Trim wtmpx file in Solaris

Our root (/) partition is nearing 100% utilization, and upon further investigation the wtmpx file is the main culprit. We need to trim or flush this file, but we need to have a backup of this file for audit purposes.

From the wtmpx(1) man page:

The utmpx and wtmpx files are extended database files that have superseded
the obsolete utmp and wtmp database files.

The utmpx database contains user access and accounting information for commands
such as who(1), write(1), and login(1). The wtmpx database contains the history
of user access and accounting information for the utmpx database.

If you really need this for your accounting, here are the steps to safely convert it to a human-readable form and truncate it.

# /usr/lib/acct/fwtmp < /var/adm/wtmpx > /tmp/wtmpx.orig
# cat /dev/null > /var/adm/wtmpx
# gzip /tmp/wtmpx.orig
# cp /tmp/wtmpx.orig.gz /var/adm/

There you have it: a truncated wtmpx file with a full, gzipped backup of the old wtmpx. I strongly recommend that you use wtmpx.<date> rather than wtmpx.orig in case you need to truncate again in the future.

Below is the modified procedure, which puts the date in the backup's filename:

# /usr/lib/acct/fwtmp < /var/adm/wtmpx > /tmp/wtmpx.`date +%Y%m%d`
# cat /dev/null > /var/adm/wtmpx
# gzip /tmp/wtmpx.`date +%Y%m%d`
# mv /tmp/wtmpx.`date +%Y%m%d`.gz /var/adm/
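
The same procedure as a script that truncates only after the archive has been verified. This is an added example, not part of the original post. It assumes a POSIX shell with mktemp and gzip on the PATH; the function name rotate_wtmpx and the FWTMP and WORK variables are illustrative.

```shell
#!/bin/sh
# Added example (not the original author's script): archive, verify, then truncate.
# Assumptions: POSIX shell; mktemp and gzip available; FWTMP, WORK and the
# function name are illustrative. FWTMP defaults to the path used above.
rotate_wtmpx() {
    src=${1:-/var/adm/wtmpx}
    dest=${2:-/var/adm}
    fwtmp=${FWTMP:-/usr/lib/acct/fwtmp}
    stamp=$(date +%Y%m%d)    # evaluated once, so a midnight rollover cannot split the names
    final="$dest/wtmpx.$stamp.gz"

    [ -s "$src" ] || { echo "nothing to rotate in $src" >&2; return 1; }
    [ ! -e "$final" ] || { echo "$final already exists" >&2; return 1; }

    # Private scratch directory: root never redirects into a predictable /tmp name.
    tmpd=$(mktemp -d "${WORK:-/tmp}/wtmpx.XXXXXX") || return 1
    dump="$tmpd/wtmpx.$stamp"

    # Convert to ASCII; on any failure stop and leave the live file untouched.
    if ! "$fwtmp" < "$src" > "$dump" || [ ! -s "$dump" ]; then
        rm -rf "$tmpd"; echo "conversion failed" >&2; return 1
    fi
    if ! gzip "$dump" || ! gzip -t "$dump.gz"; then
        rm -rf "$tmpd"; echo "compression failed" >&2; return 1
    fi
    # Put the verified archive in place before touching the live file.
    if ! cp "$dump.gz" "$final"; then
        rm -rf "$tmpd"; rm -f "$final"; echo "cannot write $final" >&2; return 1
    fi
    chmod 600 "$final"       # restrict the audit archive to its owner
    rm -rf "$tmpd"

    # Truncate in place (same inode, owner and mode). Records written between
    # the dump and this line are not in the archive.
    cat /dev/null > "$src"
    echo "$final"
}
```

Run as root with no arguments, it uses the paths from the steps above and prints the archive's location.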