On Sat, 26 Dec 2015 11:10:06 -0800
Philip Guenther <guent...@gmail.com> wrote:

> On Sat, Dec 26, 2015 at 11:00 AM, Duncan Patton a Campbell
> <campb...@neotext.ca> wrote:
> ...
> >> So, the file isn't growing. Why? Is the filesystem full? Is /var
> >> not mounted read-write?
> >
> > # df
> > Filesystem  512-blocks     Used     Avail Capacity  Mounted on
> > /dev/sd2a     49547260  8237420  38832480    18%    /
> > # mount
> > /dev/sd2a on / type ffs (local)
> > # last
> >
> > wtmp begins Sat Dec 26 11:55 2015
> >
> > l /var/log/wtmp
> > -rw-r--r-- 1 root wheel 0 Dec 26 04:00 /var/log/wtmp
> >
> > And the only mention of wtmp in /etc is in newsyslog.conf
> >
> > newsyslog.conf:/var/log/wtmp 644 7
> > * $W6D4 B
> >
> > and in mtree/special
> > mtree/special:wtmp type=file mode=0644 uname=root
> > gname=wheel
>
> So what are you going to do next to track this down? ktrace a
> getty/login process to see what happens when it does the open/write?
> Reinstall/upgrade to known good binaries and see if it continues? Or
> ignore it and hope it's not because someone guessed your password and
> has installed a login binary that doesn't record anything in wtmp?
>
>
> Philip Guenther
>

After further investigation, I'm gonna have to admit to not looking or reading
deep enough. The problem occurred when my syslog wrapped and reset all to null.
Then when last or whatever gets called if it finds nothing in the file it resets
the sucker to "now"....

Anyways that's what it looks like ... I've changed newsyslog.conf and we'll see.

Thanks eh,

Dhu

-- 
http://babayaga.neotext.ca/PublicKeys/Duncan_Patton_a_Campbell_pubkey.txt
Ne obliviscaris, vix ea nostra voco.
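
The distinction this thread ends on, an empty wtmp that newsyslog rotation explains versus one that nothing explains, can be checked mechanically. The script below is an added example, not code from either poster; the function names, verdict words and the temporary-directory fixture are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: triage an empty wtmp. Verdict words are hypothetical:
#   active   file holds records
#   rotated  empty, listed in newsyslog.conf, and a rotated generation has data
#   suspect  empty with nothing to explain it
#   missing  file does not exist

wtmp_triage() {
    log=$1
    conf=$2
    [ -e "$log" ] || { echo missing; return 0; }
    [ -s "$log" ] && { echo active; return 0; }
    # newsyslog.conf: the first field is the log path; comment lines never match.
    managed=$(awk -v f="$log" '$1 == f { print "yes"; exit }' "$conf" 2>/dev/null) || managed=no
    # Rotated generations are named wtmp.0, wtmp.1, ... (plus .gz with the Z flag).
    for old in "$log".[0-9]*; do
        if [ "$managed" = yes ] && [ -s "$old" ]; then
            echo rotated
            return 0
        fi
    done
    echo suspect
}

# Constructed fixture mirroring the thread: a 0-byte wtmp, the quoted
# newsyslog.conf entry, and one rotated generation with data in it.
wtmp_demo() {
    d=$(mktemp -d) || return 1
    : > "$d/wtmp"
    printf 'constructed-record\n' > "$d/wtmp.0"
    printf '%s 644 7 * $W6D4 B\n' "$d/wtmp" > "$d/newsyslog.conf"
    wtmp_triage "$d/wtmp" "$d/newsyslog.conf"
    rm -rf "$d"
}

# Real use: sh wtmp_triage.sh /var/log/wtmp /etc/newsyslog.conf
if [ $# -ge 2 ]; then
    wtmp_triage "$1" "$2"
fi
```

A `rotated` verdict means the earlier login records should still be readable from the previous generation with `last -f /var/log/wtmp.0`; `suspect` is the case where the follow-up steps quoted above (ktrace, known-good binaries) apply.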