Monday, February 24, 2014

How to fix a corrupted wtmpx file on solaris


If the wtmpx file is corrupted, we cannot get login details such as who logged in earlier. To fix this issue we need to perform the tasks below.
Some key points about this issue:

1). This issue is an audit compliance item at enterprise level
2). All the earlier login details are lost
3). Future login information will not be captured until the issue is fixed
4). The login history is useful when a major issue happens

This is the procedure to fix the corrupted wtmpx file:

How to determine whether the wtmpx file is corrupted or not:

Today's date is actually Jan 24, but the output of the last command says Aug 13, which is wrong; this means the wtmpx file got corrupted.
[root@tpt01 /var/adm]# uname -a
SunOS tpt01 5.10 Generic_147147-26 sun4u sparc SUNW,SPARC-Enterprise
[root@tpt01 /var/adm]# date
Fri Jan 24 15:04:08 EST 2014
[root@tpt01 /var/adm]# last | more
tptuser1 sshd 192.168.10.11 Fri  Aug 13 17:05  still logged in
tptuser2 pts/12 192.168.10.15 Fri  Aug 13 16:56  still logged in
tptuser3 sshd 192.168.10.16 Fri  Aug 13 16:56 - 16:59 (00:02)
tptuser4 pts/8 192.168.10.18 Fri  Aug 13 16:52 - 16:59 (00:06)
tptuser5 sshd 192.168.10.22 Fri  Aug 13 16:52 - 16:56 (00:03)
tptuser6 sshd 192.168.10.25 Fri  Aug 13 16:48 - 16:48 (00:00)
tptuser7 sshd 192.168.10.16 Fri  Aug 13 16:48 - 16:48 (00:00)
tptuser8 pts/12 192.168.10.18 Fri  Aug 13 16:30 - 16:34 (00:04)
tptuser9 sshd 192.168.10.22 Fri  Aug 13 16:30 - 16:34 (00:04)
tptuser1 pts/16 192.168.10.25 Fri  Aug 13 16:17 still logged in
[root@tpt01 /var/adm]#
Here is what I performed to fix this issue, in case you encounter a similar type of issue.
1) Back up the wtmpx log file
[root@tpt01 /]# cp -p /var/adm/wtmpx /var/adm/wtmpx.backup
2) Use the wtmpfix command to recover the corrupted file and save the output in a temporary file
This is the output I got:
[root@tpt01 /]# /usr/lib/acct/wtmpfix /var/adm/wtmpx > /var/adm/wtmpx.tmp
/var/adm/wtmpx: offset 164816832: nonzero pid or status in EMPTY record
/var/adm/wtmpx: offset 164816832: suspecting misaligned records, repositioning
/var/adm/wtmpx: offset 17197884: starting re-scan
/var/adm/wtmpx: offset 175267380: now recognizing aligned records again
/var/adm/wtmpx: offset 526582320: EOF reached after recovering from corruption in the middle of the file.  This file may need to be repaired by hand.
[root@tpt01/]# 
3) Check the temporary file
[root@tpt01 /var/adm]# last -f wtmpx.tmp | more
tptuser1 sshd 192.168.10.11  Fri  Jan 24 15:03 - 15:03 (00:00)
tptuser2 pts/12 192.168.10.15  Fri  Jan 24 14:30 - 14:30 (00:00)
tptuser3 sshd 192.168.10.16  Fri  Jan 24 14:28 - 14:29 (00:01)
tptuser4 pts/8 192.168.10.18  Fri  Jan 24 14:16 - 14:16 (00:00)
tptuser5 sshd 192.168.10.22  Fri  Jan 24 14:16 - 14:16 (00:00)
tptuser6 sshd 192.168.10.25  Fri  Jan 24 14:13  still logged in
tptuser7 sshd 192.168.10.16  Fri  Jan 24 14:13 - 14:16 (00:02)
tptuser8 pts/12 192.168.10.18  Fri  Jan 24 13:29 - 13:29 (00:00)
tptuser9 sshd 192.168.10.22  Fri  Jan 24 13:29 - 13:29 (00:00)
tptuser1 pts/16 192.168.10.25  Fri  Jan 24 13:20 - 13:20 (00:00)
[root@tpt01 /var/adm]#
4) If the output of the above command shows the correct date and time, the issue is fixed, so move the temporary file back to the original location.
[root@tpt01 /var/adm]#mv /var/adm/wtmpx.tmp /var/adm/wtmpx
5) Check the original file again to confirm:
[root@tpt01 /]# last | more
tptuser1 sshd 192.168.10.11  Fri  Jan 24 15:03 - 15:03 (00:00)
tptuser2 pts/12 192.168.10.15  Fri  Jan 24 14:30 - 14:30 (00:00)
tptuser3 sshd 192.168.10.16  Fri  Jan 24 14:28 - 14:29 (00:01)
tptuser4 pts/8 192.168.10.18  Fri  Jan 24 14:16 - 14:16 (00:00)
tptuser5 sshd 192.168.10.22  Fri  Jan 24 14:16 - 14:16 (00:00)
tptuser6 sshd 192.168.10.25  Fri  Jan 24 14:13  still logged in
tptuser7 sshd 192.168.10.16  Fri  Jan 24 14:13 - 14:16 (00:02)
tptuser8 pts/12 192.168.10.18  Fri  Jan 24 13:29 - 13:29 (00:00)
tptuser9 sshd 192.168.10.22  Fri  Jan 24 13:29 - 13:29 (00:00)
tptuser1 pts/16 192.168.10.25  Fri  Jan 24 13:20 - 13:20 (00:00)
[root@tpt01 /]#
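As an added example (not from the original post), here is a Python check that reads a wtmpx image directly and reports the same kinds of damage that wtmpfix complains about, so a suspect file can be examined before and after the repair above without trusting what last prints. It assumes the Solaris futmpx record layout from sys/utmp.h (372 bytes, big-endian as on the SPARC host above; the offset 164816832 in the wtmpfix output is exactly 443056 records of that size), and the sample records are constructed here.

```python
import struct

# struct futmpx as stored in /var/adm/wtmpx on Solaris/SPARC (big-endian, 372 bytes):
# ut_user[32] ut_id[4] ut_line[32] ut_pid ut_type ut_exit{term,exit} 2 pad bytes
# ut_tv{sec,usec} ut_session pad[5] ut_syslen ut_host[257] 1 pad byte
FUTMPX = struct.Struct(">32s4s32s i h hh 2x ii i 5i h 257s x")
EMPTY, USER_PROCESS, DEAD_PROCESS, DOWN_TIME = 0, 7, 8, 10   # ut_type values from utmp.h

def make_record(user, line, host, pid, utype, tv_sec):
    """Pack one futmpx record (used here only to construct sample input)."""
    h = host.encode()
    return FUTMPX.pack(user.encode(), b"", line.encode(), pid, utype, 0, 0,
                       tv_sec, 0, 0, 0, 0, 0, 0, 0, len(h) + 1, h)

def check_wtmpx(data, now, oldest=0):
    """Return '<offset>: <problem>' strings; [] means the image looks sane.
    Flags what wtmpfix reports (pid/status in EMPTY records, misaligned length)
    plus the symptom on this page: login times that cannot be right."""
    problems, size, prev = [], FUTMPX.size, oldest
    if len(data) % size:
        problems.append("%d: length not a multiple of %d, misaligned or truncated"
                        % (len(data), size))
    for off in range(0, len(data) - len(data) % size, size):
        _, _, _, pid, utype, term, ex, sec, *_ = FUTMPX.unpack_from(data, off)
        if utype == EMPTY:
            if pid or term or ex:
                problems.append("%d: nonzero pid or status in EMPTY record" % off)
        elif not EMPTY < utype <= DOWN_TIME:
            problems.append("%d: unknown ut_type %d" % (off, utype))
        elif not oldest <= sec <= now:
            problems.append("%d: timestamp %d outside [%d, %d]" % (off, sec, oldest, now))
        elif sec < prev:
            problems.append("%d: timestamp %d earlier than previous record %d" % (off, sec, prev))
        else:
            prev = sec
    return problems

# Constructed sample data; NOW is the page's "Fri Jan 24 15:04:08 EST 2014" as Unix time.
NOW = 1390593848
GOOD = (make_record("tptuser1", "pts/16", "192.168.10.25", 4711, USER_PROCESS, NOW - 6000)
        + make_record("tptuser1", "pts/16", "192.168.10.25", 4711, DEAD_PROCESS, NOW - 5990))
CORRUPT = (GOOD + make_record("", "", "", 9999, EMPTY, 0)           # pid left in an EMPTY slot
           + make_record("tptuser2", "pts/12", "192.168.10.15", 4800, USER_PROCESS, NOW + 86400)
           + b"\xff" * 100)                                        # trailing partial record

if __name__ == "__main__":
    for p in check_wtmpx(CORRUPT, NOW, oldest=NOW - 365 * 86400) or ["clean"]:
        print(p)
```

On a real host, read /var/adm/wtmpx (or the wtmpx.tmp produced by wtmpfix) into `data` and pass the current time; a non-empty result before the repair and an empty one after is the confirmation step 5 relies on.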
Thanks for reading this article...
