
wtmp, who, w, last

Discussion in 'General Discussion' started by GypsyMage, Mar 10, 2006.

  1. GypsyMage

    They all stopped logging. The wtmp hasn't been updated for 4 days now. Obviously, the other commands work off wtmp... why would my wtmp stop logging?
     
  2. chirpy

    Could be wtmp is corrupt. Try renaming it out of the way and create a new one with:

    touch /var/log/wtmp
     
  3. GypsyMage


    That didn't help. I had tried removing and recreating wtmp, but no go. I even rebooted and lost my 250 day uptime. Still not fixed. I'm a bit concerned that I was hacked, but I ran chkroot and other scans with no success.

    Any help is appreciated!
     
  4. AndyReed

    Restart the system-wide log daemon:
    /sbin/service syslog restart
     
  5. GypsyMage

    I already tried that, no go.
     
    #5 GypsyMage, Mar 21, 2006
    Last edited: Mar 21, 2006
  6. AndyReed

    Although it is hard to say what's going on with your server, try killing all syslog processes and then starting it again. See if that works. Also make sure the log files are there with the correct uid/gid.
     
  7. GypsyMage

    That also does not work. All permissions/groups are correct on the file.

    One thing that did strike me as weird... when I did the reboot (`reboot`), it added a reboot line to the wtmp log. Do both reboot and sshd route to wtmp through PAM? Or are they handled differently?
     
  8. amal

    Hi,

    I'm also having the same issue... :( Did you find a fix for it?
     
  9. GypsyMage

    No, I did not. I am still having the issue though. Everything works fine except for wtmp.
     
  10. bijo

    Hello,

    Is there any other wtmp file, like wtmp.1 or wtmp.2? Maybe it is still writing to the wtmp.1 file. Also check the dates of those files.

    ------------------------
    ls -al /var/log/wtmp*
    ------------------------

    If any one of the files was modified today, move that file to /var/log/wtmp. Before moving it to wtmp, you can test it using the following command:
    --------------------------
    last -f /var/log/wtmp.1
    --------------------------

    Maybe it will help you.
     
  11. GypsyMage

    root@s1 [/var/log]# ls -al wtmp*
    -rw-rw-r-- 1 root utmp 12288 Mar 20 22:12 wtmp
    -rw-rw-r-- 1 root utmp 106752 Feb 28 21:35 wtmp.1
    -rw-rw-r-- 1 root utmp 20736 Mar 7 23:01 wtmp.old
    root@s1 [/var/log]#

    The March 20th date is the last time I tried re-creating one.

    The reboot command still writes to wtmp, just not SSH/FTP.
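
The symptom reported in the post above (reboot records still arriving in wtmp while SSH/FTP logins do not) can be confirmed by reading the file per record type. This is an added example, not code from the thread: it assumes the 384-byte glibc record layout on little-endian Linux (the file sizes in the `ls` listing above are all multiples of 384), and the sample records, the user `alice` and the address 192.0.2.10 are constructed.

```python
import struct
from collections import defaultdict

# Assumed layout: glibc Linux utmp/wtmp record, 384 bytes, little-endian.
REC = struct.Struct("<hxxi32s4s32s256shhiii4i20s")
TYPES = {1: "RUN_LVL", 2: "BOOT_TIME", 6: "LOGIN_PROCESS",
         7: "USER_PROCESS", 8: "DEAD_PROCESS"}

def _text(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def parse_wtmp(data):
    """Yield (type, user, line, host, epoch) for every complete record."""
    for off in range(0, len(data) - REC.size + 1, REC.size):
        f = REC.unpack_from(data, off)
        yield TYPES.get(f[0], str(f[0])), _text(f[4]), _text(f[2]), _text(f[5]), f[9]

def summarize(data):
    """Return ({type: [count, newest_epoch]}, trailing_partial_bytes)."""
    stats = defaultdict(lambda: [0, 0])
    for typ, _user, _line, _host, ts in parse_wtmp(data):
        stats[typ][0] += 1
        stats[typ][1] = max(stats[typ][1], ts)
    return dict(stats), len(data) % REC.size

def login_gap(data, now):
    """Seconds since the newest USER_PROCESS (login) record, or None if none."""
    stats, _partial = summarize(data)
    if "USER_PROCESS" not in stats:
        return None
    return now - stats["USER_PROCESS"][1]

def make_record(ut_type, pid, line, user, host, ts):
    """Pack one record; used only to build the constructed sample."""
    return REC.pack(ut_type, pid, line, b"", user, host,
                    0, 0, 0, ts, 0, 0, 0, 0, 0, b"")

# Constructed sample: a boot, one SSH login, then a later reboot with no
# login records after it (the pattern reported in the thread).
T0 = 1141000000
SAMPLE = (make_record(2, 0, b"~", b"reboot", b"", T0)
          + make_record(7, 4242, b"pts/0", b"alice", b"192.0.2.10", T0 + 60)
          + make_record(2, 0, b"~", b"reboot", b"", T0 + 864000))

if __name__ == "__main__":
    stats, partial = summarize(SAMPLE)
    for typ, (count, newest) in sorted(stats.items()):
        print(f"{typ:13} count={count} newest={newest}")
    print("trailing partial bytes:", partial)
    print("seconds since last login record:", login_gap(SAMPLE, T0 + 867600))
```

A fresh BOOT_TIME entry next to a stale USER_PROCESS entry means the file itself is writable and the gap lies with the login services; a non-zero trailing byte count points to a truncated or corrupt file instead.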
     
  12. rahnuma

    I am also having exactly the same issue. I tried all the above-mentioned methods to make it work, but nothing worked. One thing I see with my log files is that sometimes logrotate creates an empty log file but logging is still being done to the older file; for example, /var/log/messages is empty but logging is being written to /var/log/messages.1. Does logrotate have something to do with this problem?

    Regards,
     
  13. orudge

    I've been having this problem for a couple of months - it just spontaneously started not recording such details. Finally discovered today what seems to be the reason for it:

    http://kb.swsoft.com/article_133_1146_en.html

    (although the page is talking about Virtuozzo, the problem is actually with the sshd included with CentOS).

    It seems an sshd update may have caused this. I'm not sure if disabling PAM is a good idea in the way this article suggests. If you want to see who is logged in:

    ps ax | grep ssh

    ought to do the trick.

    Hope this helps!
     
  14. GypsyMage

    I'll be damned. That definitely fixed the problem.

    From the bug report:
    Likewise though, I'm not too happy about having to disable PAM and use std unix login. Not that it matters on my box with 30 users, but still. I'm going to trace through the sshd stack and see where it's erroring for PAM.

    I'm running:
    OpenSSH_3.9p1, OpenSSL 0.9.7a Feb 19 2003

    Since it's an older version of openssl (.9.8 is the newest), I doubt it's an SSHD problem. Probably a PAM or security update that cPanel pushed down. Any thoughts?
     
    #14 GypsyMage, May 11, 2006
    Last edited: May 11, 2006
  15. taotoon

    UsePAM yes
    UseLogin yes


    I use 'yes' for both and it works!
    I think the magic key is 'UseLogin yes'.

    By the way, ftp still didn't log.
     
  16. taotoon

    I switched to proftpd and now it's logging...


    root@vps [~]# last
    root ttyp0 81.47.150.103 Fri Jun 23 08:21 still logged in
    taotoon ftpd12024 225.128.106.190 Thu Jun 22 18:41 - 19:01 (00:19)
    taotoon ftpd9696 225.128.106.190 Thu Jun 22 18:41 - 18:41 (00:00)
    thnow ftpd3867 225.128.106.190 Thu Jun 22 18:40 - 18:41 (00:01)
    taotoon ftpd1648 225.128.106.190 Thu Jun 22 18:39 - 18:40 (00:00)
    thnow ttyp1 225.128.106.190 Thu Jun 22 18:01 - 18:23 (00:21)
    root ttyp0 225.128.106.190 Thu Jun 22 18:00 - 00:54 (06:53)
    reboot system boot 2.6.8-022stab070 Mon Jun 19 16:12 (3+16:10)

    wtmp begins Mon Jun 19 16:12:29 2006
     