I should ask the provider if they have any idea what this is.

Logrotate was installed on the "other" server and there wtmp has been rotated, so logrotate handles that well  :Smile: 

Upon touching a new wtmp, it immediately started growing, quite fast.

----------

## toralf

 *Ant_P wrote:*   

> You might want to run `strings wtmp` on it to see if there's anything unusual in there...

 wtmp is a binary file - last is (one of) the command which shows the decoded content.

----------

## Letharion

I figured as much, but that doesn't explain why it's so big, and last still showing very few logins.

```
# last | wc -l
4
# wc -l wtmp
5031 wtmp
# ls -lh wtmp
-rw-rw-r-- 1 root utmp 19M Oct  8 19:41 wtmp
```

There's clearly a big discrepancy between 19M and 4 lines of login data.

----------

## toralf

 *Letharion wrote:*   

> I figured as much, but that doesn't explain why it's so big, and last still showing very few logins.
> 
> ```
> # last | wc -l
> 
> ...

Again: `wc -l wtmp` doesn't make sense for a binary file.

----------
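Since `last` runs out of memory on a file this size and `strings` only shows fragments, the direct way to see what is filling wtmp is to decode the fixed-size records yourself. The following is an added example, not code posted in this thread: it streams a wtmp file 384 bytes at a time using glibc's `struct utmp` layout for i386/x86_64 (an assumption; some other architectures use a different record size), tallies records by type, line and user, and reports the time span and write rate. The embedded sample is constructed to resemble what `strings` showed above (boot and runlevel records carrying the kernel version, repeated LOGIN records on tty1..tty6, one real session); the function names `summarize`, `report`, `records_in` and `pack_record` are mine.

```python
"""Stream a Linux wtmp file record by record and tally what is filling it.

Added example, not code from the thread. Assumes glibc's 384-byte struct utmp
layout as used on i386 and x86_64; other architectures may differ.
"""
import io
import struct
import sys
from collections import Counter

# bits/utmp.h: ut_type, pad, ut_pid, ut_line[32], ut_id[4], ut_user[32],
# ut_host[256], ut_exit{e_termination,e_exit}, ut_session, ut_tv{sec,usec},
# ut_addr_v6[4], __unused[20]  ->  384 bytes, little-endian.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384

UT_TYPES = {0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 3: "NEW_TIME",
            4: "OLD_TIME", 5: "INIT_PROCESS", 6: "LOGIN_PROCESS",
            7: "USER_PROCESS", 8: "DEAD_PROCESS", 9: "ACCOUNTING"}


def _cstr(raw):
    """Decode a NUL-padded fixed-width char array."""
    return raw.split(b"\0", 1)[0].decode("latin-1")


def iter_records(fp):
    """Yield one dict per record, reading 384 bytes at a time (no OOM on huge files)."""
    while True:
        chunk = fp.read(UTMP_SIZE)
        if not chunk:
            return
        if len(chunk) != UTMP_SIZE:
            raise ValueError("trailing %d bytes: not a whole record" % len(chunk))
        (ut_type, pid, line, ident, user, host, _term, _exit, _session,
         tv_sec, _usec, _a0, _a1, _a2, _a3) = struct.unpack(UTMP_FMT, chunk)
        yield {"type": UT_TYPES.get(ut_type, "TYPE%d" % ut_type), "pid": pid,
               "line": _cstr(line), "id": _cstr(ident), "user": _cstr(user),
               "host": _cstr(host), "time": tv_sec}


def summarize(fp):
    """Return (Counter keyed by (type, line, user), first_ts, last_ts)."""
    tally = Counter()
    first = last = None
    for rec in iter_records(fp):
        tally[(rec["type"], rec["line"], rec["user"])] += 1
        if rec["time"]:
            first = rec["time"] if first is None else min(first, rec["time"])
            last = rec["time"] if last is None else max(last, rec["time"])
    return tally, first, last


def summarize_bytes(data):
    """Convenience wrapper for in-memory data (used for the sample below)."""
    return summarize(io.BytesIO(data))


def records_in(size_bytes):
    """Sanity check: an intact wtmp is an exact multiple of the record size."""
    if size_bytes % UTMP_SIZE:
        raise ValueError("%d bytes is not a multiple of %d" % (size_bytes, UTMP_SIZE))
    return size_bytes // UTMP_SIZE


def pack_record(ut_type, pid, line, ident, user, host, tv_sec):
    """Build one record; used here only to construct sample input."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), ident.encode(),
                       user.encode(), host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


# Constructed sample (hypothetical data) resembling what `strings` showed in the
# thread: boot/runlevel records carrying the kernel version in ut_host, then a
# flood of LOGIN_PROCESS records on tty1..tty6, and one real user session.
KERNEL = "2.6.18-92.1.13.el5.028stab059.3"
SAMPLE = b"".join(
    [pack_record(2, 0, "~", "~~", "reboot", KERNEL, 1286000000),
     pack_record(1, 0, "~", "~~", "runlevel", KERNEL, 1286000001)]
    + [pack_record(6, 1000 + n, "tty%d" % (n % 6 + 1), str(n % 6 + 1), "LOGIN", "",
                   1286000002 + n) for n in range(600)]
    + [pack_record(7, 2000, "pts/0", "ts/0", "letharion", "10.0.0.1", 1286000700)])


def report(fp, top=5):
    """Human-readable summary: what dominates the file and over what time span."""
    tally, first, last = summarize(fp)
    total = sum(tally.values())
    lines = ["%d records" % total]
    if first is not None and last is not None and last > first:
        lines.append("span %d s, %.1f records/hour"
                     % (last - first, total * 3600.0 / (last - first)))
    for (ut_type, line, user), n in tally.most_common(top):
        lines.append("%7d  %-13s line=%-8s user=%s" % (n, ut_type, line, user))
    return lines


if __name__ == "__main__":
    # Usage: python3 wtmp_tally.py /var/log/wtmp   (defaults to the built-in sample)
    src = open(sys.argv[1], "rb") if len(sys.argv) > 1 else io.BytesIO(SAMPLE)
    with src:
        print("\n".join(report(src)))
```

On a real host run it against `/var/log/wtmp` (the script name is arbitrary); `utmpdump /var/log/wtmp` from util-linux decodes the same records to text one at a time and can be piped through `sort | uniq -c` for a similar tally. A 2.3G file holds on the order of six million 384-byte records, consistent with the ~11.5 million printable strings counted above (roughly two per record). If the file size is not a multiple of 384, as `records_in` checks, the layout assumption is wrong for that machine or the file is truncated, and the per-record decoding above will be misaligned.

----------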

## philip

Is it safe to delete the /var/log/wtmp file (will it be re-created automatically)?

----------

## toralf

 *philip wrote:*   

> (will it be re-created automatically)?

 yes

Update: Probably not, after reading the man page.

Last edited by toralf on Sun Oct 10, 2010 8:27 pm; edited 1 time in total

----------

## Ant P.

 *toralf wrote:*   

> wtmp is a binary file - last is (one of) the command which shows the decoded content.

 

Yes, and `last` also freezes with an out-of-memory error, which is totally unhelpful in figuring out why this file is filling up so fast.

----------

## Letharion

 *philip wrote:*   

> Is it safe to delete the /var/log/wtmp file (will it be re-created automatically)?

 

Moving it had no negative effects for me, but it was not re-created automatically.

I had to touch, chgrp, chmod g+w, to "get it back".

----------

