Re: wtmp filling up

From: Lamar Saxon (Lamar.Saxon_at_AMERICREDIT.COM)
Date: 05/23/05

    Date:         Mon, 23 May 2005 13:46:21 -0500
    To: aix-l@Princeton.EDU
    
    

    If you look @:

    /usr/include/utmp.h

    it will give you a structure of the wtmp file.

    Do you have syslog turned on minimally monitoring auth? Did a password change, is the account now locked out due to unsuccessful login attempts,...

    Do a usrck -n oracle and see if these problems exist.

    Lamar

    -----Original Message-----
    From: IBM AIX Discussion List [mailto:aix-l@Princeton.EDU] On Behalf Of Tom Wood
    Sent: Monday, May 23, 2005 1:03 PM
    To: aix-l@Princeton.EDU
    Subject: Re: wtmp filling up

    Lamar,

    I have about 35k entries like this:
    oracle 6 38450 0000 0000 1116870802 netmeeting.agg-i Mon May 23 13:53:22 EDT 2005
    oracle 6 20236 0000 0000 1116870803 netmeeting.agg-i Mon May 23 13:53:23 EDT 2005
    oracle 6 38452 0000 0000 1116870803 netmeeting.agg-i Mon May 23 13:53:23 EDT 2005
    oracle 6 36158 0000 0000 1116870803 netmeeting.agg-i Mon May 23 13:53:23 EDT 2005
    oracle 6 36160 0000 0000 1116870803 netmeeting.agg-i Mon May 23 13:53:23 EDT 2005
    oracle 6 54388 0000 0000 1116870803 netmeeting.agg-i Mon May 23 13:53:23 EDT 2005
    oracle 6 36164 0000 0000 1116870803 netmeeting.agg-i Mon May 23 13:53:23 EDT 2005
    oracle 6 54392 0000 0000 1116870803 netmeeting.agg-i Mon May 23 13:53:23 EDT 2005
    oracle 6 54394 0000 0000 1116870804 netmeeting.agg-i Mon May 23 13:53:24 EDT 2005
    oracle 6 54396 0000 0000 1116870804 netmeeting.agg-i Mon May 23 13:53:24 EDT 2005

    I'm having someone try to determine what is going on with the w2k host 'netmeeting.agg-inc'. It has been used for quite a while as the host for Quest Software's Spotlight on Oracle application, so it has a legitimate need to connect to this machine, but I'm not sure why all of a sudden it is attempting to connect so often.

    Thanks for the command.

    Tom

    -----Original Message-----
    From: Lamar.Saxon@americredit.com [mailto:Lamar.Saxon@americredit.com]
    Sent: Monday, May 23, 2005 1:45 PM
    To: twood@rezlink.com; aix-l@Princeton.EDU
    Subject: RE: wtmp filling up

    To format wtmp for readability you need to use the fwtmp command, not the tail command like:

    /usr/lib/acct/fwtmp < /var/adm/wtmp

    Send the output of that for further analysis...

    Lamar

    From: IBM AIX Discussion List [mailto:aix-l@Princeton.EDU] On Behalf Of Tom Wood
    Sent: Monday, May 23, 2005 11:45 AM
    To: aix-l@Princeton.EDU
    Subject: wtmp filling up
    My /var/adm/wtmp file is increasing in size very fast - 246 in about 15 minutes (from a > /var/adm/wtmp command).

    File wtmp shows the file is a text file, but is it a special format? When I attempt to tail -f it, this is what I get:

    aixdb:/var/adm# tail -f wtmp
    BÒønetmeeting.agg-ioraclej
                              BÒønetmeeting.agg-ioraclejBÒønetmeeting.agg-ioracle.øj
                                                                                  B.
    BÒnetmeeting.agg-ioracle.
                             BÒnetmeeting.agg-ioracleFBÒnetmeeting.agg-ioracleFBÒneê

    I recognize the 'netmeeting.agg-I' as part of a w2k machine name, and oracle may be the user attempting to connect, but what/where is the other 'stuff' coming from?

    Thanks.

    Tom

    ********************************************************************************************
    IMPORTANT: The information contained in this message is privileged and confidential. It
    is intended only for the use of the individual or entity named above. If the
    reader of this message is not the intended recipient, any dissemination or
    reproduction of it is strictly prohibited. If you have received this communication
    in error, please contact us at postmaster@Rezlink.com immediately.
    Thank you.
    ********************************************************************************************

    Privileged and Confidential. This e-mail, and any attachments there to, is intended only for use by the addressee(s) named herein and may contain privileged or confidential information. If you have received this e-mail in error, please notify me immediately by a return e-mail and delete this e-mail. You are hereby notified that any dissemination, distribution or copying of this e-mail and/or any attachments thereto, is strictly prohibited.
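
An added example, not part of the original messages: a shell function that groups fwtmp output by user, remote host and record type, so a flood like the one in the thread shows up as a single line with a count and a time span. The field layout is assumed from the sample in the thread (blank id and line fields collapse), the function name `wtmp_summary` is hypothetical, and the last sample line is constructed. In System V utmp.h numbering type 6 is LOGIN_PROCESS; confirm against /usr/include/utmp.h on the system.

```shell
#!/bin/sh
# Added example: summarise fwtmp text output per user, remote host and type.
# Assumed layout (id and line may be blank and then vanish from the line):
#   user [id] [line] type pid term exit epoch [host] Dow Mon DD HH:MM:SS TZ YYYY
# On AIX: /usr/lib/acct/fwtmp < /var/adm/wtmp | wtmp_summary 100

wtmp_summary() {
    # $1 = minimum record count for a group to be reported (default 1)
    # Output columns: user host type count span_seconds, busiest group first
    awk -v min="${1:-1}" '
    NF >= 12 {
        # The trailing date is six tokens, so count fields back from the end.
        if ($(NF-6) ~ /^[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]+$/) {
            host = "-"; e = NF - 6           # no remote host recorded
        } else {
            host = $(NF-6); e = NF - 7
        }
        t = e - 4                            # type is four fields before epoch
        if (t < 2 || $e !~ /^[0-9]+$/) next  # not a record this layout covers
        ts = $e + 0
        key = $1 " " host " " $t
        n[key]++
        if (!(key in first) || ts < first[key]) first[key] = ts
        if (ts > last[key]) last[key] = ts
    }
    END {
        for (k in n) if (n[k] >= min)
            printf "%s %d %d\n", k, n[k], last[k] - first[k] + 1
    }' | sort -k4,4nr
}

# Three records taken from the thread, plus one constructed local login.
SAMPLE='oracle 6 38450 0000 0000 1116870802 netmeeting.agg-i Mon May 23 13:53:22 EDT 2005
oracle 6 20236 0000 0000 1116870803 netmeeting.agg-i Mon May 23 13:53:23 EDT 2005
oracle 6 54394 0000 0000 1116870804 netmeeting.agg-i Mon May 23 13:53:24 EDT 2005
root 7 1234 0000 0000 1116870000 Mon May 23 13:40:00 EDT 2005'

# Report only groups with at least two records.
printf '%s\n' "$SAMPLE" | wtmp_summary 2
```

A high count over a short span for one user and host, as with the oracle entries here, points at the client to investigate before truncating wtmp again.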

