The login records for the ‘last‘ command are kept in a data file ‘/var/log/wtmp‘. The command ‘last’ parses this data file and gives back the output. There is also a provision for another data file ‘/var/log/btmp‘ to be created to store bad logins, which can be read using the command ‘lastb‘.
Using logrotate to rotate the wtmp/btmp files
To prevent a large volume of log files from filling up the ‘/var/log’ filesystem, there is a facility called as logrotate. A daily cron job calls this logrotate into action once a day. Logrotate consults its configuration file ‘/etc/logrotate.conf’ for instructions on which log files have to be rotated and when.
Logrotate’s configuration file is ‘/etc/logrotate.conf‘. Logrotate handles the rotation of /var/log/wtmp. As wtmp is not owned by a specific package, its logrotate configuration is not in /etc/logrotate.d but directly in /etc/logrotate.conf.
Here is the default configuration:
/var/log/wtmp {
monthly
create 0664 root utmp
rotate 1
}
To make wtmp rotate more frequently (therefore preventing it to grow too much) change the frequency of the rotation from monthly to weekly and/or set a size-based threshold for rotation.
Examples of logrotate configurations
1. To have one years login information on your system, edit ‘/etc/logrotate.conf’ to have below configuration:
/var/log/wtmp {
monthly
create 0664 root utmp
rotate 1
}
Either change the ‘monthly’ rotation to ‘yearly’, or keeping it at ‘monthly’ and change the rotate count to 13, as shown below.
/var/log/wtmp {
yearly
create 0664 root utmp
rotate 1
}
or
/var/log/wtmp {
monthly
create 0664 root utmp
rotate 13
}
Reading the old wtmp files
To have the ‘last’ command read from an old rotated file, run the command as shown below:
# last -f [path to rotated file]