We are using a lot of ssh sensors that provide very helpful information, and so we poll our Unix machines frequently. Each such poll is registered as a "login" in the system's /var/log/wtmp file, which grows rapidly and without bound. On some of our servers, there is little free disk space on the root partition, so this does cause us problems.


Article Comments

Unfortunately, this behavior depends on the Linux distribution you are using.

You can circumvent the issue by fine-tuning the logrotate settings on the Linux system. The default setting on many distributions is to rotate this file monthly and to keep one old file. This way you can reproduce logins for the last 30 - 60 days.

You can set up logrotate to rotate the file daily, compress the old data and keep the last 60 files. For example, the default from /etc/logrotate.conf

    /var/log/wtmp {
        missingok
        monthly
        create 0664 root utmp
        rotate 1
    }

can be modified to

    /var/log/wtmp {
        missingok
        daily
        create 0664 root utmp
        rotate 60
        # delaycompress only takes effect when compress is also enabled
        compress
        delaycompress
        dateext
    }

This will leave the current file (today) and the previous one (yesterday) uncompressed, compress older files and add a timestamp to the old file during rotation. Files older than 60 days are removed automatically.


Nov, 2014
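To see which account and source host are filling wtmp before settling on a rotation schedule, the following added example (not part of the original post or comment) counts login records per user and host. It assumes the 384-byte Linux/glibc utmp record layout used on x86_64; the function names and the sample records are constructed for illustration.

```python
import struct
from collections import Counter

# Assumed layout: Linux/glibc struct utmp on x86_64, 384 bytes per record.
# Fields: type, pid, line, id, user, host, exit(2), session, tv(2), addr_v6(4), unused
UTMP = struct.Struct("<h2xi32s4s32s256shhiii4i20s")
USER_PROCESS = 7  # ut_type written for a login
DEAD_PROCESS = 8  # ut_type written when the session ends


def _text(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def login_sources(data):
    """Count login records per (user, host) in raw wtmp bytes."""
    counts = Counter()
    usable = len(data) - len(data) % UTMP.size  # ignore a truncated tail
    for rec in UTMP.iter_unpack(data[:usable]):
        if rec[0] == USER_PROCESS:
            counts[(_text(rec[4]), _text(rec[5]))] += 1
    return counts


def make_record(ut_type, user, host, ts):
    """Build one constructed record (hypothetical helper for the demo)."""
    return UTMP.pack(ut_type, 4242, b"pts/0", b"ts/0", user.encode(),
                     host.encode(), 0, 0, 0, ts, 0, 0, 0, 0, 0, b"")


if __name__ == "__main__":
    # Constructed sample: a monitoring account polling every 60 s for an hour,
    # each poll leaving a login and a logout record, plus one admin login.
    # On a real host, read /var/log/wtmp in binary mode instead.
    sample = b"".join(
        make_record(USER_PROCESS, "monitor", "192.0.2.10", 1416000000 + 60 * i)
        + make_record(DEAD_PROCESS, "", "", 1416000001 + 60 * i)
        for i in range(60)
    ) + make_record(USER_PROCESS, "admin", "198.51.100.7", 1416003600)

    for (user, host), n in login_sources(sample).most_common():
        print(f"{n:5d}  {user}@{host}")
    print(f"{len(sample)} bytes written in one hour")
```

If one monitoring account dominates the output, the file size per day follows directly from the poll interval, which tells you whether the 60 retained files will fit on the root partition.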