Lengthen SCO 5.0.6 or Linux wtmpx logs

© March 2005 CraigF

Author: CraigF
Date: Tue Mar 29 05:31:12 2005

Subject: Lengthen SCO 5.0.6 wtmpx logs

We required a timestamp on a login from a week ago, and due to the amount of logins since then, we only have logs for a couple of days at most.


Craig Foster

See also: I need information from "last", but most of it is gone!

See also: wtmpx empty (sco and linux)

1 comment

Tue Mar 29 09:55:45 2005: 242   TonyLawrence

Because it's cleaned out by a cron job (/etc/cleanup ) that by default runs on Sunday:

# grep wtmp /etc/cleanup
# If accounting isn't enabled, clean up wtmp and wtmpx,
: Do nothing - accounting will clean up wtmp and wtmpx
[ -f /etc/wtmp ] && >/etc/wtmp
[ -f /etc/wtmpx ] && >/etc/wtmpx

(Solaris clears it with /usr/lib/acct/runacct; Linux systems use logrotate, so change it in /etc/logrotate.conf.)

Having that run on Sunday is not ideal for forensics - "who logged in over the weekend?" is not an unusual question.

A good modification might be to output "last" to a file before cleaning it.
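The modification suggested above, worked out as an added example (this is not code from the original post, nor from SCO's /etc/cleanup): a POSIX sh function that, before truncating wtmp the way the cron job does, keeps a dated copy of the file and, where a "last" command is present, a text dump of it. The function name, the archive directory, the timestamped file naming and the default retention of 8 copies are all assumptions made for this example; the raw copy is kept as well as the text because "last -f" can be pointed at an archived wtmp later.

```shell
#!/bin/sh
# Added example, not part of the original post or of SCO's /etc/cleanup:
# preserve login records before the weekly truncation so "last" history
# survives.  archive_wtmp, the archive layout and the retention count are
# constructed for this example.

# archive_wtmp FILE ARCHIVE_DIR [KEEP]
#   1. copies FILE to ARCHIVE_DIR/<name>.<YYYYmmdd-HHMMSS>
#   2. if "last" exists, also writes "last -f FILE" to the same name + .txt
#   3. prunes all but the newest KEEP binary copies (and their .txt dumps)
#   4. truncates FILE exactly as /etc/cleanup does (">/etc/wtmp")
archive_wtmp() {
    file=$1
    dir=$2
    keep=${3:-8}                          # assumed default: ~2 months of weekly runs

    [ -f "$file" ] || return 0            # same "only if it exists" test as /etc/cleanup
    mkdir -p "$dir" || return 1

    stamp=$(date +%Y%m%d-%H%M%S)          # lexically sortable, so "sort -r" gives newest first
    base=$(basename "$file")
    copy="$dir/$base.$stamp"

    # Keep the binary record itself; "last -f" can read it later.
    cp -p "$file" "$copy" || return 1

    # Human-readable dump for quick grepping, when a "last" command is available.
    if command -v last >/dev/null 2>&1; then
        last -f "$file" > "$copy.txt" 2>/dev/null || :
    fi

    # Retention: list binary copies newest first, drop everything past KEEP.
    printf '%s\n' "$dir"/"$base".[0-9]*-[0-9]* |
        grep -v '\.txt$' |
        sort -r |
        tail -n +$((keep + 1)) |
        while read -r old; do
            rm -f "$old" "$old.txt"
        done

    : > "$file"                           # the original cleanup step, now last
}

# Example of use in place of the two lines in /etc/cleanup (paths assumed):
#   archive_wtmp /etc/wtmp  /var/adm/wtmp-archive
#   archive_wtmp /etc/wtmpx /var/adm/wtmp-archive
```

On Linux the same question is answered in /etc/logrotate.conf instead: the `/var/log/wtmp` stanza's `rotate` count decides how many old copies are kept, and `last -f /var/log/wtmp.1` reads the previous one.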


