Last command doesn`t show all connections

jestin_virtual

Active Member
Sep 2, 2009
41
0
56
Hello !

i have 10 websites based on WHM , we are not selling share hosting and using server only for our company`s websites

i have never removed my Logs and i didn`t update Apache for long time !

when i check the "Last "Command all logs has started from 1st-Oct is it mean someone has access to our server and he has deleted the Logs ? (using this server since 2006)

However , history has not removed and i couldn`t find any command which could deleted my logs ,

it might be problem ? of course i couldn`t find anything in history but they could use MC to remove something

just let me know how to "Last" logs could be deleted !!

Thank You
 
Last edited:

Infopro

Well-Known Member
May 20, 2003
17,076
523
613
Pennsylvania
cPanel Access Level
Root Administrator
Twitter
In your WHM, top left, type in the word rotation. Click the single result shown to check your log rotation settings the system handles for you. Your logs may simply have been rotated.

Older backed up logs for many things can be found in /var/log/ for example messages log is backed up to be messages.1 (or .2 .3 or .4)
 

jestin_virtual

Active Member
Sep 2, 2009
41
0
56
rotate has not been set in WHM !


and also please check the below settings :


[[email protected] /]# cat /etc/logrotate.conf
# see "man logrotate" for details
# rotate log files weekly
weekly

# keep 4 weeks worth of backlogs
rotate 4

# create new (empty) log files after rotating old ones
create

# uncomment this if you want your log files compressed
#compress

# RPM packages drop log rotation information into this directory
include /etc/logrotate.d

# no packages own wtmp -- we'll rotate them here
/var/log/wtmp {
monthly
create 0664 root utmp
rotate 1
}

# system-specific logs may be also be configured here.
[[email protected] /]#
 

cPanelDon

cPanel Quality Assurance Analyst
Staff member
Nov 5, 2008
2,544
12
268
Houston, Texas, U.S.A.
cPanel Access Level
DataCenter Provider
Twitter
when i check the "Last" Command all logs has started from 1st-Oct is it mean someone has access to our server and he has deleted the Logs ? (using this server since 2006)

However , history has not removed and i couldn`t find any command which could deleted my logs ,

it might be problem ? of course i couldn`t find anything in history but they could use MC to remove something

just let me know how to "Last" logs could be deleted !!
The symptoms described are normal and indicates that your OS' logrotate configuration was (by default) setup to automatically rotate (archive and optionally compress) old wtmp log data. You can check if you have older copies of the wtmp log using the following command via root SSH access:
Code:
# ls -al /var/log/wtmp*
cPanel/WHM uses "cpanellogd" for its own log rotation features and does not change your OS' logrotate configuration. You may, however, view or modify your OS' logrotate configuration at any time, preferably after making appropriate backup copies.

Here is the path to logrotate's configuration file(s):
/etc/logrotate.conf
/etc/logrotate.d/

On a test system with CentOS v4, the wtmp log file is configured for rotation directly within logrotate.conf, but to help check where it may be on your system you can run the following command:
Code:
# grep -HinR "wtmp" /etc/logrotate.*
Please reference the following related "man" (manual) pages for more verbose documentation:
Code:
# man last
# man wtmp
# man logrotate
 

cPanelDon

cPanel Quality Assurance Analyst
Staff member
Nov 5, 2008
2,544
12
268
Houston, Texas, U.S.A.
cPanel Access Level
DataCenter Provider
Twitter
and also please check the below settings :

[[email protected] /]# cat /etc/logrotate.conf
# see "man logrotate" for details
# rotate log files weekly
weekly

# keep 4 weeks worth of backlogs
rotate 4

# create new (empty) log files after rotating old ones
create

# uncomment this if you want your log files compressed
#compress

# RPM packages drop log rotation information into this directory
include /etc/logrotate.d

# no packages own wtmp -- we'll rotate them here
/var/log/wtmp {
monthly
create 0664 root utmp
rotate 1
}

# system-specific logs may be also be configured here.
[[email protected] /]#
The quoted logrotate configuration is normal and comes with your OS installation and specifically the logrotate software package, (not cPanel/WHM). The specific entry for "/var/log/wtmp" indicates your logrotate configuration is set to rotate the log data used by "last" on a monthly basis; this is why when using "last" it appeared to reset or only go back as far as the 1st day of the month.