curious wtmp date

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View
When I logged into one of my servers today I ran last and it showed only
one login. Which as far as I know is correct because I'm pretty sure that
I haven't logged into this server this month.  But I looked at the bottom
and saw that the line

wtmp begins Wed Jul 6 13:45:30 2005

I checked some other servers and they begin
wtmp begins Wed Jul 6 14:55:54 2005
wtmp begins Wed Jul 6  9:30:27 2005

All 3 of these files show the initial logon that I made today only.  Which
as far as I know this is correct since I rarely logon to these servers.

2 other servers which I logged into showed that the file begins when I
logged into them.

Another server shows
wtmp begins Fri Jul 1 15:43:32 2005
but doesn't show a login for this time, the first login is Jul 5

This seems to be a little odd to me.  Is this something I should be
concerned about or is there an explanation for this other than someone is
hacking the servers and manipulating the wtmp files.

Re: curious wtmp date

On Fri, 08 Jul 2005 20:57:20 -0500, Philip Washington
Quoted text here. Click to load it
Have you checked whether there are any "old" wtmp files?
(ls -l /var/log/*wtmp*)
Is it possible your machines have been rebooted, perhaps due to a power

Tonight you will pay the wages of sin; Don't forget to leave a tip.

Re: curious wtmp date

On Sat, 09 Jul 2005 00:31:03 -0400, Bill Marcum wrote:

Quoted text here. Click to load it
yes there is another file, wtmp.1.  This file start on June 5th with
correlating to a reboot.  I did look at /var/log/messages and the start
time for the wtmp file correlates to a logout.  But, there is a cron job
which runs on another server and copies files over to this server using
scp and this login shows up for July 4th but does not show up when I run

So far I have not been able to locate the cron job or configuration file
which tells the system how to handle different log files.  I know I've
seen it before, just can't remember right now where it is.  

Re: curious wtmp date

Philip Washington wrote:
Quoted text here. Click to load it

Many systems have cron jobs that clear wtmp weekly.

Tony Lawrence
Unix/Linux/Mac OS X  resources:

Re: curious wtmp date

Quoted text here. Click to load it

What you are seeing is the effect of normal log-rotation. Shouldn't be
anything to worry about.

Site Timeline