On Sat, Dec 26, 2015 at 11:00 AM, Duncan Patton a Campbell <campb...@neotext.ca> wrote: ... >> So, the file isn't growing. Why? Is the filesystem full? Is /var >> not mounted read-write? > # df > Filesystem 512-blocks Used Avail Capacity Mounted on > /dev/sd2a 49547260 8237420 38832480 18% / > # mount > /dev/sd2a on / type ffs (local) > # last > > wtmp begins Sat Dec 26 11:55 2015 > > l /var/log/wtmp > - -rw-r--r-- 1 root wheel 0 Dec 26 04:00 /var/log/wtmp > > And the only mention of wtmp in /etc is in newsyslog.conf > > newsyslog.conf:/var/log/wtmp 644 7 * $W6D4 > B > > and in mtree/special > mtree/special:wtmp type=file mode=0644 uname=root gname=wheel
So what are you going to do next to track this down? ktrace a getty/login process to see what happens when it does the open/write? Reinstall/upgrade to known good binaries and see if it continues? Or ignore it and hope it's not because someone guessed your password and has installed a login binary that doesn't record anything in wtmp? Philip Guenther
