Log Files


Solaris™ Operating Environment Boot Camp
By David Rhodes, Dominic Butler
Chapter 6.  The Filesystem and Its Contents


Log files hold information intended for the system administrator to look at when required. How often they need to be reviewed depends on the type of information they contain, but if a log is never likely to be looked at, there is probably little point wasting disk space by storing the data. The major log files you need to be aware of are shown in Table 6.10, with guidance on how to keep them from growing too large.

Table 6.10. Common Solaris Log Files

| Log | Description | Housekeeping Method |
|---|---|---|
| /var/adm/utmp | Contains information about who is currently logged in and is read by the who command. Do not trim or remove this file unless it becomes corrupt. Replaced by /var/adm/utmpx in Solaris 9. | Do not touch this file unless the who command gives corrupt output, in which case you can empty it (all users should be logged off first): `cp /dev/null /var/adm/utmp` |
| /var/adm/wtmp | This contains an accumulative log of all users who have logged in. It is not a text file, but can be viewed using the who command (who /var/adm/wtmp). When users log in, they are added to both the utmp file and wtmp file. When they log out, they are removed from the utmp file but not wtmp. This file can grow very large if left unchecked. This file is being phased out to be replaced by wtmpx. | Empty the file when required: `cp /dev/null /var/adm/wtmp` |
| /var/adm/wtmpx | This log file is similar to the wtmp file (and Solaris 9 has completely replaced it) in that it holds accumulated login information and is not a text file. It is read by the last command. | Empty the file when required: `cp /dev/null /var/adm/wtmpx` |
| /var/adm/sulog | This is a text file containing a record of all attempts made by users to switch to another user's ID. The entry will contain a "+" if the attempt succeeded or a "-" if it failed. This should be looked through on a regular basis for anything suspicious, such as a user gaining access to root that shouldn't (see Chapter 1, "The System Administrator's Role"). | This file can either be emptied or you could remove all but the last "X" number of lines. If you wish to keep a long history of login attempts, this file can be rotated as shown in the housekeeping script at the end of this chapter. |
| /var/adm/messages | This text file is very important to the system administrator. It contains information on a variety of system events. | Solaris automatically rotates this file, so it should not need any special treatment. |
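
The sulog review and "keep the last X lines" housekeeping described in the table can be scripted as follows. This is an added example, not code from the book: the function names, the allowed-user list and the sample entries are assumptions, and it assumes the usual sulog line layout `SU MM/DD HH:MM +|- tty from-to`. On Solaris, run it with nawk or /usr/xpg4/bin/awk in place of the older /usr/bin/awk.

```shell
#!/bin/sh
# Added example: review and trim a Solaris-style sulog.
# Assumed line layout: SU MM/DD HH:MM <+|-> <tty> <from>-<to>

# Constructed sample entries (not from a real system).
sample_sulog() {
    cat <<'EOF'
SU 03/14 09:02 + pts/1 admin1-root
SU 03/14 09:40 - pts/4 jsmith-root
SU 03/14 09:41 + pts/4 jsmith-root
SU 03/15 11:15 + pts/2 jsmith-oracle
EOF
}

# review_sulog FILE "ALLOWED USERS"
# Prints FAILED for every "-" entry, and UNEXPECTED-ROOT for every "+"
# entry where a user outside the allowed list became root.
review_sulog() {
    awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 != "SU" || NF < 6 { next }      # skip lines that do not match the layout
        {
            # Split from-to at the last hyphen (assumes the target name has none).
            p = 0
            for (i = 1; i <= length($6); i++) if (substr($6, i, 1) == "-") p = i
            if (p == 0) next
            from = substr($6, 1, p - 1); to = substr($6, p + 1)
            if ($4 == "-")
                print "FAILED", $2, $3, $5, from "->" to
            else if ($4 == "+" && to == "root" && !(from in ok))
                print "UNEXPECTED-ROOT", $2, $3, $5, from "->" to
        }' "$1"
}

# trim_sulog FILE N: keep only the last N lines. The file is rewritten in
# place (not replaced), so its ownership and permissions are unchanged.
trim_sulog() {
    tmp=$(mktemp) || return 1
    tail -n "$2" "$1" > "$tmp" && cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage: review_sulog /var/adm/sulog "admin1 admin2"; trim_sulog /var/adm/sulog 500
```

Run the review before trimming, so that entries about to be discarded have been checked.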





    Solaris Operating Environment Boot Camp
    ISBN: 0130342874
    EAN: 2147483647
    Year: 2002
    Pages: 301
