Link to home
Start Free TrialLog in
Avatar of craig Fenn
craig Fenn

asked on

I need a aix script to truncate wtmp to 90 days from today. Can't use logrotate not allowed.

I need a script to truncate the wtmp to 90 days. I can't use logrotate.
Anyone have something similar out there?
Avatar of woolmilkporc
woolmilkporc
Flag of Germany image
Hi,

I have a script to truncate the wtmp file to a certain number of lines (5000 in the example below):

LINES=5000
/usr/sbin/acct/fwtmp < /var/adm/wtmp > /tmp/wtmp.full
tail -n $LINES /tmp/wtmp.full > /tmp/wtmp.short
/usr/sbin/acct/fwtmp -ic < /tmp/wtmp.short > /var/adm/wtmp
rm -f /tmp/wtmp.full /tmp/wtmp.short

Truncating by days would require much more effort. Do you really need it?
Avatar of craig Fenn
craig Fenn

ASKER

I do.
I have something similar to that as well but this is a specific request.
Avatar of woolmilkporc
woolmilkporc
Flag of Germany image
With

/usr/sbin/acct/fwtmp  < /var/adm/wtmp

do you see the last columns in this format:

 Mon Nov 10 18:26:38 Timezone 2014

i.e. exactly 6 fields from "day of week" to "year"? If you don't please post some sample lines!

(I don't need that date for calculations, I just need a criterion to distinguish between logon and logoff records!)
Avatar of woolmilkporc
woolmilkporc
Flag of Germany image
If the format of the last columns (date/time in readable format) is as specified above try this:

DAYS=90 # Number of days to be kept
NOW=$(date "+%s")
SECS=$((DAYS*86400))
CUT=$((NOW-SECS))
/usr/sbin/acct/fwtmp < /var/adm/wtmp > /tmp/wtmp.full
awk -v cut=$CUT '!/openacct/ {check=$7; if(NF>13) check=$8; if(check>cut) print}' /tmp/wtmp.full > /tmp/wtmp.short
/usr/sbin/acct/fwtmp -ic < /tmp/wtmp.short > /var/adm/wtmp
rm -f /tmp/wtmp.full /tmp/wtmp.short
Avatar of craig Fenn
craig Fenn

ASKER

This is what it looks like.
orastart orastart                     5 426196 0000 0000 1324297901                                  Mon Dec 19 07:31:41 EST 2011
         orastart                           8 426196 0000 0000 1324297963                                  Mon Dec 19 07:32:43 EST 2011
         ctrmc                               8 401604 0000 0000 1324297963                                  Mon Dec 19 07:32:43 EST 2011
orastart orastart                     5 889028 0000 0000 1324297963                                  Mon Dec 19 07:32:43 EST 2011
         orastart                           8 889028 0000 0001 1324297964                                  Mon Dec 19 07:32:44 EST 2011
startlaw startlaw                     5 889030 0000 0000 1324297964                                  Mon Dec 19 07:32:44 EST 2011
Avatar of woolmilkporc
woolmilkporc
Flag of Germany image
Do you really have a username in the first column of each line?

Obfuscatiing host or IP is of course OK, but removing it entirely is heavily misleading. I hope you didn't do that.
Avatar of woolmilkporc
woolmilkporc
Flag of Germany image
Your posted output format given this is a clean solution:
#!/bin/ksh
DAYS=90 # Number of days to be kept
NOW=$(date "+%s")
SECS=$((DAYS*86400))
CUT=$((NOW-SECS))
/usr/sbin/acct/fwtmp < /var/adm/wtmp > /tmp/wtmp.full
awk -v cut=$CUT '!/openacct/ {check=$(NF-6); if(check~"[a-zA-Z.]") check=$(NF-7); if(check>cut) print}' /tmp/wtmp.full >/tmp/wtmp.short
/usr/sbin/acct/fwtmp -ic < /tmp/wtmp.short > /var/adm/wtmp
rm -f /tmp/wtmp.full /tmp/wtmp.short

Open in new window

Avatar of craig Fenn
craig Fenn

ASKER

I received the following error:
 

Syntax Error The source line is 1.
 The error context is
                !/openacct/ {check=$(NF-6); >>>  if($(NF-6)~[ <<<
 awk: 0602-502 The statement cannot be correctly parsed. The source line is 1.
ASKER CERTIFIED SOLUTION
Avatar of woolmilkporc
woolmilkporc
Flag of Germany image
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of craig Fenn
craig Fenn

ASKER

Worked Great!
Thanks so much!