Solved

I need a aix script to truncate wtmp to 90 days from today. Can't use logrotate not allowed.

Posted on 2014-11-10
10
279 Views
Last Modified: 2014-11-10
I need a script to truncate the wtmp to 90 days. I can't use logrotate.
Anyone have something similar out there?
0
Comment
Question by:craig Fenn
  • 6
  • 4
10 Comments
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 40433134
Hi,

I have a script to truncate the wtmp file to a certain number of lines (5000 in the example below):

LINES=5000
/usr/sbin/acct/fwtmp < /var/adm/wtmp > /tmp/wtmp.full
tail -n $LINES /tmp/wtmp.full > /tmp/wtmp.short
/usr/sbin/acct/fwtmp -ic < /tmp/wtmp.short > /var/adm/wtmp
rm -f /tmp/wtmp.full /tmp/wtmp.short

Truncating by days would require much more effort. Do you really need it?
0
 

Author Comment

by:craig Fenn
ID: 40433141
I do.
I have something similar to that as well but this is a specific request.
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 40433231
With

/usr/sbin/acct/fwtmp  < /var/adm/wtmp

do you see the last columns in this format:

 Mon Nov 10 18:26:38 Timezone 2014

i.e. exactly 6 fields from "day of week" to "year"? If you don't please post some sample lines!

(I don't need that date for calculations, I just need a criterion to distinguish between logon and logoff records!)
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 40433253
If the format of the last columns (date/time in readable format) is as specified above try this:

DAYS=90 # Number of days to be kept
NOW=$(date "+%s")
SECS=$((DAYS*86400))
CUT=$((NOW-SECS))
/usr/sbin/acct/fwtmp < /var/adm/wtmp > /tmp/wtmp.full
awk -v cut=$CUT '!/openacct/ {check=$7; if(NF>13) check=$8; if(check>cut) print}' /tmp/wtmp.full > /tmp/wtmp.short
/usr/sbin/acct/fwtmp -ic < /tmp/wtmp.short > /var/adm/wtmp
rm -f /tmp/wtmp.full /tmp/wtmp.short
0
 

Author Comment

by:craig Fenn
ID: 40433332
This is what it looks like.
orastart orastart                     5 426196 0000 0000 1324297901                                  Mon Dec 19 07:31:41 EST 2011
         orastart                           8 426196 0000 0000 1324297963                                  Mon Dec 19 07:32:43 EST 2011
         ctrmc                               8 401604 0000 0000 1324297963                                  Mon Dec 19 07:32:43 EST 2011
orastart orastart                     5 889028 0000 0000 1324297963                                  Mon Dec 19 07:32:43 EST 2011
         orastart                           8 889028 0000 0001 1324297964                                  Mon Dec 19 07:32:44 EST 2011
startlaw startlaw                     5 889030 0000 0000 1324297964                                  Mon Dec 19 07:32:44 EST 2011
0
Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

 
LVL 68

Expert Comment

by:woolmilkporc
ID: 40433346
Do you really have a username in the first column of each line?

Obfuscatiing host or IP is of course OK, but removing it entirely is heavily misleading. I hope you didn't do that.
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 40433378
Your posted output format given this is a clean solution:
#!/bin/ksh
DAYS=90 # Number of days to be kept
NOW=$(date "+%s")
SECS=$((DAYS*86400))
CUT=$((NOW-SECS))
/usr/sbin/acct/fwtmp < /var/adm/wtmp > /tmp/wtmp.full
awk -v cut=$CUT '!/openacct/ {check=$(NF-6); if(check~"[a-zA-Z.]") check=$(NF-7); if(check>cut) print}' /tmp/wtmp.full >/tmp/wtmp.short
/usr/sbin/acct/fwtmp -ic < /tmp/wtmp.short > /var/adm/wtmp
rm -f /tmp/wtmp.full /tmp/wtmp.short

Open in new window

0
 

Author Comment

by:craig Fenn
ID: 40433439
I received the following error:
 

Syntax Error The source line is 1.
 The error context is
                !/openacct/ {check=$(NF-6); >>>  if($(NF-6)~[ <<<
 awk: 0602-502 The statement cannot be correctly parsed. The source line is 1.
0
 
LVL 68

Accepted Solution

by:
woolmilkporc earned 500 total points
ID: 40433444
Somehow the double quotes around the regex must have been lost (?) The awk command should read:

awk -v cut=$CUT '!/openacct/ {check=$(NF-6); if($(NF-6)~"[a-zA-Z.]") check=$(NF-7); if(check>cut) print}' /tmp/wtmp.full >/tmp/wtmp.short
0
 

Author Closing Comment

by:craig Fenn
ID: 40433488
Worked Great!
Thanks so much!
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Hello fellow BSD lovers, I've created a patch process for patching openjdk6 for BSD (FreeBSD specifically), although I tried to keep all BSD versions in mind when creating my patch. Welcome to OpenJDK6 on BSD First let me start with a little …
Let's say you need to move the data of a file system from one partition to another. This generally involves dismounting the file system, backing it up to tapes, and restoring it to a new partition. You may also copy the file system from one place to…
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…

895 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now