Earlier today, while investigating the logs on a CentOS Linux server, I noticed that the btmp file (the binary log of failed login attempts) had grown to over 5GB. I was curious to look into the log, but when I attempted to read the 5GB file using last I received an error, since last will only handle files that are 2GB in size or less. So what needs to happen is to split the file into multiple pieces so they can be read with the last command. Below I describe the error in detail, how to resolve it by splitting the btmp file into multiple files, and then how to join them back together if you need to read entries older than the last split file.
Large btmp File Not Read By last Command On Linux:
    [root@dev log]# last -f btmp
    last: btmp: File too large
    [root@dev log]#
Use ls To View Size Of btmp File On CentOS Linux:
    [root@dev log]# ls -alh | grep btmp
    -rw------- 1 root utmp 5.0G Jan 17 12:27 btmp
    [root@dev log]#
Split btmp File Into Multiple Files To Read Using last:
- Install lxsplit: Install lxsplit from the EPEL repository on CentOS Linux. If the EPEL repo is not installed you can install it using the instructions located here. If you are using another distribution, a quick Google search should return information on how to install lxsplit, after which you can continue to the next step. On CentOS Linux, installing lxsplit via yum will look similar to the below.
    [root@dev log]# yum install lxsplit
    Loaded plugins: fastestmirror
    Loading mirror speeds from cached hostfile
     * addons: dist1.800hosting.com
     * atomic: www4.atomicorp.com
     * base: mirror.san.fastserv.com
     * epel: mirrors.tummy.com
     * extras: mirrors.tummy.com
     * rpmforge: ftp-stud.fht-esslingen.de
     * updates: mirror.raystedman.net
    Setting up Install Process
    Resolving Dependencies
    --> Running transaction check
    ---> Package lxsplit.i386 0:0.2.2-4.el5 set to be updated
    --> Finished Dependency Resolution

    Dependencies Resolved

    ==========================================================================
     Package          Arch        Version              Repository       Size
    ==========================================================================
    Installing:
     lxsplit          i386        0.2.2-4.el5          epel             17 k

    Transaction Summary
    ==========================================================================
    Install       1 Package(s)
    Upgrade       0 Package(s)

    Total download size: 17 k
    Is this ok [y/N]: y
    Downloading Packages:
    lxsplit-0.2.2-4.el5.i386.rpm                             |  17 kB     00:00
    Running rpm_check_debug
    Running Transaction Test
    Finished Transaction Test
    Transaction Test Succeeded
    Running Transaction
      Installing     : lxsplit                                          1/1

    Installed:
      lxsplit.i386 0:0.2.2-4.el5

    Complete!
    [root@dev log]#
- Determine btmp Split Size: Based on the size of your btmp file you may want to split it into smaller or larger pieces using lxsplit. I recommend viewing lxsplit --help, as displayed below, to see how lxsplit works, and then choosing the split size based on how much history from the btmp log you need to read.
    [root@dev log]# lxsplit --help
    LXSplit v0.2.2 by Richard Stellingwerff.
    Usage: lxsplit [OPTION] [FILE] [SPLITSIZE]
    Available options:
      -j : join the files beginning with the given name
      -s : split the given file. requires a valid size
    Splitsize examples: 15M, 100m, 5000k, 30000000b
    Examples:
      lxsplit -s hugefile.bin 15M
      lxsplit -j hugefile.bin.001
    [root@dev log]#
- Split btmp Log File: Now issue an lxsplit command similar to the example below to split the btmp log file into smaller pieces.
    [root@dev log]# lxsplit -s btmp 500M
    Splitting btmp into 11 pieces.
    btmp.001 524288000 bytes
    btmp.002 524288000 bytes
    btmp.003 524288000 bytes
    btmp.004 524288000 bytes
    btmp.005 524288000 bytes
    btmp.006 524288000 bytes
    btmp.007 524288000 bytes
    btmp.008 524288000 bytes
    btmp.009 524288000 bytes
    btmp.010 524288000 bytes
    btmp.011 80595328 bytes
    Done!
    [root@dev log]#
- Read New btmp Files With last: You can immediately read the last btmp chunk that lxsplit created, but to read any of the other chunks you will first need to join that last chunk with the chunk you want to read. Below we show examples of reading just the last btmp chunk, which in this example is btmp.011, and of combining the last chunk with another chunk so that it can be read as well.
Read Last btmp Split File:
    [root@dev btmp-tests]# last -f btmp.011 | more
    root     ssh:notty    61.145.61.108    Mon Jan 17 09:02    gone - no logout
    root     ssh:notty    61.145.61.108    Mon Jan 17 09:01 - 09:02  (00:00)
    root     ssh:notty    61.145.61.108    Mon Jan 17 09:01 - 09:01  (00:00)
    root     ssh:notty    61.145.61.108    Mon Jan 17 09:01 - 09:01  (00:00)
Join Last btmp Split File And Another btmp Split File:
    [root@dev btmp-tests]# cp -p btmp.001 btmp.a.001
    [root@dev btmp-tests]# cp -p btmp.011 btmp.a.002
    [root@dev btmp-tests]# lxsplit -j btmp.a.001
    Creating merged file `btmp.a'.
    Complete size: 604883328 in 2 files.
    Processing file `btmp.a.001' ...
    Processing file `btmp.a.002' ...
    Done!
    [root@dev btmp-tests]#
Notice how in the example output above we combine the last and the first btmp chunks; once this is done you can read the merged file with last, and the output will include both the newest and the oldest btmp entries. You cannot read the btmp.001 file on its own; it must be combined with the btmp.011 file created by lxsplit. The reason is that lxsplit cuts at byte offsets rather than at utmp record boundaries (500M is 524288000 bytes, which is not a multiple of the 384-byte utmp record), so only a file that ends where the original btmp ended, as btmp.011 and the merged file do, finishes on a complete record that last can parse.
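Since last only prints entries, a small parser of the btmp record format is useful both to see why a chunk must end on a record boundary and to summarize where the entries in a file this size come from. The block below is an added example and is not part of the original post or of lxsplit; it assumes the 384-byte glibc struct utmp layout used on x86 Linux and builds a constructed sample btmp inline (the hosts and timestamps are made up).

```python
import struct
from collections import Counter

# glibc struct utmp on x86 Linux is 384 bytes (assumed layout for this example):
#   ut_type(h) pad(2) ut_pid(i) ut_line(32s) ut_id(4s) ut_user(32s) ut_host(256s)
#   ut_exit(h,h) ut_session(i) ut_tv(i,i) ut_addr_v6(4i) __unused(20s)
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
LOGIN_PROCESS = 6  # ut_type written for btmp (failed login) entries


def make_record(user, line, host, tv_sec, ut_type=LOGIN_PROCESS, pid=0):
    """Pack one utmp record from constructed sample values."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0, b"")


def sample_btmp():
    """Constructed btmp contents: three failed root logins from one host, one from another."""
    t0 = 1295254860  # Mon Jan 17 2011 09:01 UTC, a made-up timestamp
    recs = [make_record("root", "ssh:notty", "192.0.2.10", t0 + i) for i in range(3)]
    recs.append(make_record("admin", "ssh:notty", "198.51.100.7", t0 + 60))
    return b"".join(recs)


def _cstr(raw):
    return raw.split(b"\0", 1)[0].decode("ascii", errors="replace")


def parse_btmp(data):
    """Return (user, line, host, tv_sec) for every complete record, skipping a partial tail."""
    entries = []
    usable = len(data) - len(data) % UTMP_SIZE  # drop a record cut by a byte-offset split
    for off in range(0, usable, UTMP_SIZE):
        f = struct.unpack(UTMP_FMT, data[off:off + UTMP_SIZE])
        entries.append((_cstr(f[4]), _cstr(f[2]), _cstr(f[5]), f[9]))
    return entries


def failed_logins_by_host(data):
    """Count btmp entries per source host, the first thing to look at in a btmp this large."""
    return Counter(host for _, _, host, _ in parse_btmp(data))


def aligned_split_size(requested_bytes):
    """Round a split size down to whole records so every chunk ends on a record boundary."""
    return requested_bytes - requested_bytes % UTMP_SIZE


if __name__ == "__main__":
    print(failed_logins_by_host(sample_btmp()))
    print(aligned_split_size(500 * 1024 * 1024))  # 524287872, vs 524288000 from "500M"
```

Splitting with a size from aligned_split_size (for example split -b 524287872 btmp btmp.) gives chunks that each end on a whole record, so each can be parsed on its own.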
After reviewing the btmp entries you need, you should also configure logrotate to rotate the btmp file, as described in this article on the subject.