/var/log/wtmp rotating?
Stefann:
--- Quote from: curaga on October 14, 2024, 02:29:27 AM ---The right place for this functionality would probably be busybox. We don't have default crontabs, cron isn't even running by default. If you know C, you could submit a patch to busybox.
--- End quote ---
I would be willing to send such a thing.
C is my favorite language.
But I currently do not work with GitHub (getting familiar with that is on the bucket list when job obligations get lower). So… I really do not feel in the position to do so.
As rich mentioned, “it’s not super urgent”.
Wtmp grows by about 1MB per year.
Frugal installs that do not have /var/log listed in .filetool.lst will likely get at least a reboot per year and then that 1MB will not really kill you, also on low RAM systems.
Still… it’s a memory leak on an out of the box system which is “not nice”.
One possibility is to erase wtmp with every system reboot. That way also systems that have /var/log in .filetool.lst will at least get a flush with a reboot.
Alternatively one could of course also take the position that “a user that deliberately puts /var/log in .filetool.lst should be smart enough to prevent overflow”. Which makes some sense.
At the end this is why I very much like tinycore.
As stated somewhere in the information “you get a fresh install at every reboot”. That is very very true!
Anything I “pollute by accident” is cleaned with a reboot.
The only thing I have to worry about are the things I on purpose did put in .filetool.lst.
So yeah…. That’s how I got attracted to this situation in the first place.
Rich:
Hi Stefann
--- Quote from: Stefann on October 14, 2024, 01:13:29 AM --- ... I feel the wtmp rotation can be converted similarly in a 1 line command. I will be able to figure that out. Just following the logic of the other command. ...
--- End quote ---
Maybe something like this:
--- Code: ---Entries=100 ; tail -c $(($Entries*384)) /var/log/wtmp > NewWtmp && sudo mv NewWtmp /var/log/wtmp
--- End code ---
Just change the value of Entries to how much history you wish to retain.
Just for the record, the number of entries that the "last" command reports
may not match FileSize/384. It seems when you close a terminal, that action
gets logged, but "last" does not report it.
Here I trim wtmp to 10 entries:
--- Code: ---Entries=10 ; tail -c $(($Entries*384)) /var/log/wtmp > NewWtmp && sudo mv NewWtmp /var/log/wtmp
--- End code ---
This is what last reports:
--- Code: ---tc@E310:~$ last -F -f /var/log/wtmp
tc pts/8 :0.0 Mon Oct 14 10:45:55 2024 - Mon Oct 14 10:45:57 2024 (00:00)
tc pts/7 :0.0 Mon Oct 14 09:22:07 2024 still logged in
tc pts/7 :0.0 Mon Oct 14 08:37:22 2024 - Mon Oct 14 09:22:07 2024 (00:44)
tc pts/7 :0.0 Sun Oct 13 08:26:48 2024 - Sun Oct 13 12:26:17 2024 (03:59)
tc pts/5 :0.0 Sun Oct 13 08:17:32 2024 still logged in
tc pts/5 :0.0 Sat Oct 12 09:32:51 2024 - Sat Oct 12 09:46:46 2024 (00:13)
tc pts/5 :0.0 Wed Oct 9 21:51:27 2024 - Sat Oct 12 09:32:51 2024 (2+11:41)
wtmp begins Wed Oct 9 21:51:27 2024
tc@E310:~$
--- End code ---
It shows 7 entries.
Using the perl script found at the link in reply #5 I get this:
--- Code: ---tc@E310:~$ ./ReadWtmp.sh < /var/log/wtmp | sort -r -k 3
Mon Oct 14 10:45:57 2024 Term tc pts/8 :0.0
Mon Oct 14 10:45:55 2024 Normal tc pts/8 :0.0
Mon Oct 14 09:22:07 2024 Normal tc pts/7 :0.0
Mon Oct 14 08:37:22 2024 Normal tc pts/7 :0.0
Sun Oct 13 12:26:17 2024 Term tc pts/7 :0.0
Sun Oct 13 08:26:48 2024 Normal tc pts/7 :0.0
Sun Oct 13 08:17:32 2024 Normal tc pts/5 :0.0
Sat Oct 12 09:46:46 2024 Term tc pts/5 :0.0
Sat Oct 12 09:32:51 2024 Normal tc pts/5 :0.0
Wed Oct 9 21:51:27 2024 Normal tc pts/5 :0.0
tc@E310:~$
--- End code ---
It shows 10 entries.
Note the two pts/8 entries. That was me opening then closing a terminal.
The last command only reports me opening the terminal at 10:45:55.
Just wanted to point that out in case anyone else notices that discrepancy.
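The discrepancy described above can be checked by tallying record types, shown here as an added example that is not part of the original post. It assumes the glibc record layout (384 bytes, `ut_type` in the first bytes, little-endian) and that the script's Normal and Term labels correspond to `USER_PROCESS` (7) and `DEAD_PROCESS` (8); the sample file is constructed to mirror the ten records listed above.

```shell
#!/bin/sh
# Added example: tally wtmp records by ut_type (constructed data).
# Assumptions: 384-byte glibc records, ut_type little-endian at offset 0,
# USER_PROCESS = 7 (login), DEAD_PROCESS = 8 (session ended).
REC=384

# make_typed_sample FILE: ten records in the oldest-to-newest order of the
# listing above (7 logins, 3 terminations); every other field is zero.
make_typed_sample() {
    : > "$1"
    for t in 7 7 8 7 7 8 7 7 7 8; do
        {
            case $t in 7) printf '\007' ;; 8) printf '\010' ;; esac
            dd if=/dev/zero bs=$((REC - 1)) count=1 2>/dev/null
        } >> "$1"
    done
}

# count_types FILE: prints "<login records> <termination records>".
count_types() {
    n=$(( $(wc -c < "$1") / REC )); r=0; user=0; dead=0
    while [ "$r" -lt "$n" ]; do
        # Low byte of ut_type for record r.
        t=$(od -An -tu1 -j $((r * REC)) -N 1 "$1" | tr -d ' \n')
        case $t in
            7) user=$((user + 1)) ;;
            8) dead=$((dead + 1)) ;;
        esac
        r=$((r + 1))
    done
    echo "$user $dead"
}

# Demo on the constructed file.
f=$(mktemp); make_typed_sample "$f"
echo "login/termination records: $(count_types "$f")"
rm -f "$f"
```

On this sample the tally is 7 login records and 3 termination records, which lines up with the 7 lines `last` printed and the 10 records in the raw dump.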
Stefann:
Hi rich,
Thanks,
As said, it will need to wait until next weekend before I will try.
In the meantime I keep reading (on iPad with a whiskey on the couch :) ).
Based on this info: https://www.unix.com/aix/226435-wtmp-empty-everyday.html
They claim “better to overwrite than to remove” to avoid the inode number getting changed, which makes me feel your
--- Code: ---sudo mv NewWtmp /var/log/wtmp
--- End code ---
Is probably less wanted.
I was actually thinking to use your earlier “normal log” solution, modified to byte count:
--- Code: ---echo "$(tail -c 19200 /var/log/wtmp)" > /var/log/wtmp
--- End code ---
Which should give me 50 entries as 19200=50x384
I’m not trying now though. The moment I start doing so, a few hours pass by very quickly and that does not fit the weekdays.
Rich:
Hi Stefann
--- Quote from: Stefann on October 14, 2024, 11:35:16 AM --- ... They claim “better to overwrite than to remove” to avoid the inode number getting changed, which makes me feel your
--- Code: ---sudo mv NewWtmp /var/log/wtmp
--- End code ---
Is probably less wanted. ...
--- End quote ---
I tried that initially but it won't work. The echo command strips out
all the zero chars (0x00) from the stream.
Try this:
--- Code: ---Entries=100 ; tail -c $(($Entries*384)) /var/log/wtmp > NewWtmp && sudo cp NewWtmp /var/log/wtmp; rm -rf NewWtmp
--- End code ---
That should leave the inode number unchanged.
See here:
https://stackoverflow.com/questions/62355054/copy-and-moves-command-effect-on-inode
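The three write-back variants discussed in this thread, compared on a constructed file, as an added example that is not code from any of the posts. It goes slightly beyond the one-liners by selecting whole records by index, so a partial trailing record cannot shift the 384-byte alignment; the function names and sample contents are assumptions.

```shell
#!/bin/sh
# Added example; file contents are constructed, function names hypothetical.
REC=384                                    # record size used in the thread

inode() { set -- $(ls -i "$1"); echo "$1"; }
size()  { wc -c < "$1" | tr -d ' '; }

# make_records FILE N: N fake records, "recNN" padded with NULs to REC bytes.
make_records() {
    : > "$1"; i=1
    while [ "$i" -le "$2" ]; do
        { printf 'rec%02d' "$i"; dd if=/dev/zero bs=$((REC - 5)) count=1 2>/dev/null; } >> "$1"
        i=$((i + 1))
    done
}

# echo_trim_size FILE N: bytes left after the echo "$(tail ...)" form;
# the NUL bytes do not survive the shell's command substitution.
echo_trim_size() {
    { echo "$(tail -c $(( $2 * REC )) "$1")"; } 2>/dev/null | wc -c | tr -d ' '
}

# mv_trim FILE N: tail to a new file, then mv over the original (new inode).
mv_trim() {
    tmp=$(mktemp "$1.XXXXXX") || return 1
    tail -c $(( $2 * REC )) "$1" > "$tmp" && mv "$tmp" "$1"
}

# trim_in_place FILE N: keep the newest N whole records, same inode.
trim_in_place() {
    whole=$(( $(size "$1") / REC ))        # a partial trailing record is dropped
    [ "$2" -lt "$whole" ] || return 0      # already short enough
    tmp=$(mktemp) || return 1
    # Select by record index so the result stays on 384-byte boundaries.
    dd if="$1" of="$tmp" bs="$REC" skip=$((whole - $2)) count="$2" 2>/dev/null \
        || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$1"                      # truncate and rewrite the same file
    rm -f "$tmp"
}

# Demo on a constructed 20-record file.
d=$(mktemp -d); f=$d/wtmp; make_records "$f" 20
echo "echo form: $(echo_trim_size "$f" 10) of $((10 * REC)) bytes survive"
i0=$(inode "$f"); trim_in_place "$f" 10
echo "in place:  inode $i0 -> $(inode "$f"), size $(size "$f")"
mv_trim "$f" 10
echo "mv:        inode $i0 -> $(inode "$f"), size $(size "$f")"
rm -rf "$d"
```

Like the `cp` one-liner, the in-place rewrite is not atomic, so a record appended between the read and the rewrite can be lost.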
Stefann:
Hi rich,
Thanks!
Will do,
As said.. need to wait for weekend