How to truncate /var/log/lastlog File

/var/log/lastlog is a binary file that holds information about the last time that users logged in to the system. The lastlog file is a sparse file, which means that the apparent size reported by “ls -l” is larger than the actual disk usage of the file (as reported by du), because not all blocks in the file are allocated on disk.

A sparse file is a type of computer file that attempts to use file system space more efficiently when the blocks allocated to the file are mostly empty. This is achieved by writing brief information (metadata) representing the empty blocks to disk instead of the actual “empty” space which makes up the block, using less disk space (i.e. sparse files contain blocks of zeros whose existence is recorded, but which have no space allocated on disk). The full block size is written to disk as the actual size only when the block contains “real” (non-empty) data.

When reading sparse files, the file system transparently converts metadata representing empty blocks into “real” blocks filled with zero bytes at run-time. The application is unaware of this conversion. Sparse files are commonly used for disk images, database snapshots, log files, etc.

The lastlog file contains information about the last time a user logged in to the system. If you wish to retain this information, use the lastlog command to export the log information before recreating the /var/log/lastlog file, or copy the existing /var/log/lastlog file to an alternate location.

1. Take a backup of the existing lastlog content.

# lastlog > /tmp/lastlog.txt

OR

# cp /var/log/lastlog /opt/lastlog.bkp

2. Now truncate the file using any one of the following commands:

# >/var/log/lastlog

OR

# cat /dev/null > /var/log/lastlog
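
The apparent-versus-allocated size difference and the backup-then-truncate steps above, as an added example that is not part of the original article. It works on a constructed file in a temporary directory rather than the real /var/log/lastlog; the helper function names are hypothetical, the 292-byte record size is an assumption (struct lastlog on Linux/glibc), and GNU stat and cp are assumed.

```shell
#!/bin/sh
# Added example: runs against a constructed file, not the real /var/log/lastlog.
REC=292   # assumed record size: struct lastlog on Linux/glibc (4 + 32 + 256 bytes)

# Apparent size in bytes, as "ls -l" reports it (GNU stat).
apparent_size() { stat -c %s "$1"; }

# Bytes actually allocated on disk, as "du" reports them: blocks * block unit.
allocated_size() {
    set -- $(stat -c '%b %B' "$1")
    echo $(( $1 * $2 ))
}

# Build a sparse lastlog-like file: one non-empty record in slot <uid>;
# everything before that slot is a hole with no blocks allocated.
make_sparse_lastlog() {   # usage: make_sparse_lastlog <file> <uid>
    : > "$1"
    printf "%0${REC}d" 0 | dd of="$1" bs="$REC" seek="$2" conv=notrunc 2>/dev/null
}

# Back up first (keeping the holes in the copy), then truncate in place.
# Truncating, unlike rm + recreate, keeps the inode, owner and mode.
backup_and_truncate() {   # usage: backup_and_truncate <file> <backup>
    cp --sparse=always "$1" "$2" || return 1
    : > "$1"
}

demo() {
    dir=$(mktemp -d) || return 1
    make_sparse_lastlog "$dir/lastlog" 100000   # constructed UID
    echo "before: apparent=$(apparent_size "$dir/lastlog")" \
         "allocated=$(allocated_size "$dir/lastlog")"
    backup_and_truncate "$dir/lastlog" "$dir/lastlog.bkp"
    echo "after:  apparent=$(apparent_size "$dir/lastlog")" \
         "backup=$(apparent_size "$dir/lastlog.bkp")"
    rm -rf "$dir"
}
demo
```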