How to filter /var/adm/wtmpx on Solaris 10

Tags: accounting, logging, solaris, solaris-10

Some of our Solaris 10 servers are monitored using SiteScope, which uses Telnet to probe certain ports (SSH is one of them) every few minutes. This is creating an insane number of lines in /var/adm/wtmpx, and eventually makes it so big (2.5G+) that we can no longer run the last command, or that the uptime command is unable to accurately show the true uptime of the server.

The error we get when trying to run the last command is this:

/var/adm/wtmpx: Value too large for defined data type

I have found ways we can clean this accounting log using a cron job (with the command /usr/lib/acct/fwtmp), and this works. This is not the issue. I was wondering if there would be a way to simply prevent connections from the monitoring user (in our case, user monsite) from creating entries in this accounting log at all.

Is this possible, and if so, how can I do it?

I've looked around and searched Google for a while, but couldn't find an answer to this question.

NOTE: We are very well aware that the monitoring solution we employ is perhaps not the best one, but we cannot change it at this time. Therefore, suggesting that we change it is not pertinent to this question. If you want to read more on the Sitescope monitoring solution we employ for those servers, please see its documentation here and look for Port Monitor, and Connecting to remote UNIX servers, which explains how it works.

Best Answer

Would you be able to try teeing the wtmp output to a different log, filtering out the monsite connections: /usr/bin/egrep -A 5 monsite /var/log/wtmpx > /var/log/something_different, and then making an alias for last that points to this new log: /usr/bin/last -f <cleaner_wtmp_log>

It's a tedious bandaid, although it should be able to keep wtmp manageable.
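A practical note on the filtering idea in the answer above: /var/adm/wtmpx is not a text file but a sequence of fixed-size binary struct utmpx records, so a line-oriented tool only sees byte soup. The stock way to get at the records is /usr/lib/acct/fwtmp (it converts wtmpx to ASCII on stdin/stdout, and fwtmp -ic converts ASCII back to binary), and the "Value too large for defined data type" message is EOVERFLOW, which a 32-bit last gets when opening a file past 2 GB. The script below is an added example written for this page, not code from the question, the answer or Solaris itself: it walks the binary records directly, drops the sessions of one user, and writes the survivors to a separate file for last -f. It assumes the on-disk record layout from Solaris <utmpx.h> (372 bytes per record, big-endian on SPARC, little-endian on x86; if your file size is not a multiple of 372 the assumption is wrong for your build), the hypothetical monitoring account monsite, and that the logout record for a session may carry an empty ut_user and therefore has to be matched by ut_id/ut_line rather than by name. The sample records at the bottom are constructed, not real log data.

```python
"""Drop one user's sessions from a Solaris wtmpx file (added example, not from the page)."""
import io
import struct
import sys

# struct utmpx as written to /var/adm/wtmpx (assumed layout from <utmpx.h>, 372 bytes):
#   ut_user[32] ut_id[4] ut_line[32] ut_pid ut_type ut_exit{e_termination,e_exit}
#   2 pad bytes  ut_tv{tv_sec,tv_usec}  ut_session  pad[5]  ut_syslen  ut_host[257]  1 pad byte
UTMPX_FMT = "32s4s32sihhh2xiii5ih257sx"
RECORD_SIZE = struct.calcsize(">" + UTMPX_FMT)  # explicit byte order => no native alignment => 372

USER_PROCESS = 7  # ut_type values from <utmpx.h>
DEAD_PROCESS = 8


def _cstr(raw):
    """Decode a NUL-padded fixed-width C string field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def read_records(stream, endian=">"):
    """Yield one dict per record; endian is '>' for SPARC, '<' for x86."""
    fmt = endian + UTMPX_FMT
    while True:
        chunk = stream.read(RECORD_SIZE)
        if not chunk:
            return
        if len(chunk) != RECORD_SIZE:
            raise ValueError("short record of %d bytes: truncated file or wrong layout" % len(chunk))
        f = struct.unpack(fmt, chunk)
        yield {"raw": chunk, "user": _cstr(f[0]), "id": _cstr(f[1]), "line": _cstr(f[2]),
               "pid": f[3], "type": f[4], "time": f[7], "host": _cstr(f[16])}


def filter_wtmpx(src, dst, drop_user, endian=">"):
    """Copy src to dst minus drop_user's sessions; return (kept, dropped) record counts.

    A session is the USER_PROCESS record plus the DEAD_PROCESS record on the same
    ut_id/ut_line. The logout record may have an empty ut_user (assumption), so it is
    recognised by the line it closes, and a line taken over by another user is released.
    """
    open_sessions = set()
    kept = dropped = 0
    for rec in read_records(src, endian):
        key = (rec["id"], rec["line"])
        drop = False
        if rec["user"] == drop_user:
            drop = True
            if rec["type"] == USER_PROCESS:
                open_sessions.add(key)
            else:
                open_sessions.discard(key)
        elif key in open_sessions:
            if rec["type"] == DEAD_PROCESS:
                drop = True  # logout of a dropped session, written without a user name
            open_sessions.discard(key)  # either way the line no longer belongs to drop_user
        if drop:
            dropped += 1
        else:
            dst.write(rec["raw"])
            kept += 1
    return kept, dropped


def filter_bytes(data, drop_user, endian=">"):
    """In-memory wrapper: return (kept_bytes, kept, dropped)."""
    src, dst = io.BytesIO(data), io.BytesIO()
    kept, dropped = filter_wtmpx(src, dst, drop_user, endian)
    return dst.getvalue(), kept, dropped


def parse_bytes(data, endian=">"):
    """Parse an in-memory wtmpx image into a list of record dicts."""
    return list(read_records(io.BytesIO(data), endian))


def build_record(user, ut_id, line, pid, utype, tv_sec, host, endian=">"):
    """Pack one utmpx record; used here only to construct sample input."""
    hb = host.encode("ascii")
    return struct.pack(endian + UTMPX_FMT, user.encode("ascii"), ut_id.encode("ascii"),
                       line.encode("ascii"), pid, utype, 0, 0, tv_sec, 0, 0,
                       0, 0, 0, 0, 0, len(hb) + 1 if hb else 0, hb)


def sample_log():
    """Constructed sample (not real data): one root session and two monsite probes."""
    t = 1262304000  # 2010-01-01 00:00:00 UTC
    return b"".join([
        build_record("root", "ts/1", "pts/1", 100, USER_PROCESS, t, "admin-host"),
        build_record("monsite", "ts/5", "pts/5", 200, USER_PROCESS, t + 60, "sitescope"),
        build_record("", "ts/5", "pts/5", 200, DEAD_PROCESS, t + 61, ""),  # nameless logout
        build_record("monsite", "ts/6", "pts/6", 300, USER_PROCESS, t + 120, "sitescope"),
        build_record("monsite", "ts/6", "pts/6", 300, DEAD_PROCESS, t + 121, "sitescope"),
        build_record("root", "ts/1", "pts/1", 100, DEAD_PROCESS, t + 3600, "admin-host"),
    ])


def main(argv):
    if len(argv) != 4:
        sys.stderr.write("usage: filter_wtmpx.py /var/adm/wtmpx /var/adm/wtmpx.filtered monsite\n")
        return 2
    endian = ">" if sys.byteorder == "big" else "<"  # the file is in the host's native order
    with open(argv[1], "rb") as src, open(argv[2], "wb") as dst:
        kept, dropped = filter_wtmpx(src, dst, argv[3], endian)
    sys.stderr.write("kept %d records, dropped %d\n" % (kept, dropped))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from the cron job in place of the fwtmp pipeline, e.g. filter_wtmpx.py /var/adm/wtmpx /var/adm/wtmpx.filtered monsite, and point last -f at the filtered copy as the answer suggests. Two caveats worth keeping in mind: the script reads one record at a time, so a multi-gigabyte file is fine, but it should run as a user that can read wtmpx and write the copy, and it should never overwrite /var/adm/wtmpx itself. The wtmpx file is the login audit trail of the box; removing the monitoring user's records from a working copy is a convenience for last and uptime, while the original should still be rotated and archived so that a real intrusion using the monsite account is not filtered out along with the noise.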
