Use the following command to read the contents of the file.
who /etc/security/failedlogin
The condition of TTYs respawning too rapidly will create failed login entries. To clear the file after reading or saving the output, execute the following command:
cp /dev/null /etc/security/failedlogin
If a device name is typed incorrectly, as in rmto instead of rmt0, a file will be created in /dev called rmto. The command will normally proceed until the entire root file system is filled before failing. /dev is part of the root (/) file system. Look for entries that are not devices (that do not have a major or minor number).
Execute the following:
cd /dev
ls -l | pg
Whereas a file size on an ordinary file would normally be seen, a device file will have two numbers separated by a comma.
Example:
crw-rw-rw- 1 root system 12,0 Oct 25 10:19 rmt0
If the output looks like the following, the file should be removed.
crw-rw-rw- 1 root system 9375473 Oct 25 10:19 rmto
NOTE: The /dev directory has some valid file names. Look for a file that has a large size (larger than 500 bytes).
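The /dev check described above, as an added example that is not part of the original document: it lists regular files under a directory that exceed the 500-byte threshold and reports whether fuser shows each one open. The names stray_dev_files, open_state and demo are hypothetical, and the demo builds a constructed directory in which a FIFO stands in for a device node.

```shell
#!/bin/sh
# Added example, not from the original document. Function names are hypothetical.

# open_state PATH: "busy" if a process holds PATH open, "idle" if none,
# "unknown" when fuser is not installed.
open_state() {
    command -v fuser >/dev/null 2>&1 || { echo unknown; return 0; }
    if [ -n "$(fuser "$1" 2>/dev/null)" ]; then echo busy; else echo idle; fi
}

# stray_dev_files [DIR] [MIN_BYTES]
# Prints "<bytes> <state> <path>" for each suspect, largest first.
stray_dev_files() {
    dir=${1:-/dev}
    min=${2:-500}    # threshold taken from the NOTE above
    # -xdev keeps find on this file system; -type f matches regular files
    # only, so real device nodes (major,minor instead of a size) are skipped.
    find "$dir" -xdev -type f -size +"${min}"c -print |
    while IFS= read -r f; do
        bytes=$(wc -c < "$f" | tr -d ' ')
        printf '%s %s %s\n' "$bytes" "$(open_state "$f")" "$f"
    done | sort -rn
}

# demo: constructed directory standing in for /dev (no root needed).
demo() {
    d=$(mktemp -d) || return 1
    mkfifo "$d/rmt0"              # non-regular stand-in for the real device
    # Mistyped device name that received 2000 bytes of data:
    dd if=/dev/zero of="$d/rmto" bs=1000 count=2 2>/dev/null
    printf 'x' > "$d/small"       # regular file below the threshold
    stray_dev_files "$d" 500
    rm -rf "$d"
}
```

On a live system, call stray_dev_files /dev as root and review each reported path before removing it.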
NOTE: If system auditing is running, the /audit directory (default) may rapidly fill up and require attention.
Large files can be located with the find command. For example, to find all files in the root (/) directory larger than 1 MB, enter the following command:
find / -xdev -size +2048 -ls |sort -r +6
This will find all files greater than 1 MB and sort them in reverse order with the largest files first.
NOTE: When checking the root directory, entries from the /dev directory that have major and minor numbers instead of file sizes will be interspersed with real files and can be ignored.
Other useful find command flags may be helpful, such as the -newer flag. Review the product documentation to learn more about such flags.
NOTE: Before removing any files, the user should check to see if the file is currently in use by an active user process. Execute the following command:
fuser <filename>
filename is the name of the file being checked for use by an active user process. If a file is open at the time of removal, it is only removed from the directory listing. The blocks allocated to that file are not freed until the process holding the file open is killed.
/var/adm/wtmp is a file that is used to log all logins, rlogins and tn sessions. If it is not monitored it will grow indefinitely unless system accounting is running. System accounting will clear it out nightly. /var/adm/wtmp can either be cleared out or edited to remove old and unwanted information.
To clear /var/adm/wtmp, execute the following:
cp /dev/null /var/adm/wtmp
To edit the file and remove unwanted entries, execute the following:
/usr/sbin/acct/fwtmp < /var/adm/wtmp > /tmp/out
Edit the /tmp/out file to remove unwanted entries, then put the edited version back in wtmp by executing the following command:
/usr/sbin/acct/fwtmp -ic < /tmp/out > /var/adm/wtmp
This directory contains the error log, errlog. It is never cleared unless it is manually cleared. DO NOT cp /dev/null to it or it will disable the error logging functions of the system. A zero (0) length errlog file must be replaced from a backup tape.
First, stop the error daemon by entering:
/usr/lib/errstop
Second, remove or move to a different filesystem the following file:
/var/adm/ras/errlog
NOTE: The historical error data is deleted if you remove the errlog file.
Third, restart the error daemon by entering:
/usr/lib/errdemon
NOTE: The trcfile file in this directory may be large due to a trace being run. The file can be removed by executing the following:
rm /var/adm/ras/trcfile
You may also have vmcore* files in the /var/adm/ras directory if your dump device is set to hd6 (which is the default). If these files are old and/or you do not wish to pursue them, you may remove them.
While old vi sessions can be used to recover files that were abnormally terminated, these files can be deleted. However, the user may want to keep some of the newer ones in case users want to recover files. To recover a file, execute the following:
vi -r <filename>
or
vi -r
This will list all available files that are recoverable.
This file tracks the number of attempted uses of su and whether they are successful or not. This is a flat file and can be viewed and modified with a favorite editor. If it is removed it will be recreated by the next attempted su.
This is used by the snmpd daemon as a log. If the file is removed it will be recreated by the snmpd daemon.
NOTE: The size of this file can be limited so that it does not grow indefinitely by editing the /etc/snmpd.conf file under the section for size. This is in bytes.
NOTE: The find command can also be used to discover large files in /var. Execute the following:
find /var -xdev -size +2048 -ls| sort -r +6
NOTE: AIX provides a general system cleanup script called skulker located in the /usr/sbin directory. Before attempting to run the skulker command, look at the skulker entry in the product documentation. Read the script for details to determine what files it will delete and what time frame it will allow files to exist before deletion.
skulker may be run as a cron job using the following crontab entry:
0 3 * * * /usr/sbin/skulker
Consider limiting the errlog by running these entries in cron:
0 11 * * * /usr/bin/errclear -d S,O 30
0 12 * * * /usr/bin/errclear -d H 90
Use the find command with the -size flag to attempt to locate large files or, if the file system just filled up, use the -newer flag to find recently modified files. To produce a file for the -newer flag to find against, use the following touch command:
touch <mmddhhmm filename>
From left to right, the following correspondences apply:
Execute the following command:
find /<filesystem_name> -xdev -newer <touched_file> -ls
Another useful flag for the find command will allow files to be located that have been changed in the last 24 hours.
For example:
find /<filesystem_name> -xdev -mtime 0 -ls
[ Doc Ref: 90605222714636 Publish Date: Oct. 19, 2000 4FAX Ref: 1609 ]