I just got an Amazon EC2 micro instance with Ubuntu 12.04.
The problem is that the last command isn't working ...
The error message is:
last: /var/log/wtmp: No such file or directory
Perhaps this file was removed by the operator to prevent logging last info.
Thanks in advance!
You most likely cleaned up your system logs in the /var/log/ folder a bit too carefully.
This is not a big deal to solve.
Step 1: Recreate the file using the following command
sudo touch /var/log/wtmp
Step 2: Set proper permissions
sudo chown root:utmp /var/log/wtmp
sudo chmod 0664 /var/log/wtmp
Late edit:
Question in the comments:
I'm pretty sure I didn't delete that particular one, can it be a sign of an intrusion?
The file is a log file used by the Linux command last, which displays a list of all users logged in (and out) since that file was created.
Sure - if I were the intruder and I wanted to remove any signs of my visit, I would probably remove my login from this log file, but most likely I would not delete the whole file, as this would be a sign of intrusion. If I didn't care and just wanted to wipe my trace, I might just destroy the whole machine instead.
A more likely reason for the missing file is described in the book Hardening Linux by James Turnbull when talking about last and lastb:
To start collecting the data required to populate the output of these commands, you need to create a couple of files to hold the data. Some distributions automatically create these files, but others require them to be created manually.
I am not a forensic expert, so I could not tell you how to detect an intrusion, and I can't tell for sure you've not been the target of a hack, but personally I believe the described reason might be more realistic.
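A read-only consistency check for the file discussed above, added here as an example and not part of the original answer: it parses wtmp records and reports all-zero records, timestamps that go backwards, and a size that is not a whole number of records. It assumes the 384-byte glibc struct utmp layout used on x86-64 Linux; the function names and the sample records in make_record are constructed for illustration, and a finding is a hint to investigate (clock changes also move timestamps back), not proof of tampering.

```python
import struct

# Assumed layout: glibc struct utmp on x86-64 Linux, 384 bytes per record.
UTMP = struct.Struct("<h2xi32s4s32s256shhiii4i20s")
TYPES = {0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 5: "INIT_PROCESS",
         6: "LOGIN_PROCESS", 7: "USER_PROCESS", 8: "DEAD_PROCESS"}

def _text(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def parse_wtmp(data):
    """Yield (index, dict) for every complete record in a wtmp byte string."""
    for i in range(len(data) // UTMP.size):
        chunk = data[i * UTMP.size:(i + 1) * UTMP.size]
        f = UTMP.unpack(chunk)
        yield i, {
            "type": TYPES.get(f[0], str(f[0])), "pid": f[1], "line": _text(f[2]),
            "user": _text(f[4]), "host": _text(f[5]), "time": f[9],
            "zeroed": not any(chunk),
        }

def audit_wtmp(data):
    """Return a list of findings; an empty list means nothing inconsistent."""
    findings = []
    if len(data) % UTMP.size:
        findings.append("size %d is not a multiple of %d" % (len(data), UTMP.size))
    last_time = 0
    for i, rec in parse_wtmp(data):
        if rec["zeroed"]:
            findings.append("record %d is all zero bytes" % i)
            continue
        if rec["time"] < last_time:
            findings.append("record %d timestamp goes backwards" % i)
        last_time = max(last_time, rec["time"])
    return findings

def make_record(ut_type, user, line, host, when, pid=1000):
    """Build one constructed sample record (test data, not a real log)."""
    return UTMP.pack(ut_type, pid, line.encode(), b"", user.encode(),
                     host.encode(), 0, 0, 0, when, 0, 0, 0, 0, 0, b"")

if __name__ == "__main__":
    import sys
    with open(sys.argv[1] if len(sys.argv) > 1 else "/var/log/wtmp", "rb") as fh:
        for finding in audit_wtmp(fh.read()) or ["no inconsistencies found"]:
            print(finding)
```

Run it against a copy of the file so the original stays untouched as evidence.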