7

My /var/log/lastlog file is huge. I know it's really only a few kilobytes, but tar isn't smart enough to know that, so when I image a virtual machine, my restore fails because it thinks I'm trying to load more data than I have capacity on my disk.

I want to delete /var/log/lastlog and stop any and all logging to the file. I'm aware of the security implications. This logging needs to stop to preserve my backup strategy.

I've made a change to /etc/pam.d/login which I was told would disable logging to /var/log/lastlog, but it does not appear to work as /var/log/lastlog keeps growing.

# Prints the last login info upon succesful login
# (Replaces the `LASTLOG_ENAB' option from login.defs)
#session    optional   pam_lastlog.so

Any ideas?

EDIT

For anyone interested, I use Centrify Express to authenticate my users via LDAP. Centrify Express is "free", but one of the drawbacks is that I can't manage user UIDs via LDAP, so they are given a dynamic UID when they login to a server. Centrify picks some crazy high UID values (so they don't conflict with local users on the server, presumably). /var/log/lastlog is indexed by UID, and grows to accommodate the largest UID on the system. This means that when a Centrify user logs in, they get a UID in the upper-end of the UID range, which causes lastlog to allocate an obscene amount of space, according to the file system.

~$ ll /var/log/lastlog
-rw-rw-r-- 1 root root 291487675780 Apr 10 16:37 /var/log/lastlog
~$ du -h /var/log/lastlog
20K     /var/log/lastlog

More info ---> Sparse Files

GregB
  • 217
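The sizes in the question follow from lastlog's layout: one fixed-size record per UID, stored at offset UID × record size. The following is an added example, not part of the original post; it assumes the 292-byte glibc record used on 64-bit Linux, works on a constructed sample file, and its function names are illustrative. It reads a sparse lastlog by skipping the holes and derives the highest UID slot from the apparent size.

```python
import os
import struct
import tempfile

# Assumed record layout (glibc "struct lastlog" on 64-bit Linux):
# int32 ll_time, char ll_line[32], char ll_host[256] = 292 bytes per UID.
RECORD = struct.Struct("<i32s256s")

def max_uid_for_size(apparent_size):
    """Highest UID slot a lastlog of this apparent size reaches."""
    return apparent_size // RECORD.size - 1

def write_record(path, uid, when, tty, host):
    """Write one record at offset uid * 292; everything below stays a hole."""
    with open(path, "r+b" if os.path.exists(path) else "w+b") as f:
        f.seek(uid * RECORD.size)
        f.write(RECORD.pack(when, tty.encode(), host.encode()))

def read_records(path):
    """Return {uid: (time, tty, host)}, visiting only allocated extents."""
    found = {}
    fd = os.open(path, os.O_RDONLY)
    try:
        size, pos = os.fstat(fd).st_size, 0
        while pos < size:
            try:
                pos = os.lseek(fd, pos, os.SEEK_DATA)  # jump over the hole
            except OSError:  # ENXIO: only a hole remains before EOF
                break
            uid = pos // RECORD.size  # record containing the first data byte
            raw = os.pread(fd, RECORD.size, uid * RECORD.size)
            if len(raw) == RECORD.size:
                when, tty, host = RECORD.unpack(raw)
                if when:  # all-zero slots are UIDs that never logged in
                    found[uid] = (when, tty.rstrip(b"\0").decode(), host.rstrip(b"\0").decode())
            pos = (uid + 1) * RECORD.size
    finally:
        os.close(fd)
    return found

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "lastlog")  # constructed sample, not /var/log/lastlog
        write_record(path, 1000, 1712767020, "pts/0", "host.example")
        write_record(path, 100000, 1712767080, "pts/1", "host.example")
        st = os.stat(path)
        print(st.st_size, "apparent bytes,", st.st_blocks * 512, "allocated")
        print(read_records(path))
```

Under that record size, the 291487675780-byte file shown in the question corresponds to a highest UID slot of 998245464.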

4 Answers

13

Try this command:

ln -sfn /dev/null /var/log/lastlog
jokerdino
  • 2,465
johnshen64
  • 4,701
4

The best solution here, in my opinion, is to use tar's -S / --sparse option to handle sparse files properly.

Jon Lasser
  • 1,475
2

If the third party is using your system tar, rename tar to, say, tar.real; then make a script called tar which will use -S only when called by the third-party software.

Better, call the third-party software via a wrapper script which adds a special bin dir to the front of PATH, where you have the wrapper for tar. This only works so long as the third party is not using absolute paths.

Tepal
  • 21
1

I'm using Arch Linux with systemd. This works for me.

As root:

  1. systemctl stop systemd-update-utmp
     systemctl disable systemd-update-utmp
     systemctl mask systemd-update-utmp

  2. cp /usr/lib/tmpfiles.d/var.conf /etc/tmpfiles.d/

  3. vi or nano /etc/tmpfiles.d/var.conf
     Comment out these 3 lines:
     #f /var/log/wtmp 0664 root utmp -
     #f /var/log/btmp 0660 root utmp -
     #f /var/log/lastlog 0664 root utmp -

  4. rm the 3 files in question from /var/log

Done.

chrdev
  • 11