Technology Errors

last: btmp: File too large, Read Large btmp Files

Earlier today while investigating the logs on a CentOS Linux server I noticed the btmp file had grown to over 5GB. I was curious to look into the log and when attempting to read the 5GB file using last I received an error since last will only handle files that are 2GB in size or less. So what needs to happen is to split the file into multiple pieces so they can be read via the last command. Below I describe the error in detail, how to resolve it by splitting the btmp file into multiple files, and then how to join them together if you need to read logs older than the last split file.

Technology Insights

How to Read /var/log/btmp, Rotate the btmp Log With Logrotate

The btmp log keeps track of failed login attempts. I have seen on a default linux setup with logrotate configured where the btmp log is left out of rotation and eventually grows out of hand. So first you want to make sure that the btmp log is rotated using logrotate with the below information.

Log Location:/var/log/btmp

To rotate the btmp log add the below to the logrotate.conf file located in the /etc directory.